May 18, 2026

Sourcegraph self-hosted 7.3

Highlights

Quantitative answers in Deep Search

Deep Search can now count, rank, and aggregate across search results, not just find them.

Deep Search has always been good at finding and explaining code. It can now also count, rank, and aggregate it without blowing up the context window.

A new sandboxed scripting tool lets the agent run programmatic aggregations across many searches in a single turn. Questions that don't fit into a single query, e.g. top-N rankings, cross-search joins, distributions across many files, can now be answered end-to-end, with every underlying search still cited so you can verify how the answer was assembled.

With the new tool, Deep Search offers Code Search's depth and exhaustivity combined with agentic reasoning capabilities for computing complex results behind a natural language prompt. When a question calls for exhaustive research, the agent fans out, processes every match across many precise queries, and aggregates them into the answer.

For example, ask Deep Search: "In github.com/kubernetes/kubernetes, who left the most TODO(<username>) comments? Show the top 15." Deep Search iterates through every match, groups by author, and returns a ranked table, instead of just the first page of hits.

The same shape unlocks questions that previously meant exporting search results and scripting against them yourself:

"How far along is the interface{} → any migration in golang/go? Break it down by top-level package."
"In microsoft/vscode, which files have been touched in the most fix/bugfix commits in the last 6 months, and who's been fixing them?"
"List the top 20 internal Go packages in sourcegraph/sourcegraph by number of distinct other internal packages that import them."
"Which files were most frequently modified in the past year and who made changes to them?"
"What's the total of all resources (cpu + mem) across all deployments on k8s in myorg/infra?"

Smart hover summaries now in Beta

Smart hover summaries leverage precise code intelligence data to show key architectural details of your code on hover.

Smart hover summary demo

When precise code intelligence is available, you now get a summary of the meaning of the symbol, and usage of the symbol across the codebase. In combination with the precise code intelligence hover information, this often saves the need to jump to a symbol and back which interrupts the flow of reading, and simplifies understanding complex codebases. Linked citations can even serve as an alternative to traditional code navigation.

Summaries are powered by a small, fast model, but only compiler-grade precise code intelligence data is used to inform the LLM of actual usage patterns across your repositories, allowing the LLM to cite factual usage locations in its answers - even across repositories.

Smart hover summaries are a Beta feature. The feature may become billable with credits once it becomes generally available.

Please share feedback on this feature with us at [email protected] or via your customer success manager. For information, see the documentation

Search contexts in Deep Search

Use search contexts in Deep Search to ask questions within a set of repositories.

Search contexts are used to scope searches in code search. Now, you can do the same for Deep Search to guide the response to a specific domain. The users default search context is pre-selected.

This makes it easier to investigate a team area or large set of repositories without rewriting your prompt or repeating filters in every question. Teams can reuse the search contexts they already maintain in Code Search instead of redefining where Deep Search should look in every prompt. Follow-up questions keep the current scope by default, and you can change it directly from the follow-up composer when you need to investigate a different area.

Granular admin permissions via RBAC

Administrator privileges can now be delegated through granular RBAC permissions, you can grant users only the admin capabilities they need without making them full administrators.

Administration on Sourcegraph has historically been an all-or-nothing decision: either a user was an administrator and could do everything, or they weren't and couldn't access any admin surface. We've replaced this with a set of fine-grained RBAC permissions that map onto distinct admin responsibilities. Now you can grant users exactly the access they need and nothing more.

Eight new permission namespaces are available in the role editor (Site admin → Users & auth → Roles), each grantable independently to any role.

Repository management — add, modify, and delete repositories and code host connections; view repository statistics, mirror state, and recorded git commands; trigger reindex, reclone, optimize, and disk-cleanup operations.
User management — create, modify, and delete users, organizations, and roles; manage access requests; view survey responses and pending permissions.
Access tokens — list access tokens across the instance, create tokens on behalf of other users, and create site-admin:sudo-scoped tokens.
Advanced configuration — view and edit site configuration, auth providers, SMTP, and other instance-level settings.
Integration management — view and configure integrations such as Slack and outbound webhooks.
Notifications — view, dismiss, and create administrator notifications, and send test emails from the instance.
Out-of-band migrations — view and modify the direction of out-of-band database migrations.
Entitlements — create, update, and delete entitlements and manage user grants.

