Reachability Analysis
Reachability analysis is performed automatically during PR reviews to determine whether vulnerable code is reachable from external inputs. A vulnerability in a function you never invoke poses significantly less risk than one in your critical execution path.
Reachability data is shown as badges on SCA vulnerability findings and included in PR review impact analysis.
How It Works
During PR reviews, CodeStax builds a code graph for your repository and traces execution paths from your application’s entry points through call chains to determine whether vulnerable functions are reachable.
The analysis follows three steps:
- Entry point identification — Detect HTTP handlers, CLI commands, main functions, event listeners, and other application entry points.
- Call chain tracing — Follow function calls from entry points through your code and into dependencies.
- Dangerous sink detection — Identify whether the call chain reaches functions known to be associated with the vulnerability (e.g., deserialization, command execution, network calls).
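The three steps above, as an added toy example written for this page (it is not CodeStax's analyzer and does not reflect how CodeStax implements any of them): it parses a small constructed Flask-style program with Python's `ast` module, treats route-decorated functions and a top-level `main` as entry points, builds a call graph, and reports each dangerous sink using the status labels listed under Interpreting Results. The sink list, the entry-point heuristics and the sample program are all assumptions. A call whose target is only known at run time (the `JOBS[name]()` dispatch) is what produces Potentially Reachable here, and a sink that nothing calls comes out Unreachable.

```python
import ast
import builtins
from collections import deque

# Assumed sink list: fully qualified callee -> vulnerability class it is associated with.
DANGEROUS_SINKS = {"pickle.loads": "deserialization", "subprocess.call": "command execution",
                   "os.system": "command execution"}

SAMPLE_SOURCE = '''
# constructed sample application; not code from any real project
import os, pickle, subprocess
from flask import Flask, request
app = Flask(__name__)

@app.route("/profile", methods=["POST"])
def upload_profile():
    return load_profile(request.data)

def load_profile(blob):
    return pickle.loads(blob)               # deserialization sink

def archive(path):
    subprocess.call(["tar", "czf", path])   # command-execution sink
JOBS = {"archive": archive}                 # stored as a value, never called directly

@app.route("/jobs/<name>")
def run_job(name):
    return JOBS[name]()                     # callee is known only at run time

def cleanup():
    os.system("rm -rf /tmp/scratch")        # sink that nothing calls
'''

def _callee_name(func_node):
    """'pkg.attr' for attribute chains, 'name' for bare names, None if unresolvable."""
    parts, node = [], func_node
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else None

def _is_entry_point(fn):
    """Step 1 (heuristic): HTTP route decorators or a top-level main()."""
    targets = [d.func if isinstance(d, ast.Call) else d for d in fn.decorator_list]
    return fn.name == "main" or any(
        isinstance(t, ast.Attribute) and t.attr in {"route", "get", "post"} for t in targets)

def build_call_graph(tree):
    """Step 2: caller -> resolved callees, functions with unresolved calls, entry points, value refs."""
    functions = {n.name: n for n in tree.body if isinstance(n, ast.FunctionDef)}
    graph, dynamic = {name: set() for name in functions}, set()
    for name, fn in functions.items():
        for call in (n for n in ast.walk(fn) if isinstance(n, ast.Call)):
            callee = _callee_name(call.func)
            if callee and ("." in callee or callee in functions or hasattr(builtins, callee)):
                graph[name].add(callee)
            else:
                dynamic.add(name)           # e.g. JOBS[name]() or handler(): target unknown statically
    entry_points = [name for name, fn in functions.items() if _is_entry_point(fn)]
    # Local functions referenced as values (dispatch tables, callbacks) rather than called directly.
    call_targets = {id(n.func) for n in ast.walk(tree) if isinstance(n, ast.Call)}
    value_refs = {n.id for n in ast.walk(tree)
                  if isinstance(n, ast.Name) and n.id in functions and id(n) not in call_targets}
    return graph, dynamic, entry_points, value_refs

def _path_to(graph, start, target):
    """BFS over the call graph; returns the chain start -> ... -> target, or None."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        for callee in graph.get(path[-1], ()):
            if callee == target:
                return path + [callee]
            if callee in graph and callee not in seen:
                seen.add(callee)
                queue.append(path + [callee])
    return None

def analyze(source):
    """Step 3: classify each dangerous sink present in the code (Unknown if parsing fails)."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return {"<module>": ("Unknown", None)}      # analysis could not complete
    graph, dynamic, entry_points, value_refs = build_call_graph(tree)
    confirmed = set(entry_points) | {f for f in graph if any(_path_to(graph, e, f) for e in entry_points)}
    # An unresolved call in confirmed-reachable code may invoke any function stored as a value,
    # so sinks below such functions are only potentially (not confirmed) reachable.
    potential = (value_refs | {f for f in graph if any(_path_to(graph, r, f) for r in value_refs)}
                 if confirmed & dynamic else set())
    results = {}
    for sink in sorted({c for callees in graph.values() for c in callees if c in DANGEROUS_SINKS}):
        path = next((p for p in (_path_to(graph, e, sink) for e in entry_points) if p), None)
        if path:
            results[sink] = ("Reachable", path)
        elif any(_path_to(graph, f, sink) for f in potential):
            results[sink] = ("Potentially Reachable", None)
        else:
            results[sink] = ("Unreachable", None)
    return results

if __name__ == "__main__":
    for sink, (status, path) in analyze(SAMPLE_SOURCE).items():
        print(f"{sink:16} {status:22} {' -> '.join(path) if path else '-'}")
```

Running the file prints one line per sink present in the sample: `pickle.loads` is Reachable via `upload_profile -> load_profile`, `subprocess.call` is Potentially Reachable because `run_job` dispatches through a table that holds `archive`, and `os.system` is Unreachable because `cleanup` has no caller. The design choice worth noting is the separate `dynamic` and `value_refs` sets: a static call graph alone would report `archive` as unreachable, which is the false negative the Potentially Reachable status exists to avoid.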
Supported Languages
CodeStax supports Python, JavaScript/TypeScript, Java, Go, Ruby, and more. Each language uses the analysis technique best suited to its ecosystem, ranging from full AST-based call-graph analysis to import tracing and function-call matching.
Reachability in Priority Scoring
Reachability is a significant factor in the overall vulnerability priority score. A critical-severity CVE that is unreachable will score lower than a high-severity CVE that sits directly in a hot execution path.
Attack Chain Detection
Beyond single-function reachability, CodeStax detects multi-step attack chains — sequences of reachable vulnerable functions that together enable a complete exploit. When an attack chain is detected, the vulnerability is automatically escalated in priority and flagged in the results table.
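The two preceding sections (reachability as a scoring factor, and attack-chain detection) as one added example. This is illustrative code written for this page, not CodeStax's scoring formula or chain detector: the call graph, the findings, the advisory ids (placeholders) and every weight are constructed assumptions. It enumerates execution paths from each entry point, flags any path that passes through two or more vulnerable functions as an attack chain, and computes a priority score as base severity scaled by an assumed reachability factor and bumped for chain membership. With these weights the unreachable critical finding lands below the reachable high one, which is the ordering the Priority Scoring section describes; the Unknown factor of 1.0 reflects the "no adjustment" rule for unsupported languages.

```python
from collections import deque

# Assumed weights; none of this is CodeStax's actual scoring.
SEVERITY_BASE = {"critical": 10.0, "high": 8.0, "medium": 5.0, "low": 2.0}
REACHABILITY_FACTOR = {"Reachable": 1.0, "Potentially Reachable": 0.75,
                       "Unreachable": 0.25, "Unknown": 1.0}   # Unknown: no adjustment applied
CHAIN_ESCALATION = 2.0     # added when a finding sits on a multi-step attack chain
MAX_SCORE = 10.0

# Constructed call graph (caller -> callees); the "dep." prefix marks dependency code.
CALL_GRAPH = {
    "http_upload": ["dep.parse_archive"],
    "dep.parse_archive": ["dep.extract_entry", "dep.log_entry"],
    "dep.extract_entry": ["dep.write_path"],
    "dep.write_path": [],
    "dep.log_entry": [],
    "cli_main": ["dep.render_template"],
    "dep.render_template": [],
    "dep.eval_expr": [],                 # vulnerable, but nothing calls it
}
ENTRY_POINTS = ["http_upload", "cli_main"]

# Constructed findings: vulnerable function -> (placeholder advisory id, severity).
FINDINGS = {
    "dep.extract_entry": ("ADVISORY-PLACEHOLDER-1", "high"),
    "dep.write_path": ("ADVISORY-PLACEHOLDER-2", "medium"),
    "dep.render_template": ("ADVISORY-PLACEHOLDER-3", "high"),
    "dep.eval_expr": ("ADVISORY-PLACEHOLDER-4", "critical"),
}


def simple_paths(graph, start):
    """Depth-first enumeration of every simple (cycle-free) path from start to a leaf."""
    stack = [[start]]
    while stack:
        path = stack.pop()
        nxt = [c for c in graph.get(path[-1], []) if c not in path]
        if not nxt:
            yield path
        stack.extend(path + [c] for c in nxt)


def find_attack_chains(graph, entry_points, findings):
    """Attack chain: one execution path that passes through two or more vulnerable functions."""
    chains = []
    for ep in entry_points:
        for path in simple_paths(graph, ep):
            on_path = [fn for fn in path if fn in findings]
            if len(on_path) >= 2 and on_path not in chains:
                chains.append(on_path)
    return chains


def reachable_functions(graph, entry_points):
    """BFS closure over the call graph from the entry points."""
    seen, queue = set(entry_points), deque(entry_points)
    while queue:
        for callee in graph.get(queue.popleft(), []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def priority_score(severity, status, on_chain):
    """Severity base scaled by reachability, escalated for chain membership, capped at MAX_SCORE."""
    score = SEVERITY_BASE[severity] * REACHABILITY_FACTOR[status]
    return min(score + (CHAIN_ESCALATION if on_chain else 0.0), MAX_SCORE)


def score_findings(graph, entry_points, findings):
    """Per-finding status, chain membership and score, plus the detected chains."""
    reachable = reachable_functions(graph, entry_points)
    chains = find_attack_chains(graph, entry_points, findings)
    in_chain = {fn for chain in chains for fn in chain}
    report = {}
    for fn, (advisory, severity) in findings.items():
        status = "Reachable" if fn in reachable else "Unreachable"
        report[fn] = {"advisory": advisory, "severity": severity, "status": status,
                      "attack_chain": fn in in_chain,
                      "score": priority_score(severity, status, fn in in_chain)}
    return report, chains


if __name__ == "__main__":
    report, chains = score_findings(CALL_GRAPH, ENTRY_POINTS, FINDINGS)
    for fn, r in sorted(report.items(), key=lambda kv: -kv[1]["score"]):
        print(f"{r['score']:5.2f} {r['severity']:8} {r['status']:11} chain={r['attack_chain']!s:5} {fn}")
    print("attack chains:", chains)
```

In the constructed graph the archive parser reaches `dep.extract_entry` and then `dep.write_path` on a single path, so those two findings are flagged as one chain and escalated; `dep.eval_expr` is critical but has no caller, so it scores below the reachable high-severity `dep.render_template`. Path enumeration is exponential in the worst case, which is why a real analyzer would bound depth or work on a reduced graph; the simple-path check here is enough to keep cycles from looping.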
Interpreting Results
PR review results include a reachability status for each finding:
- Reachable — A confirmed execution path exists from an entry point to the vulnerable code. Treat these with highest urgency.
- Potentially Reachable — An indirect or partial path was found but could not be fully confirmed. Review manually.
- Unreachable — No execution path was found. The risk is significantly reduced, though the dependency should still be updated when practical.
- Unknown — The language is not supported or analysis could not complete. No reachability adjustment is applied to the priority score.