capability
Analysis
Repository Analysis

Repository Analysis turns a codebase into something you can read, search and interrogate. Upload a ZIP or import a public GitHub project; Decoder indexes structure, runs static checks and gates AI features behind your own key.

What it is

Whole-project ingest: tree, file metadata, language detection, per-file static signals.

Why it's useful

Replaces the 'clone, grep, hope' loop. You see the shape of the project, surface risky files first, then jump to AI explanations only where useful.

How Decoder implements it

ZIP or Git URL → server-side extraction (zip-slip and size guards) → per-file language + size metadata → static + malware pass → on-demand AI explain / chat using your BYOK or local model.
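
The zip-slip and size guards named in the pipeline above can be written as a check that runs before anything is extracted. This is an added example, not Decoder's code; the limits, the destination path, the function names and the sample archive are assumptions constructed for illustration.

```python
import io, os, stat, zipfile

MAX_TOTAL_BYTES = 50 * 1024 * 1024   # assumed cap on total uncompressed size
MAX_ENTRIES = 10_000                 # assumed cap on number of entries
MAX_RATIO = 100                      # assumed cap on per-entry compression ratio

def vet_zip(data: bytes, dest: str):
    """Return (accepted, rejected) entry lists; nothing is written to disk."""
    root = os.path.realpath(dest)
    accepted, rejected, total = [], [], 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            raise ValueError("too many entries")
        for info in infos:
            # Treat backslashes as separators so Windows-style names are caught too.
            name = info.filename.replace("\\", "/")
            target = os.path.realpath(os.path.join(root, name))
            if os.path.commonpath([root, target]) != root:
                rejected.append((info.filename, "zip-slip"))   # escapes dest
            elif stat.S_ISLNK(info.external_attr >> 16):
                rejected.append((info.filename, "symlink"))    # could redirect later writes
            elif info.file_size > MAX_RATIO * max(info.compress_size, 1):
                rejected.append((info.filename, "ratio"))      # decompression-bomb shape
            else:
                # Sizes here are header-declared; a real extractor must also
                # count bytes while streaming, since headers can lie.
                total += info.file_size
                if total > MAX_TOTAL_BYTES:
                    raise ValueError("archive exceeds size limit")
                accepted.append(info.filename)
    return accepted, rejected

def build_sample() -> bytes:
    """Constructed test archive: one benign file and three that must be refused."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("plugin/main.py", "print('hi')\n")
        zf.writestr("../../etc/cron.d/job", "x")          # relative traversal
        zf.writestr("/tmp/abs.txt", "x")                  # absolute path
        zf.writestr("plugin/pad.bin", b"\0" * 1_000_000)  # ~1000:1 ratio
    return buf.getvalue()

if __name__ == "__main__":
    ok, bad = vet_zip(build_sample(), "/srv/extract-demo")  # hypothetical dest
    print("accepted:", ok)
    print("rejected:", bad)
```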

When to use it

Onboarding to a new repo, reviewing a third-party drop, auditing an open-source dependency, triaging a suspected malicious archive.

When NOT to use it

Tracking long-lived diffs across many commits — use a code-review tool for that.

Practical example

Paste a public GitHub URL of an abandoned plugin: Decoder shows the file tree, flags two files with high-entropy strings, and lets you chat with the codebase before integrating it.

Glossary

Zip slip
Vulnerability where a crafted archive entry writes outside the extraction directory; Decoder rejects such entries.
Indexing
Building a queryable representation of a repository's files and metadata.

Related

format
ZIP Archive Analysis

ZIPs are the most common way to ship code and the most abused way to ship malware. Decoder ingests a ZIP server-side with hardened guards and exposes its content for review.

capability
Chat with Your Code

Chat with Your Code turns a repository into a queryable knowledge surface. Ask 'where is auth handled?' or 'what does this script do?' and get answers grounded in your actual files.

capability
AI-Origin Detection

AI-Origin Detection estimates whether a code artefact was likely produced by an LLM, and explains why. The goal is informed review, not gatekeeping.

capability
Static Malware Analysis

Static malware analysis inspects code and binaries without executing them. Decoder runs it locally on your upload and surfaces suspicious patterns, entropy spikes and known indicators — no API key required.

concept
BYOK — Bring Your Own Key

BYOK means you bring your own AI provider key. Decoder never proxies AI calls through a shared account: your key, your billing, your privacy boundary.

capability
Local AI Inference

Local AI lets you use Decoder's explain and chat features against a model running on your own hardware via Ollama or LM Studio — useful when code cannot leave your environment.

capability
Dependency Analysis — Inspecting third-party code

Most code in any modern project isn't yours. Decoder reads manifests and lockfiles to map the dependency surface and flag suspicious entries.

integration
GitHub Integration — Import a repo by URL

Decoder accepts any public GitHub URL: it pulls the tree and runs the same analysis pipeline as a ZIP upload.