Each namespace exposes READ and WRITE actions (where applicable) so that you can give someone visibility into an admin surface without granting them the ability to change it.

Several of these are flagged as high-trust permissions in the role editor — for example, ADVANCED_CONFIG#WRITE, USER_MANAGEMENT#WRITE, ACCESS_TOKENS#WRITE, NOTIFICATIONS#WRITE, OOB_MIGRATIONS#WRITE, INTEGRATION_MANAGEMENT#WRITE, and REPO_MANAGEMENT#READ — because the capability they grant is effectively equivalent to administrator access for that area of the product. Treat them accordingly when assigning roles.

How it works

Administrators continue to receive every permission by default, so existing deployments behave exactly as they did before the change. New permissions added by an upgrade are granted to the built-in SITE_ADMINISTRATOR role automatically, and a small set of grandfathering rules ensure that newly restrictive permissions don't break workflows on older installs.

To delegate admin capabilities, create or edit a role and check the permissions for the relevant namespace. Users assigned that role will gain access to exactly the admin endpoints those permissions cover — and nothing else.

Example roles

Here are a few roles that may be useful for your Sourcegraph instance:

Repository operator — REPO_MANAGEMENT#READ, REPO_MANAGEMENT#WRITE. Can connect code hosts, add/remove repositories, inspect mirror state, and trigger reclone/reindex operations without seeing user data or site configuration.
Support engineer — USER_MANAGEMENT#READ, REPO_MANAGEMENT#READ, NOTIFICATIONS#READ. Read-only access to the surfaces needed to triage customer tickets without the ability to change anything.
Identity admin — USER_MANAGEMENT#READ, USER_MANAGEMENT#WRITE, ACCESS_TOKENS#READ. Owns user, org, and access-request lifecycle; can audit access tokens but cannot mint sudo tokens.
Integrations owner — INTEGRATION_MANAGEMENT#READ, INTEGRATION_MANAGEMENT#WRITE, NOTIFICATIONS#WRITE. Manages outbound webhooks, Slack, and operational notifications for the instance.
Release/migrations engineer — OOB_MIGRATIONS#READ, OOB_MIGRATIONS#WRITE, ADVANCED_CONFIG#READ. Can drive out-of-band migrations during upgrades and inspect site configuration without modifying it.
Billing/entitlements admin — ENTITLEMENTS#READ, ENTITLEMENTS#WRITE, USER_MANAGEMENT#READ. Manages entitlements and user grants without broader admin reach.
Read-only auditor — every #READ permission and no #WRITE. Useful for compliance reviewers who need full visibility into the admin surface without any ability to make changes.

A new compare page: now in Beta

Making it easier to understand large changes.

We are introducing a new compare page for viewing changes between two revisions.

The new compare page

As more and more code is written and generated, looking at and understanding changes remains a critical part in the software development life cycle. For a long time the diff view experience in Sourcegraph hasn't been improved and, frankly, hasn't been up to the level of quality that we have set for ourselves. It's also been lacking capabilities of other diff viewers that developers are used to.

We are taking the first step towards improving the diff view experience. We've made the following improvements over the existing compare page:

Tree of changed files for overview and quick navigation
Various filter types (file extension, file name, focus on/hide folder)
The ability to mark files as viewed
Full file view of the before/after version with code intelligence support

All this scales well to diffs with thousands of files.

This is just the beginning. We will heavily iterate on this in the near future and try out new features to help you understand large changes. If for some reason the new diff viewer doesn't fit your workflow, you can disable (and re-enable) the new view via a toggle on the page itself. In that case please let us know why it doesn't work for you to better understand your workflow.

Happy diffing!

Search your Git graph in Deep Search

Pinpoint where a commit or fix lives across branches, tags, and releases.

Deep Search can now search Git tags, ancestry, and commits on any branch to pinpoint where a change lives in your Git history.

For example, ask Deep Search: "In Kubernetes v1.29, a regression was introduced where the apiserver_watch_events_sizes metric stopped reporting total outgoing watch event traffic. How many versions shipped with the bug before it was resolved?"

