If web browsers are your main concern, the 'simple' answer would seem to be setting up a proxy (e.g. squid) with SSL interception. And informing your users you are doing this.
But that (as others have pointed out) doesn't buy you all that much, beyond opening up the door to more possibilities.
With Squid alone, you would get the source, destination site/URL, and size/mime-type of the upload (and most likely, source code will be exfiltrated as a compressed archive, so the mime-type seems unlikely to be all that useful).
You can enable ICAP in Squid to offload deeper inspection to something else, but I couldn't find an open-source DLP solution that supports ICAP - there are commercial ones.
It is possible to use ClamAV via ICAP, so possibly you could write some signatures in Clam to try and help with your use case.
Fundamentally, though, this is unlikely to really guard against people exfiltrating data (it is a matter of how determined/clever they would need to be, and I can't think of much that really raises that bar).
It may be better to mandate a working environment that limits the opportunities to exfiltrate in the first place (e.g. use something akin to a bastion host/jumphost on which source code can be accessed and worked on, but hopefully not downloaded - copying may be difficult to prevent).