See to the bottom of any codebase.

Paste a URL. CodeTrawl runs one deterministic sweep — full git history, AST-level structure, security, and supply chain — and shows its work. The surface grade orients you in seconds. The survey underneath — the full report, line by line — is the product.

public repos · free account · zero config · survey in ~60s
or try a sample —
sweep — github.com/demo

B+ · history · structure · security · supply chain
surface grade B+ · 82/100 · full survey ready — 41.3s · deterministic: same input, same survey

A surface grade orients — it isn't a gate. It points you straight at what to look at first; the survey beneath is where the work is.

COMPUTED, NEVER GENERATED — every grade and signal is deterministic: tree-sitter AST parsing · full-history git analysis · resolved dependency graphs. The model only narrates what was measured.

The grade is the surface.
The survey is the depth.

One sweep computes every signal — then keeps the working. Each line in the survey follows back to the commits, files, and manifests it was measured from.

[Pipeline diagram] Stages: acquire · parse · examine · decide
Nodes: github.com/owner/repo · clone (blobless · in-memory) · parse (tree-sitter · 8 langs) · history · structure · security · supply · signals (20 deterministic) · B+ surface grade · briefing (AI narrates only)

one pass · ~60s · deterministic end to end — the model never sits between the signals and the grade

src/server/render.tsx — churn 47 × complexity 19 · hotspot
1 high advisory — devDependency only, no runtime path · advisory, scoped
packages/core — 81% of changes by one author · bus factor 1

Four lenses. One sweep.

History, structure, security, supply chain — four ways of reading a codebase, computed in the same pass.

01

Git history

Churn × complexity hotspots and bus factor from the full commit graph — plus PR cycle time from recent pull requests.

58,712 commits read
02

Structure

tree-sitter ASTs across 8 languages — call graphs, class maps, import cycles, dead ends.

41,330 call edges
03

Security

Secret scanning, dynamic-execution patterns, known supply-chain incidents — matched against the record, not guessed.

0 secrets found
04

Supply chain

Dependencies resolved across npm, Cargo, and PyPI — advisories scoped runtime vs dev before they count.

runtime 38% · dev 62% · 1,204 deps resolved

What the survey actually shows.

Six of the views CodeTrawl renders from a sweep — real layouts, real data. Pick one.

Health scoring

One repository, one verdict.

Four departments vote from deterministic signals. The grade is their sum, capped by the worst outcome — never an AI's opinion.

AI narrates. It never decides.

computed by the machine
  • Runs the sweep — git history, ASTs, dependency graphs, security scans
  • Computes every signal and the grade — deterministically
  • Same input, same survey — re-run it and diff the results
  • Stamps every claim with a signal id you can follow to the evidence
allowed for the model
  • Writes the briefing — plain language over computed signals
  • Cites only what the sweep measured — nothing invented
  • Never scores, never decides, never overrides a signal
  • Optional — the survey stands complete without it

Repos are cloned in memory, read once, and discarded — we keep the findings, never your files. Public repos are free; private repos run on paid plans.


One sweep. Four subscriptions.

Capability comparison: SonarQube, CodeScene, Snyk, and CodeTrawl
| Capability | SonarQube | CodeScene | Snyk | CodeTrawl |
| --- | --- | --- | --- | --- |
| Git-history forensics — hotspots, bus factor | no | yes | no | yes |
| AST structure — call graphs, import cycles | partial | partial | partial | yes |
| Dependency advisories across ecosystems | partial | no | yes | yes |
| Secrets & risky-execution patterns | yes | no | partial | yes |
| One synthesized grade for the whole repo | partial | partial | no | yes |
| Paste any public URL — no repo connection, no install, no CI | no | partial | no | yes |

Capability mapping from public product documentation, 2026 — point tools go deeper on their own gauge; none combines all four.

Run all four on your repo

Free for public repositories. Paid plans unlock the full survey.