Deep Search can also handle the same kind of questions across any repository you have access to:

"Which version introduced feature X?"
"Which releases shipped with the vulnerable dependency?"
"Has this refactor landed on any branch yet?"
"Did we cherry-pick this fix into our release branch?"

Try it today, and please share feedback with us at [email protected] or via your customer success manager!

Details

Improvements

Deep Search Support search contexts in list-repos

Support search contexts in the List Repos tool. The tool now uses a search-based implementation, following the same design as other Deep Search tools such as Keyword Search and NLS Search.
Deep Search Improve share link UI with standard components
Deep Search Improve search context lookup

Search context lookup now matches by visible name, namespace, and full spec format, making it easier to find contexts using partial queries.
Deep Search Make diff search accept array of authors

Diff search can now filter by multiple authors.
Deep Search Add Deep Search scope keyboard shortcut

Added keyboard shortcut (Cmd/Ctrl+Shift+,) to open the scope picker directly from the Deep Search composer.
Deep Search Evaluator tool for code execution

Added a code execution 'evaluator' tool to Deep Search that allows sandboxed Lua scripts to call keyword, regex, commit or diff searches and process results programmatically.
Deep Search Default DS Sonnet 4.6 feature flag to true

Deep Search now uses Sonnet 4.6 as the main agent model.
Deep Search Add list_refs, check_ancestry tools for improved versioning searches

Deep Search can now more efficiently answer questions about which versions and releases contain a specific commit or fix.
Code Search Upgrade zoekt for gitindex perf improvements

Upgraded zoekt dependency to include a 21% performance improvement in git indexing time
Code Nav Replace inline hotkey indicator with tooltip on blame toggle
Code Nav Support gherkin highlighting

Tree-sitter syntax highlighting support for Gherkin/Cucumber .feature files.
Code Intel Make maximum ancestors considered in upload detection configurable

SRC_CODE_INTEL_COMMIT_GRAPH_MAX_ANCESTORS can now be set to alter the default of 100.
Batch Changes Add commit signing toggle to OAuth credential flow

Added commit signing toggle to OAuth credential configuration flow for batch changes. Users can now enable SSH commit signing when configuring credentials via OAuth (GitHub, GitLab), matching the functionality previously available only in the PAT flow.
Administration Show last event received date for webhooks
Administration SITE_CONFIG, EXTSVC_CONFIG json support

As an alternative to SITE_CONFIG_FILE and EXTSVC_CONFIG_FILE, the entire contents of advanced configuration and external service configuration can now be provided using SITE_CONFIG and EXTSVC_CONFIG respectively.
Authentication Retry oauth2 refresh tokens after transient errors

Automatically retry OAuth2 refresh tokens after transient errors, improving authentication reliability and reducing the need for manual reconnection.
Authentication User notification for expired credentials

Notify users when their account credentials have expired, prompting them to reconnect.
Authentication Show reconnect button when connection expired

A Reconnect button now appears on the user settings security page when an authentication token has expired, allowing users to easily re-establish their connection.
Authentication Customize sign-in page "Contact your site admin" message

Admins can now customize the sign-in page message when built-in sign-up and access requests are disabled using the new auth.accessRequest.disabledMessage site config field (supports Markdown).
Compare Rearrange file tree layout and align with VS Code styling

Reorganized file tree panel to show reviewed status inline and moved file stats to bottom of page. Updated file tree styling to match VS Code: removed folder icons and aligned file icons with folder toggle buttons.
Compare Wrap long lines in unified mode

Long lines in unified diff mode now wrap instead of extending horizontally
Compare Improve focused file recovery after filtering
Compare Add labels for file changes and autocollapse deleted files

Added visual badges to indicate added, removed, and renamed files in the compare view. Deleted files are now automatically collapsed by default.
Compare Add level lines and condense tree view

Added visual level lines to the file tree view to improve readability of deeply nested directory structures. The tree view is now more condensed with slightly smaller item sizes.
Executors Add runtime class env to be able to set gvisor on k8s jobs

