Severity Scoring — How Decoder ranks findings
Severity tells you what to fix first. Decoder normalises every finding into Critical / High / Medium / Low using signal strength, exploitability, and project context.
What it is
Normalised priority score across heterogeneous detectors (static, malware, secrets).
Why it's useful
Comparable triage across rule packs and languages.
How Decoder implements it
Each rule emits a base severity; Decoder then refines it using the entropy of the matched string (for secret-like findings), reachability hints (whether the flagged code appears to be reachable from an entry point), and the confidence of the detector that produced the finding. The refined score is mapped back onto Critical / High / Medium / Low so findings from different detectors can be sorted together.
When to use it
Sorting backlog, gating CI, building reports.
When NOT to use it
When you need a CVSS score: Decoder severity is policy-relative (it reflects Decoder's rule packs and project context), not CVSS-equivalent, so do not report it as a CVSS rating.
Practical example
Filter findings to Critical and High, then export that list to share with the security team; Medium and Low stay in the backlog.
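An illustrative scoring model covering both the implementation notes above and this example, added here as a worked example and not Decoder's own code: the field names, rule ids, weights, thresholds and the sample findings are all assumptions constructed for illustration. It normalises findings from three detectors (static, malware, secrets) into one scale, demotes low-entropy "secrets" and unreachable code, scales by detector confidence, and then exports only the Critical and High rows as CSV.

```python
"""Illustrative severity normaliser for heterogeneous findings.

Added example, not Decoder's code: field names, rule ids, thresholds and
the sample findings below are all constructed for illustration.
"""
import csv
import io
import math
from collections import Counter

# Base severity levels and the numeric weight each one starts from.
BASE_WEIGHT = {"Low": 1.0, "Medium": 2.0, "High": 3.0, "Critical": 4.0}

# Bits per character above which a matched string looks like a real secret
# rather than a placeholder such as "changeme" (assumed threshold).
SECRET_ENTROPY_BITS = 3.5


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character; 0.0 for empty or uniform input."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def score(finding: dict) -> float:
    """Numeric score in [0, 4]: base weight adjusted by entropy,
    reachability and confidence, then clamped."""
    s = BASE_WEIGHT[finding["base"]]
    # Secrets detector: high-entropy matches are more likely live credentials;
    # low-entropy matches are usually placeholders and sink sharply.
    if finding["detector"] == "secrets":
        bits = shannon_entropy(finding.get("match", ""))
        s += 0.5 if bits >= SECRET_ENTROPY_BITS else -1.5
    # Reachability hint: True promotes, False demotes, None (unknown) is neutral.
    reachable = finding.get("reachable")
    if reachable is True:
        s += 0.5
    elif reachable is False:
        s -= 1.0
    # Detector confidence (0..1) scales the whole score toward Low.
    s *= finding.get("confidence", 1.0)
    return round(max(0.0, min(4.0, s)), 2)


def normalise(finding: dict) -> str:
    """Map the numeric score onto Critical / High / Medium / Low."""
    s = score(finding)
    if s >= 3.5:
        return "Critical"
    if s >= 2.5:
        return "High"
    if s >= 1.5:
        return "Medium"
    return "Low"


def triage(findings: list) -> list:
    """Return findings annotated with score and severity, highest first."""
    rows = [dict(f, score=score(f), severity=normalise(f)) for f in findings]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def export_csv(findings: list, levels=("Critical", "High")) -> str:
    """CSV of the findings at the given levels, for sharing with the security team."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["id", "detector", "rule", "severity", "score"])
    for r in triage(findings):
        if r["severity"] in levels:
            writer.writerow([r["id"], r["detector"], r["rule"], r["severity"], r["score"]])
    return out.getvalue()


# Constructed sample findings from three detectors (ids and rules are made up;
# the AWS key is the placeholder value from AWS's own documentation).
SAMPLE_FINDINGS = [
    {"id": "SAST-089", "detector": "static", "rule": "sql-injection",
     "base": "High", "reachable": True, "confidence": 0.9},
    {"id": "SEC-001", "detector": "secrets", "rule": "aws-access-key",
     "base": "Critical", "match": "AKIAIOSFODNN7EXAMPLE", "confidence": 0.95},
    {"id": "SEC-002", "detector": "secrets", "rule": "hardcoded-password",
     "base": "High", "match": "changeme", "confidence": 0.8},
    {"id": "MAL-017", "detector": "malware", "rule": "packed-section",
     "base": "Medium", "reachable": None, "confidence": 0.9},
    {"id": "SAST-120", "detector": "static", "rule": "xxe",
     "base": "Critical", "reachable": False, "confidence": 0.9},
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_FINDINGS))
```

Two points worth noting in the output: the hardcoded "changeme" drops from High to Low purely on entropy, and the XXE finding drops from Critical to High because the reachability hint says the code is dead, so unreachable code never reaches the top of the export. A real scorer would keep the demoted rows visible rather than discarding them, which is why the export filters by level instead of deleting anything.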
Glossary
- Critical: Likely exploitable, immediate risk.
- Triage: Sorting findings by urgency before fixing.
Related
Static malware analysis inspects code and binaries without executing them. Decoder runs it locally on your upload and surfaces suspicious patterns, entropy spikes and known indicators — no API key required.
CWE (Common Weakness Enumeration) is the MITRE taxonomy of software weaknesses. Decoder attaches a CWE ID where applicable so findings are comparable across tools and reports.
SAST inspects source code to find security weaknesses before runtime. Decoder ships SAST as a free, no-key feature across 20+ languages.