Artificial Intelligence

How to Build a Knowledge Graph from Enterprise Source Code

Michel Ozzello
by Michel Ozzello
How to build a knowledge graph from source code

TL;DR A code knowledge graph transforms a codebase from a collection of text files into a structured, queryable model of how the system actually works. The architecture involves five phases: AST parsing, relationship extraction, graph storage, incremental updates, and agent delivery via MCP. Open-source tools like GitNexus, Potpie AI, and CodeGraph have proven the approach works for individual developers. CoreStory's Code Intelligence Model applies the same architecture at enterprise scale — multiple languages, millions of lines of code, and validated business rule extraction.

Why a Knowledge Graph Is the Right Model for Code

Source code is inherently relational. A function calls other functions. A class inherits from a parent. A service depends on other services. A business rule spans multiple files across several modules. These relationships are the architecture, and they're invisible to tools that treat code as text.

Vector-based approaches (embeddings and RAG) treat code like any other text: split it into chunks, embed it, and retrieve by semantic similarity. That works for finding code that looks similar to a query. But it fails at structural questions: "What calls this function?", "What happens when a payment fails?", "Which services are affected if I change this schema?". These are graph traversal problems, not similarity search problems.

A knowledge graph represents code entities (files, functions, classes, modules, services) as nodes and their relationships (calls, imports, inherits, defines, depends-on) as edges. This structure enables queries that follow execution paths, trace dependencies, and map the impact of changes — the exact operations that developers and AI agents need to work safely on large systems.

The distinction matters more than it seems. When an AI agent retrieves code via RAG, it gets a handful of text fragments that seem relevant. When it queries a knowledge graph, it gets the actual call chain, the real dependencies, and the complete context of how a piece of code fits into the system.

So how does all this work in practice?

Step 1: AST Parsing at Scale

The foundation of any code knowledge graph is Abstract Syntax Tree (AST) parsing. An AST is the compiler's representation of your source code: a tree structure that captures every function, class, variable, import, and expression in a machine-readable format.

Tree-sitter has become the dominant parser for code intelligence tools. It's the same parser GitHub uses for syntax highlighting, and it supports incremental parsing — meaning it can re-parse only the changed portions of a file instead of reprocessing the entire codebase. GitNexus, KiroGraph, Graphify, and Code Grapher all use Tree-sitter as their parsing layer.

What AST parsing extracts

Functions and methods: names, signatures, parameters, return types

Classes and interfaces: inheritance hierarchies, implemented interfaces, decorators

Import statements: cross-file dependencies, external library usage

Variable declarations: types, scopes, usage patterns

Export statements: public API surface of each module

The polyglot challenge

Enterprise codebases rarely use a single language. A typical system might combine Java backend services, TypeScript frontend applications, Python data pipelines, SQL stored procedures, and even COBOL mainframe modules. Each language has its own AST structure, its own relationship patterns, and its own idioms.

Most open-source code graph tools support between 4 and 14 languages. GitNexus supports deep semantic analysis for 8 languages (TypeScript, JavaScript, Python, Java, Go, Rust, PHP, Ruby). KiroGraph handles 24 node types across modern web languages. CoreStory supports all of the above and then some, including legacy languages like COBOL and RPG that most tools can't parse at all — this isn't a minor detail since if your knowledge graph can't parse the COBOL module that implements 60% of your business logic, the graph is missing the most important part of the system.

Step 2: Relationship Extraction

AST parsing gives you the nodes. Relationship extraction gives you the edges, and the edges are where the intelligence lives.

Core relationship types

RelationshipExampleWhy it matters
CALLSprocessPayment() → validateCard()Execution flow; change impact analysis
IMPORTSservice.ts imports auth.tsDependency tracking; breaking change detection
INHERITSPremiumUser extends BaseUserType hierarchies; polymorphism understanding
IMPLEMENTSPaymentService implements IPaymentProcessorInterface contracts; substitutability
DEFINESmodule defines calculateTax()Ownership; responsibility mapping
DATA_FLOWuserInput → sanitize() → databaseSecurity analysis; data lineage

The hard part is cross-file resolution. When a TypeScript file imports a function from another module, the parser needs to resolve that import to the actual definition, which might be re-exported through an index file, aliased under a different name, or defined in a completely different repository. Tools like GitNexus handle named bindings, re-export tracking, and constructor-inferred type resolution. At enterprise scale, this resolution becomes significantly more complex when services communicate via APIs, message queues, or shared databases rather than direct imports.