Kubernetes jobs launched by the executor service can now be configured with a runtime class via the EXECUTOR_KUBERNETES_RUNTIME_CLASS environment variable.
Executors Move secrets under their domain settings
GitHub Link webhooks to apps correctly and clean up when app deleted

When creating a GitHub App from Sourcegraph, the corresponding webhook handler is now linked to the App, and deleting the App in Sourcegraph deletes the webhook handler as well.
Inference Add support for Opus 4.7

Added support for Opus 4.7 model in Cody with adaptive thinking.
MCP Expose evaluator tool

Exposed the evaluator tool on MCP endpoints.
RBAC Add observability management admin rbac perms

Added new OBSERVABILITY#{READ,WRITE} RBAC permissions that gate access to observability and debugging admin endpoints (outbound requests, slow requests, gitserver info, background jobs, search stats, observability test alerts).
RBAC Add code host management admin RBAC permission

Add a dedicated EXTERNAL_SERVICES RBAC namespace gating code host configuration (replacing prior site-admin and REPO_MANAGEMENT checks), grant admin UI access to its holders, and surface a high-trust warning for EXTERNAL_SERVICES#WRITE.
RBAC Add executor secret management admin permission

Added EXECUTOR_SECRETS#READ and EXECUTOR_SECRETS#WRITE RBAC permissions to allow delegated executor secret administration without requiring full site-admin privileges.
RBAC Add out of band migration admin rbac permissions

Added new OOB_MIGRATIONS#{READ,WRITE} RBAC permissions that gate access to the out-of-band migrations admin endpoints.
RBAC Add notification read/write RBAC admin permissions

Added new NOTIFICATIONS#READ and NOTIFICATIONS#WRITE RBAC permissions for controlling access to admin notifications and test email sending
RBAC Add access request management to user management admin permission

Access request management now uses the USER_MANAGEMENT#{READ,WRITE} RBAC permissions instead of the static site-admin check.
RBAC Create access tokens auth admin permission

Access token management and auth provider validation endpoints now use ACCESS_TOKENS#READ and ACCESS_TOKENS#WRITE RBAC permissions instead of requiring site-admin status, allowing delegated access token administration without full site-admin privileges.
RBAC Add user management admin permissions

Non-site-admin users can now manage users, organizations, roles, and permissions when explicitly granted USER_MANAGEMENT#{READ,WRITE} RBAC permissions.
RBAC Add integration management admin permissions

Added INTEGRATION_MANAGEMENT#{READ,WRITE} RBAC permission to allow non-site-admin users to manage Slack, incoming webhook, and outbound webhook integrations
RBAC Add entitlement admin permissions

Non-site-admin users can now manage entitlements when explicitly granted ENTITLEMENT#{READ,WRITE} RBAC permissions.
RBAC Implement Batch Changes read-only permission

Implemented the BATCH_CHANGES#READ permission. This enables administrators to create a role where users can view, but not edit or create Batch Changes.
Repositories Add branch compare links

Added a Compare action to repository branch listings to open the compare view for a branch.
Smart hover summaries Enforce and consume entitlements

Smart hover summaries now support entitlements.
UI Upgrade Monaco to 0.55

Upgrade Monaco editor to 0.55.
Cloud Prevent modification of infrastructure-managed advanced configuration fields

In Sourcegraph Cloud, some site config fields are no longer configurable by customers, such as auth.allowedIpAddress, as they are managed by our infrastructure.
Credits Add credit usage notification, replacing Deep-Search-specific notification

Admin notifications now alert when credit balance is low, with thresholds at 50%, 25%, 10%, 5%, and 0% remaining.
Emails Allow adding additional emails to SCIM controlled users

SCIM-managed users can now add additional non-primary emails
Entitlements Support zero-value limits to fully block feature access

Admins can now set entitlement limits to zero to fully block user access to a feature.
Entitlements Add smart hover summary entitlement

Add entitlements for smart hover summary, enabling site admins to configure usage limits for the feature.
Entitlements Add monthly (30-day) window option

Added monthly (30-day) window option for entitlements
Notifications Add user notifications system

Users are notified when repository permissions are being synced for the first time and when the sync completes.
Organizations Allow underscores in organization names

