sqry v4.10.13

Search code by what it means.

AST-native semantic code search. 35 languages. 33 MCP tools. 100% local. Zero telemetry.

cargo install sqry-cli

35 languages · 33 MCP tools · natural language · 100% local

The limits of text search

Text search misses structure

ripgrep finds every line containing authenticate — but can't tell you who calls it, what it returns, or whether it's used at all.

Embeddings are slow and imprecise

Semantic search via embeddings takes 1,400ms+ and returns false positives. ~60% precision means you still read code that doesn't match.

Cloud tools send your code offsite

Sourcegraph, GitHub Copilot, and similar tools require uploading your codebase. Not an option for private or regulated code.

STRUCTURAL QUERIES

Exact answers. Not guesses.

sqry parses your code like a compiler — building a graph of every symbol, call, import, and type relationship. Queries return exact structural results in milliseconds.

$ sqry query "callers:authenticate"
  src/auth/middleware.rs:42   validate_token
  src/api/routes.rs:118       check_session
  src/tests/auth_test.rs:67  test_login_flow
$ sqry query "impl:Serialize"
  src/models/user.rs:12      User
  src/models/session.rs:8    Session
  src/api/response.rs:23    ApiResponse
$ sqry query "kind:function AND async:true AND lang:rust"
  42 results in 12ms

MCP INTEGRATION

AI assistants that query, not guess.

Connect Claude, Codex, or Gemini to sqry via MCP. Your AI assistant gets exact structural answers instead of probabilistic guesses.

$ sqry mcp setup
  • semantic_search: Search symbols by name, kind, language, and path
  • direct_callers: Exact list of every caller of a function
  • call_hierarchy: Full inbound and outbound call tree
  • find_unused: Dead code detection across the codebase
  • semantic_diff: Structural changes between git commits

Works in your editor.

sqry ships an LSP server with standard protocol support plus 27 custom methods.

VSCode · Neovim · Helix
sqry lsp --stdio

35 languages supported

TIER 1 — Full relation tracking (28 languages)

C C++ Rust Shell Zig JavaScript TypeScript Dart Kotlin Swift Scala C# Go Java Python Ruby PHP Lua R Groovy Elixir SQL Svelte Vue HTML CSS Haskell Perl

TIER 2 — Symbols + imports (7 languages)

Terraform Puppet Pulumi Apex ABAP PL/SQL ServiceNow

Built for speed

  • 12ms graph queries (vs 1,400ms with embeddings)
  • 760K LOC/s indexing speed (for JavaScript codebases)
  • 113× cache speedup (from 452ms to 4ms with warm cache)

LINUX KERNEL BENCHMARK

11 million nodes. Under 2 minutes.

sqry indexes the entire Linux kernel — 28M lines of C across 63,000 files — in under 2 minutes. The resulting graph has 11.2M nodes and 18.3M edges. Query it instantly.

  • 11.2M nodes indexed
  • 18.3M edges resolved
  • 1m48s index time (24-core)
  • 85ms caller query latency

# Trace the full write() syscall path
$ sqry graph trace-path __x64_sys_write submit_bio
  __x64_sys_write → ksys_write → vfs_write
  → new_sync_write → ext4_file_write_iter
  → ext4_bio_write_folio → submit_bio
# Security audit: who calls copy_from_user?
$ sqry graph direct-callers copy_from_user --limit 5
  drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
  fs/read_write.c
  net/socket.c
  ... 2,847 more callers
# Dead code in staging drivers
$ sqry unused drivers/staging --scope function
  412 unused functions found
$ sqry ask "find authentication functions in rust"
Generated: sqry query "name~=/auth/ AND kind:function" --language rust
Confidence: 92%. Execute? [y/N]
$ sqry ask "who calls the login function"
Generated: sqry graph direct-callers "login"
Confidence: 96%. Execute? [y/N]
$ sqry ask "trace from main to database"
Generated: sqry graph trace-path "main" "database"
Confidence: 89%. Execute? [y/N]

NATURAL LANGUAGE

Ask in plain English.

sqry ask translates natural language into safe, validated sqry commands. A compact ML classifier (22M params, runs locally) achieves 99.75% intent accuracy with sub-3ms latency.

  • 4-tier confidence system (execute / confirm / disambiguate / reject)
  • Whitelist-only command generation — no shell injection
  • Unicode homoglyph detection
  • Works without ML model via rule-based fallback
  • Available as CLI, MCP tool, and LSP endpoint
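
A sketch of the kind of gate these bullets describe, added here as an example and not taken from sqry's code. The names `gate`, `has_homoglyph` and `to_command`, the allowlist contents (modelled on commands shown on this page), the tier cut-offs and the mixed-script check are all assumptions.

```rust
use std::process::Command;

#[derive(Debug, PartialEq)]
enum Tier { Execute, Confirm, Disambiguate, Reject }

// Allowlisted subcommand prefixes, mirroring commands shown on this page.
const ALLOWED: &[&[&str]] = &[
    &["query"],
    &["graph", "direct-callers"],
    &["graph", "trace-path"],
];

/// Stand-in homoglyph heuristic (assumption): flag a token that mixes ASCII
/// letters with non-ASCII letters, e.g. Cyrillic U+043E inside "login".
fn has_homoglyph(tok: &str) -> bool {
    tok.chars().any(|c| c.is_ascii_alphabetic())
        && tok.chars().any(|c| !c.is_ascii() && c.is_alphabetic())
}

/// Validate a generated argv and map the classifier confidence to a tier.
fn gate(argv: &[&str], confidence: f32) -> Tier {
    let Some(prefix) = ALLOWED.iter().find(|p| argv.starts_with(**p)) else {
        return Tier::Reject; // not an allowlisted subcommand
    };
    let operands = &argv[prefix.len()..];
    // User text may only fill operand slots: no flags, no look-alike letters.
    if operands.is_empty() || operands.iter().any(|a| a.starts_with('-') || has_homoglyph(a)) {
        return Tier::Reject;
    }
    // Assumed cut-offs; the page gives the four tiers but not their thresholds.
    match confidence {
        c if c >= 0.98 => Tier::Execute,
        c if c >= 0.85 => Tier::Confirm,
        c if c >= 0.60 => Tier::Disambiguate,
        _ => Tier::Reject,
    }
}

/// Build the process from argv directly; no shell ever parses the operands.
fn to_command(argv: &[&str]) -> Command {
    let mut cmd = Command::new("sqry");
    cmd.args(argv);
    cmd
}

fn main() {
    let argv = ["graph", "direct-callers", "login; id"]; // constructed input
    println!("{:?}, {} args", gate(&argv, 0.96), to_command(&argv).get_args().count());
    println!("{:?}", gate(&["graph", "direct-callers", "l\u{43e}gin"], 0.96));
}
```

Because the operand is passed as a single argv element, `login; id` reaches the tool as one symbol name and is never split on the semicolon.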

SECURITY & SUPPLY CHAIN

Built to be trusted.

Every release is signed, attested, and reproducible. We ship SBOMs with every binary, fuzz the parser continuously, and audit the entire dependency tree on every commit.

SLSA Level 2

Signed & attested builds

Every binary is signed with Sigstore keyless signing and ships with per-platform SLSA provenance. No long-lived keys — attestation flows through GitHub OIDC.

CycloneDX + SPDX

SBOM & vulnerability exchange

Every release ships CycloneDX and SPDX SBOMs, Grype vulnerability scans, and OpenVEX documents. Full dependency transparency for your compliance workflows.

cargo-vet + cargo-deny

Audited dependency tree

Every dependency is audited via cargo-vet with imports from Mozilla, Google, and Bytecode Alliance. License policy and CVE checks run on every commit.

libFuzzer + Miri

Continuous fuzzing & UB detection

The query parser is fuzzed on every PR and in extended nightly runs with AddressSanitizer. Miri checks for undefined behavior weekly. Malformed input tests cover all 34 language parsers.

cargo-mutants + llvm-cov

Mutation testing & coverage gates

Weekly mutation testing validates that tests catch real bugs, not just pass. LLVM-based code coverage with enforced thresholds. Clippy with zero-warning policy across all platforms.

cargo-geiger

Unsafe code tracking

Weekly cargo-geiger audits track every unsafe block across all crates. Quarterly security audits combine RustSec advisory checks, license enforcement, and supply chain verification.

# Verify binary signature
$ cosign verify-blob --bundle sqry-linux-x86_64.bundle sqry-linux-x86_64
  Verified OK
# Verify SLSA provenance
$ slsa-verifier verify-artifact sqry-linux-x86_64 \
    --provenance-path sqry-linux-x86_64-provenance.intoto.jsonl \
    --source-uri github.com/verivus-oss/sqry
  PASSED: Verified SLSA provenance

sqry is open source.

Support subscriptions fund continued development, priority bug fixes, and enterprise support.