Step 3: Graph Storage and Query

Once you've extracted nodes and edges, you need a storage layer that supports efficient graph traversal. The dominant choice in the open-source ecosystem is Neo4j. Potpie AI, CodeGraph, and Code Grapher all use it as their graph database. GitNexus built its own lightweight format (LadybugDB), while KiroGraph uses SQLite for local-first operation.

The storage choice affects what queries are practical. A graph database supports queries like:

"Show me all callers of validatePayment() within 3 hops" (breadth-first traversal)

"Trace the complete execution path from HTTP request to database write" (depth-first traversal)

"What is the impact radius if I change the User schema?" (dependency fan-out)

"Find all dead code, functions that are defined but never called" (orphan detection)

These queries are natural operations on a graph database but extremely expensive or impossible with vector search. Try asking a RAG system "what is the impact radius of changing the User schema". It doesn't know, because impact radius is a graph property, not a text similarity property.

Step 4: Incremental Updates

A knowledge graph that requires full reprocessing on every commit is impractical for large codebases. The solution is git-diff-driven incremental updates: detect which files changed, re-parse only those files, update affected nodes and edges, and leave the rest of the graph intact.

KiroGraph reports up to 90% reduction in token usage for common read patterns when using an incrementally maintained graph versus raw file reading. Code Grapher implements surgical updates via its update_graph_from_diff tool. Graphify uses file-content hashing to determine which files need re-extraction, running AST rebuilds instantly on code changes without LLM calls.

At enterprise scale, incremental updates need to handle branch-based development, merge conflicts, and multi-repository changes. CoreStory's ingestion pipeline processes git diffs incrementally, updating the Code Intelligence Model without reprocessing the entire codebase. This is critical when you're dealing with repositories that contain millions of lines across dozens of services.

Step 5: Delivery — Making the Graph Useful to AI Agents

A knowledge graph is only valuable if agents can query it. The delivery layer is where the architecture connects to actual development workflows.

The industry has converged on MCP (Model Context Protocol) as the standard delivery mechanism. GitNexus, Code Grapher, KiroGraph, Graphify, and CoreStory all provide MCP servers that expose graph queries to AI coding agents. When an agent in Claude Code, Cursor, or Codex needs to understand part of the codebase, it queries the MCP server and receives structured results. These results are not raw code, but graph-derived intelligence about relationships, dependencies, and architecture.

The key architectural decision is what level of intelligence to deliver. Open-source tools typically serve raw graph data: nodes, edges, and traversal results. The agent then interprets this data using its own reasoning. CoreStory goes further: the CIM delivers pre-analyzed specifications (component descriptions, architecture summaries, and extracted business rules) so the agent receives understanding, not just data.

Knowledge Graph creation - from Source Code to Conde Context for humans and AI agents
Knowledge Graph creation - from  Source Code to Code Context for humans and AI agents

Enterprise-Scale Code Intelligence

CoreStory's Code Intelligence Model (CIM) follows this five-phase architecture, purpose-built for enterprise scale:

  • Polyglot AST parsing across multiple languages, including COBOL, RPG, and other legacy languages that open-source parsers don't support.
  • Relationship extraction that handles enterprise patterns: API calls between microservices, database queries, message queue consumers, and stored procedure invocations.
  • Persistent graph storage with incremental updates driven by git diffs.
  • AI-enhanced specification generation: the CIM doesn't just store the graph — it generates human-readable specifications from the structural analysis.
  • MCP delivery that serves structured intelligence to any compatible AI coding agent.

The open-source tools described in this article prove the architecture works. CoreStory is the production-grade implementation for teams that need polyglot support, enterprise scale, and validated output.

