Python — Supported format
Python is a first-class format in Decoder. Upload a single .py, a ZIP, or import a GitHub repo and get static + malware findings.
What it is
Static + malware analysis tuned for Python idioms.
Why it's useful
Catches eval/exec misuse, hardcoded secrets, subprocess shell=True, pickle deserialisation, suspicious imports.
How Decoder implements it
Language-aware rules + manifest parsing for requirements.txt, pyproject.toml, Pipfile.
When to use it
Any Python project review.
When NOT to use it
Runtime profiling — Decoder is static-only.
Practical example
A call to pickle.loads on untrusted input is reported as CWE-502 / High.
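The following is an added illustration, not Decoder's own rule engine: a small ast-based checker that flags the call patterns named above (pickle.loads, eval/exec, subprocess with shell=True) and tags them with the CWE and severity a reviewer would expect. The sample source it scans is constructed inline; the rule names are invented for this example.

```python
"""Added example, not Decoder's code: minimal AST checker for Python idioms."""
import ast

def _dotted(node):
    """Return 'mod.attr' for Name/Attribute call targets, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def _shell_true(call):
    """True when the call passes shell=True as a literal keyword."""
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)

def scan(source: str):
    """Return (lineno, rule, cwe, severity) tuples, sorted by line.
    Note: 'from pickle import loads' aliases are not resolved here."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func)
        if name in ("eval", "exec"):
            findings.append((node.lineno, f"{name}-call", "CWE-95", "High"))
        elif name in ("pickle.loads", "pickle.load"):
            findings.append((node.lineno, "pickle-untrusted", "CWE-502", "High"))
        elif name and name.startswith("subprocess.") and _shell_true(node):
            findings.append((node.lineno, "subprocess-shell-true", "CWE-78", "High"))
    findings.sort()
    return findings

# Constructed sample: a request handler showing all three patterns.
SAMPLE = """\
import pickle, subprocess
def handler(request):
    obj = pickle.loads(request.body)         # untrusted bytes -> CWE-502
    subprocess.run(request.cmd, shell=True)  # caller input into a shell
    return eval(request.expr)
"""

if __name__ == "__main__":
    for line, rule, cwe, sev in scan(SAMPLE):
        print(f"line {line}: {rule} {cwe} / {sev}")
```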
Glossary
- CWE-502: Deserialisation of Untrusted Data.
Related
Static malware analysis inspects code and binaries without executing them. Decoder runs it locally on your upload and surfaces suspicious patterns, entropy spikes and known indicators — no API key required.
A leaked key is the most common breach vector. Decoder combines provider-specific regex (AWS, GitHub, Stripe…) with entropy to flag secrets that don't belong in code.
Most code in any modern project isn't yours. Decoder reads manifests and lockfiles to map the dependency surface and flag suspicious entries.