Fixes

Deep Search Improve prompting for search context usage
Deep Search Render '1-end' fallbacks for partial read_file line range

Fixed visual bug where the read_file tool in Deep Search showed "undefined" if the line range wasn't explicitly set. Now falls back to "1" for a missing start line and "end" for a missing end line, matching how the backend handles missing bounds.
Deep Search Pluralize "more ranges" label in file citations

Fixed pluralization of "more ranges" label in file citations to correctly show singular form when only one range is present
Deep Search Pluralize "files" label in compare-revisions tool
Deep Search Fix copy file path button layout in sources sidebar
Deep Search Show error when reasoning consumes entire output budget

Deep Search now displays an error message when reasoning consumes the entire output budget, preventing users from seeing a blank response.
Deep Search Include revisions in code search tool results

Deep Search keyword and NLS search results now include repository revisions in file and repo results.
Deep Search Revert automatic application of default search context
Deep Search Gate search context selector behind feature flag
Deep Search Revert list_repos search context scoping
Deep Search Bound fork title prompt size

Fixed Deep Search title generation failing with "context length exceeded" on deeply forked conversations.
Deep Search Scope list_repos by search context id

Scoped listRepos to the active search context when a repo-defined search context is selected.
Deep Search Recover from failed conversation creation
Deep Search Drop buggy NEW IS NOT NULL guard in search-queue trigger

Fixes a bug where some deep search conversations were not indexed for conversation search. This change triggers a full rebuild of the search index for conversation search, which happens in the background.
Deep Search Fix conversation search after title changes

Conversation search now correctly finds conversations after their titles have been changed.
Code Search Fix vertical alignment of DisplayPath
Code Search Fix search.contextLines user setting
Code Search Fix copy button positioning
Code Search Fix slash-prefixed fuzzy finder file path searches

Fixed a bug where "/"-delimited regex patterns were incorrectly detected in the Fuzzy Finder, which especially for path queries could lead to zero search results.
Code Search Preserve regex escapes in slash-delimited patterns

Slash-delimited inline regex queries now preserve regex escapes and behave like patterntype:regexp.
Code Search Fix resizable panel behavior and layout distribution
- Fixed symbol tree panel failing to expand after switching to Deep Search
- Fixed symbol tree and search preview panels jumping unexpectedly on window resize
- Fixed layout distribution to prevent unnecessary collapse of fixed-size panels
Code Search Prevent dynamic filter items from shifting on selection
Code Search Classify canceled searches separately

Canceled searches are now classified separately from application errors, preventing false-positive SLO burn alerts from normal product behavior.
Code Search Fix search page result indicator overflow
Code Search Select suggestions by position

Fixed an issue where multiple suggestion rows could appear selected simultaneously during Query assist refreshes
Code Search Intersect identical rev:at.time revisions across repo patterns
Code Search Fix inverted logic in commit date filter suggestions

Fixed incorrect commit date filter suggestions for "Last week" and "Last month" options, which were using before: instead of after:.
Batch Changes Reject unsupported pushed-only changesets

Batch Changes now rejects pushed-only changesets for unsupported code hosts (Bitbucket Cloud) instead of accepting them and failing during reconciliation.
Batch Changes Tolerate missing Bitbucket Cloud PR links

Fixed a batch changes UI error when Bitbucket Cloud pull request metadata is missing its HTML link.
Batch Changes Fix null fk constraint

Fixed foreign key constraint violation when re-running batch specs with previously-applied changesets
Batch Changes Wire monaco-yaml worker for batch spec editor
Batch Changes Improve select all of changesets on batch changes preview page

The Select all button now appears consistently and is more responsive while selecting all changesets on the preview page.
Batch Changes Improve select all of changesets on batch changes detail page

Select All on the batch changes changeset details page will now lazy select all changesets.
Administration Show 'next sync pending' when next sync is a time in the past

Fixed the code host connections page displaying confusing text like "Next sync 4 minutes ago" when a sync was overdue or running. It now shows "Next sync pending." instead.
Administration Clean up outbound requests page styling
Authentication Resolve GitHub OAuth endpoints against base URL