Benefits of a comprehensive Knowledge Graph

A well structured knowledge brings a series of advantages to the enterprise teams at all levels

Improving Developer Experience and Lowering "Cognitive Load"

  • A Knowledge Graph (KG) reduces "Onboarding Time" for new developers that are being brought to a project. They can ask, "Where does the data from this form eventually get stored?" and get a trace across three services, instead of having to navigate the code themselves, or ask other developers.
  • By using a knowledge graph, AI coding agents (like Cursor or Claude) stop hallucinating imports or using deprecated APIs because the graph enforces the actual dependency tree. This improves the quality of code outputs, which in turn reduces the effort of code validation and debugging by developers.

Improving "System Observability" for Architects

  • When considering the inter-service dependencies, a world-class knowledge graph includes Infrastructure-as-Code (IaC) — it doesn't just link COBOL to Java; it links the Java service to its Kubernetes config and its database schema.
  • While this article focuses on AST (static), the future is merging this with OpenTelemetry (dynamic) data to show which graph edges are most "active" or error-prone, providing unique perspectives over the actual live architecture.

Focusing on "Lower Risk with higher ROI" for CIOs:

  • When done well, the knowledge graph becomes the "Institutional Memory" that doesn't quit. When the senior developers retire, the knowledge graph remains as the documented map of their combined logic and decisions over the years of development. This is a strategic de-risking.
  • "Standard RAG" often leads to AI-generated code that breaks builds. Moving to a Code Intelligence Model (CIM) reduces "rework" costs by ensuring AI agents have 100% architectural context. This will have considerable impacts on the actual ROI of software development.

From Code to Intelligence

Building a knowledge graph from source code is no longer a research project. The architecture is proven: AST parsing, relationship extraction, graph storage, incremental updates, and MCP delivery. Open-source tools let individual developers experiment today.

For enterprise teams dealing with large, polyglot, legacy codebases, CoreStory's Code Intelligence Model is a production-ready implementation of this architecture, purpose-built for the scale and complexity that open-source tools aren't designed to handle.

See how CoreStory builds a Code Intelligence Model from your codebase. Talk to an expert →

Frequently Asked Questions

How is a code knowledge graph different from a code search index?

A search index helps you find code. A knowledge graph helps you understand code. Search indexes map text to locations; knowledge graphs map entities to relationships. The difference shows up when you need to trace execution paths, analyze change impact, or understand how components interact.

Can I build a code knowledge graph with open-source tools?

Yes. GitNexus, Potpie AI, CodeGraph, KiroGraph, Graphify, and Code Grapher all provide open-source or free implementations. They work well for single-language repositories under 500,000 lines. For enterprise-scale polyglot systems, you'll likely need a purpose-built platform.

How long does it take to index a codebase?

AST parsing is fast, and most tools report seconds to minutes for repositories under 100,000 lines. Incremental updates after the initial index are near-instantaneous. The bottleneck at enterprise scale is relationship resolution across services and languages, which is where CoreStory's purpose-built pipeline adds value.

Does the knowledge graph replace documentation?

No, but it can generate documentation as a byproduct. The primary value is structural intelligence: call graphs, component maps, business rules, and dependency relationships that are derived directly from code analysis, not manually written. This intelligence is what AI agents need to work safely on large systems.

Michel Ozzello
Michel Ozzello is a software engineer with over 30 years of experience.He started programming in the late 1980s—back when COBOL certifications were still a thing (yes, he has one). A lifelong technologist and investor in AI startups, he writes about software from the perspective of someone who has spent decades building it.

Related Posts

Swimm vs Mintlity vs CoreStory - code documentation tool comparison
Swimm vs Mintlify vs CoreStory: Code Documentation Tools vs Code Intelligence Platforms
MCP Servers for Codebase Context Ai Coding Agents Access
MCP Servers for Codebase Context: How AI Coding Agents Access Code Intelligence
How to Give AI Coding Agents Better Codebase Context
Agent Boosting: The Missing Workflow for Getting Real Results from AI Coding Agents
Deterministic AI Analysis: Why Consistent Results Matter for Enterprises
The Context Window Paradox: Why Throwing More Tokens at Legacy Code Doesn't Work