18
Tools analyzed
What each code intelligence tool can and can't build, based on architecture. 18 tools scored across 45 criteria. Interactive map, weight sliders, and evidence-based competitor analysis.
101
roam MCP tools (23 core)
139
roam CLI commands
2026-02-27
Last matrix refresh
Y-axis: analysis depth. X-axis: agent readiness. Click any point for details.
18 tools scored across 45 criteria in 7 categories. Adjust weights below to apply your own priorities.
Drag the sliders to reweight categories; map positions and total scores update in real time.
This scoring system was designed by the roam project maintainers. While 44 of 45 criteria (97%) are binary or count-based, three forms of bias remain: criteria selection (we chose what to measure), category weighting (we set the defaults), and assessment (we scored all competitors ourselves). The weight sliders, open-source data, and per-criterion visibility are mitigations.
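The reweighting the sliders perform is a normalized weighted sum over category scores. The sketch below illustrates the idea only; the category names, scores, and function name are hypothetical placeholders, not roam's actual data or API.

```python
def weighted_total(category_scores: dict[str, float],
                   weights: dict[str, float]) -> float:
    """Combine per-category scores (0-100) into one total, with the
    user-chosen weights normalized so they sum to 1."""
    total_weight = sum(weights.values())
    if total_weight == 0:
        raise ValueError("at least one weight must be non-zero")
    return sum(score * weights[cat]
               for cat, score in category_scores.items()) / total_weight

# Hypothetical example: doubling one category's weight shifts the total.
scores = {"analysis_depth": 80.0, "agent_readiness": 60.0}
print(weighted_total(scores, {"analysis_depth": 1.0, "agent_readiness": 1.0}))  # 70.0
print(weighted_total(scores, {"analysis_depth": 2.0, "agent_readiness": 1.0}))
```

Normalizing by the weight sum keeps totals comparable no matter how far the sliders are dragged.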
Architecture determines capability ceilings. Here's what each tool can and can't build -- and where roam stands honestly against each.
Static Analysis & Security
The enterprise standard for code quality. Full intra-function dataflow and taint propagation. Research-backed Cognitive Complexity (they defined the spec). Quality Gates (they invented the concept).
GitHub's security analysis engine. Full source-to-sink taint tracking with a custom query language for expressing complex vulnerability patterns. Powers GitHub Code Scanning and Copilot Autofix.
Fast structural pattern matching with a large community rules marketplace. Lightweight by design -- no persistent index, no dependency model. Semgrep Pro adds inter-procedural taint.
Code Intelligence (Our Space)
The closest MCP competitor by tool count. SCIP-based semantic indexing gives precise type-aware cross-references. Designed specifically for AI agent workflows with compound and batch operations.
Enterprise-scale code search and navigation across thousands of repositories. Invented the SCIP protocol for precise code intelligence. Code monitoring and batch changes.
Shares our architectural DNA -- tree-sitter parsing into a NetworkX graph with Louvain community detection. Simpler scope, focused on basic graph queries. 14 MCP tools.
Rust-based graph analysis engine with a Universal AST abstraction. Newer project, focused on fast parsing and multi-language AST uniformity. 20 MCP tools.
Behavioral Analysis
Git history as the primary data source. Temporal coupling, team dynamics, knowledge distribution. Behavioral signals that complement structural analysis. The only tool with deeper team-level analysis than roam.
Different architectures answer different questions. Understanding these trade-offs gives the complete picture beyond point comparisons.
SonarQube has 6,500+ rules because each rule is language-specific. "Don't use eval" exists as separate rules for JavaScript, Python, PHP, Ruby, Perl, and Groovy. "Max function length" is another 30 language-specific copies. ~200 unique concepts × 30 languages = 6,000+ rules.
Tools built on tree-sitter (roam, CodeGraphMCPServer, CodePrism) define rules that work across all supported languages from a single definition. One cross-language rule replaces 27 language-specific rules. 100 well-designed cross-language rules can match the coverage of 3,000+ per-language rules.
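The single-definition idea can be sketched as a rule written against a generic concept plus a per-language table that maps the concept onto each grammar's node type. Everything here is illustrative: the node-type names follow common tree-sitter grammar conventions, but the function and table are hypothetical, not roam's actual rule API.

```python
# One rule definition, many languages: the rule itself ("function body
# exceeds N lines") is written once, and a per-language mapping supplies
# each grammar's node type for "function".

MAX_FUNCTION_LINES = 50

# Generic concept -> tree-sitter node type, per language (assumed names).
FUNCTION_NODE = {
    "python": "function_definition",
    "javascript": "function_declaration",
    "go": "function_declaration",
    "rust": "function_item",
}

def check_function_length(node_type: str, start_line: int, end_line: int,
                          language: str) -> bool:
    """Return True if this node violates the rule. The logic is shared;
    only the FUNCTION_NODE lookup is language-specific."""
    if node_type != FUNCTION_NODE.get(language):
        return False
    return (end_line - start_line + 1) > MAX_FUNCTION_LINES

# A 120-line Python function violates; a 10-line Go function does not.
print(check_function_length("function_definition", 1, 120, "python"))  # True
print(check_function_length("function_declaration", 1, 10, "go"))      # False
```

Supporting a new language then means adding one table entry, not rewriting the rule.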
Rule-first tools (SonarQube, CodeQL, Semgrep) scan files individually against a catalog of patterns. They excel at: "Is this line vulnerable?" "Does this code match a known bad pattern?" Their strength is depth -- tracking data through variables, branches, and function calls to find exploitable paths.
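That "depth" can be made concrete with a toy source-to-sink taint propagation over straight-line statements. Real engines such as CodeQL and Semgrep Pro operate on parse trees or IR and handle branches and calls; this minimal sketch, with an assumed tuple encoding, only shows the core propagation step.

```python
# Toy taint tracking: statements are (kind, target, source) tuples.
# "source" marks untrusted input, "assign" propagates taint, and a
# "sink" reached by tainted data produces a finding.

def find_tainted_sinks(statements):
    tainted = set()
    findings = []
    for kind, target, source in statements:
        if kind == "source":          # e.g. reading user input
            tainted.add(target)
        elif kind == "assign":        # taint flows through assignment
            if source in tainted:
                tainted.add(target)
        elif kind == "sink":          # e.g. eval() or a SQL query
            if source in tainted:
                findings.append(source)
    return findings

program = [
    ("source", "user_input", None),
    ("assign", "query", "user_input"),
    ("sink",   None,     "query"),     # tainted data reaches the sink
    ("sink",   None,     "constant"),  # untainted: no finding
]
print(find_tainted_sinks(program))  # ['query']
```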
Graph-first tools (roam, CodeScene) model the codebase as a connected system and compute structural properties. They excel at: "What breaks if I change this?" "Where are the architectural bottlenecks?" "Which modules are too coupled?" Their strength is breadth -- seeing the forest, not just individual trees.
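The "what breaks if I change this?" question above is reverse reachability on a dependency graph. Graph-first tools hold such a graph persistently (the text mentions NetworkX in some implementations); the self-contained sketch below uses plain dicts and BFS, with hypothetical module names.

```python
from collections import deque

def impact_of_change(target: str, deps: dict[str, list[str]]) -> set[str]:
    """Reverse reachability: every module that transitively depends on
    `target`, i.e. everything that might break if `target` changes."""
    # Invert the edges: for each module, who depends on it?
    reverse: dict[str, list[str]] = {m: [] for m in deps}
    for mod, uses in deps.items():
        for used in uses:
            reverse[used].append(mod)
    # BFS over the reversed edges from the changed module.
    seen: set[str] = set()
    queue = deque([target])
    while queue:
        for dependent in reverse[queue.popleft()]:
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen

# Edges point from a module to the modules it depends on (assumed data).
deps = {
    "api":     ["auth", "db"],
    "auth":    ["db"],
    "billing": ["db", "auth"],
    "db":      [],
}
print(sorted(impact_of_change("db", deps)))  # ['api', 'auth', 'billing']
```

No per-line scan can answer this question, because the answer lives in the edges between files, not in any single file.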
These approaches are complementary: graph analysis finds architectural risks that no amount of line-level scanning can detect. Taint analysis finds security vulnerabilities that no graph algorithm can trace.
Tools evaluated but excluded from the landscape. They overlap with code intelligence in narrow ways but don't build a persistent structural model of your codebase.
Compact comparison aligned to the source tracker.
Based on primary product documentation, public repositories, and direct feature verification. Scores are computed from 45 criteria across 7 categories: 44 are binary or count-based; one (documentation quality) is subjective and marked as such.
Snapshot date: February 27, 2026. Vendor claims change quickly; this page is version-pinned and refreshed with explicit evidence notes.