Fixed incorrect paths used for GitHub OAuth token refreshes
Authentication Bcrypt 72-byte password limit by SHA-512 pre-hashing

Built-in auth now accepts passwords longer than 72 UTF-8 bytes. Existing hashes continue to work and are migrated on next successful login.
Authentication Preserve permissions on transient 401 after OAuth refresh

Preserve user permissions when a 401 error occurs immediately after a successful OAuth token refresh, treating it as a transient error rather than a credential revocation. This prevents unnecessary permission wipes caused by GitLab's token rotation eventual consistency and concurrent refresh race conditions.
Authentication Add sign out button to password reset page
Authentication DCR ignores ports for loopback redirect URIs

MCP clients using random ports in redirect URIs no longer require reauthentication when the port changes.
Code Insights Prevent sequence overflow on repo_names upserts
Code Insights Map RevisionNotFoundError(HEAD) to EmptyRepoErr in GitFirstEverCommit
Compare Set document title to include compared revisions
Compare Remove header border radius in single file view
Compare Fix full file view decoration errors
Compare Correctly set scroll indicator position after switching to list view
GitLab Update GitLab native integration for compatibility and dark mode
- Fixed GraphQL API requests by adding required Content-Type header
- Fixed code intelligence hover popovers by updating permalink selector for modern GitLab versions
- Added dark mode support for code intelligence hover overlays
- Updated Sourcegraph logo in hover overlay
GraphQL Restore repository createdAt field

Restored the GraphQL field Repository.createdAt to return the persisted repository timestamp instead of synthetic time.Now() data.
Licensing Fix config watcher to write license state to correct Redis key

Fixed license key changes taking up to an hour to take effect.
MCP Guard typed-nil tool telemetry results
Permissions Filter user_external_accounts to AUTH kind perms paths
RBAC Improve RBAC permission error message formatting

Improved RBAC permission error message formatting for better readability (e.g. "missing READ permission for REPO_MANAGEMENT" instead of "user is missing permission REPO_MANAGEMENT#READ").
Repositories Fix stacking order isolation in repository area pages

Fixed z-index stacking order issues in repository area pages that caused UI elements to overlap with the header search input suggestions panel.
Security Upgrade github.com/go-jose/go-jose

Upgraded github.com/go-jose/go-jose to address CVE-2026-34986, a potential denial of service vulnerability in JSON Web Encryption decryption.
UI Show current repo name in open-in-editor path example

The "Set your preferred editor" popover now shows the current repository name in the path example instead of a hardcoded placeholder.
UI Revert Svelte version to 5.34.3 to fix collapsible panel resizing

Fixed collapsible panel resizing that was broken with Svelte 5.55.0.
UI Incorrect schema validation of Bitbucket Server

Fixed syntax validation for Bitbucket Server code host connection configuration
UI Polish web app UI components
- Adjusted core navigation popover positioning
- Fixed button shadows in icon variant
- Fixed code insights creation UI layout
- Removed pressed translation CSS rule to prevent layout shifts
- Fixed resizable panel bug when conditionally rendering panels
- Simplified search result UI by removing unnecessary headings
External Services Relax external service schema validation
Frontend Handle /-/logout and guard middleware against nil next
Notifications Prevent message hint from breaking popover layout
Notifications Automatically clear repository sync failure notification

Repository sync failure notifications are automatically cleared after a successful sync
Otel Collector Bind OTLP receiver to 0.0.0.0 in jaeger.yaml

Fixed OTLP receiver in bundled jaeger.yaml to accept cluster traffic by binding to 0.0.0.0:4317 (gRPC) and 0.0.0.0:4318 (HTTP). Previously, after otelcol v0.104.0, the receiver defaulted to 127.0.0.1 and silently dropped traces from other pods.
Searcher Count content matches when both path and content match

In non-indexed regex search, when both path and content matching are enabled, searcher now evaluates content even when paths match, ensuring content matches contribute to result counts and aligning counting semantics with indexed search.
Webhooks Fix GitHub icon visibility in dark mode

Removed

Code Intel Remove squirrel callers from frontend

Hover tooltips, highlights, and basic code navigation in search-based mode are now powered by Syntactic code navigation.
Squirrel Remove squirrel backend