Dependency Analysis — Inspecting third-party code
Most code in any modern project isn't yours. Decoder reads manifests and lockfiles to map the dependency surface and flag suspicious entries.
What it is
Static parse of manifests to enumerate packages, versions, and pinning state.
Why it's useful
Shows the real attack surface — typosquats, abandoned packages, unpinned ranges.
How Decoder implements it
Parses common manifests during repo/ZIP analysis and surfaces them in the Insights tab.
When to use it
Auditing any third-party project, especially before merging or shipping.
When NOT to use it
For runtime CVE tracking — pair with a dedicated SCA in CI.
Practical example
A package named reqeusts (typo) is flagged for review during a Python repo scan.
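The kind of check described above, as an added illustration rather than Decoder's own code: it parses a constructed requirements.txt, records whether each entry is pinned to an exact version, and flags names that nearly match a well-known package (the typosquat case). The KNOWN_PACKAGES set and the 0.85 similarity threshold are assumptions for the example; a real tool would compare against an index snapshot.

```python
"""Hypothetical dependency-surface check (example code, not Decoder's implementation)."""
import re
from difflib import SequenceMatcher

# Constructed allow-list of well-known names; a real tool would use a package-index snapshot.
KNOWN_PACKAGES = {"requests", "urllib3", "numpy", "flask", "django", "cryptography"}

# Constructed sample manifest, including the typosquat from the page's example.
SAMPLE_REQUIREMENTS = """\
# web stack
requests==2.31.0
reqeusts>=1.0
flask
django>=4.2,<5
numpy~=1.26
"""

# Simplified requirement line: a package name followed by an optional version specifier.
_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*?)$")


def parse_requirements(text):
    """Return (name, specifier, pinned) tuples; pinned means an exact == version."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        m = _LINE.match(line) if line else None
        if not m:
            continue
        name = m.group(1).lower().replace("_", "-")  # normalise like PEP 503
        spec = m.group(2).strip()
        pinned = spec.startswith("==") and "," not in spec and "*" not in spec
        entries.append((name, spec, pinned))
    return entries


def suspicious_name(name, known=KNOWN_PACKAGES, threshold=0.85):
    """Return the known package a name nearly matches (possible typosquat), else None."""
    if name in known:
        return None
    best = max(known, key=lambda k: SequenceMatcher(None, name, k).ratio())
    return best if SequenceMatcher(None, name, best).ratio() >= threshold else None


def review(text):
    """Collect findings worth a human look: unpinned ranges and near-miss names."""
    findings = []
    for name, spec, pinned in parse_requirements(text):
        if not pinned:
            findings.append((name, "unpinned", spec or "(any version)"))
        hit = suspicious_name(name)
        if hit:
            findings.append((name, "possible typosquat of", hit))
    return findings
```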
Glossary
- SCA: Software Composition Analysis — auditing third-party code.
- Lockfile: Pinned dependency manifest (package-lock.json, poetry.lock…).
Related
Supply chain security is about trusting the code you didn't write. Decoder helps inventory and inspect that surface during analysis.
Repository Analysis turns a codebase into something you can read, search and interrogate. Upload a ZIP or import a public GitHub project; Decoder indexes structure, runs static checks and gates AI features behind your own key.
Static malware analysis inspects code and binaries without executing them. Decoder runs it locally on your upload and surfaces suspicious patterns, entropy spikes and known indicators — no API key required.
Decoder accepts any public GitHub URL: it pulls the tree and runs the same analysis pipeline as a ZIP upload.
Python is a first-class format in Decoder. Upload a single .py, a ZIP, or import a GitHub repo and get static + malware findings.
JavaScript and TypeScript are first-class in Decoder. Upload single files, ZIPs, or import a GitHub repo.
Java is supported as a first-class format. Rules cover the common enterprise weakness classes mapped to CWE.