What Is Reachability Analysis?
Reachability analysis determines whether a vulnerable piece of code can actually be reached and executed within an application. It answers a question a raw vulnerability list cannot: not just whether a vulnerable dependency is present, but whether the vulnerable function in it is ever called. Reachability is what separates a finding that needs a fix from one that is dormant, and it is one of the most effective ways to cut false positives in application security.
Static reachability vs runtime reachability
There are two ways to answer the reachability question. Static reachability infers it from source code and call graphs without running the application. It is useful but conservative, and it often produces reachable warnings it cannot confirm. Runtime reachability confirms it from real execution: it observes whether the vulnerable function is actually invoked when the application runs. Static analysis identifies possibility. Runtime reveals reality.
Why reachability reduces noise
Most flagged code is loaded but never run. A dependency can carry a critical CVE in a function your application never calls. Without reachability, that finding still lands on an engineer queue. With runtime reachability, it can be set aside in favor of issues that actually execute. This is why reachability is central to prioritization: it removes the largest source of non-actionable findings.
Function-level reachability
Reachability is most valuable at function level. Package-level reachability tells you a vulnerable library loads. Function-level reachability tells you the specific vulnerable function is invoked, which is the precise signal needed to confirm exploitability and to point developers at the exact code that matters.
Reachability and exploitability
Reachability is necessary but not always sufficient for exploitability. A vulnerability is reachable when its code executes, and exploitable when an attacker can actually trigger it. The strongest prioritization combines both: confirm the code runs, then assess whether it can be exploited in the live environment.
How Kodem does reachability analysis
Kodem validates reachability with runtime evidence. It correlates static SAST and SCA findings with what actually executes in production, confirming whether vulnerable code paths are reached before a finding is prioritized. That turns a long list of possible issues into a short list of confirmed, reachable ones.
Frequently asked questions
Is static reachability enough?
It is a useful first filter, but it is conservative and cannot confirm execution. Runtime reachability validates what static analysis can only estimate.
Does reachability replace severity scores?
No. It complements them. Severity measures theoretical impact; reachability measures whether the issue is live in your environment.
What is shadow code?
Code that is present but never executed. Reachability analysis is how you identify and de-prioritize it.
A Primer on Runtime Intelligence
See how Kodem's cutting-edge sensor technology revolutionizes application monitoring at the kernel level.
Platform Overview Video
Watch our short platform overview video to see how Kodem discovers real security risks in your code at runtime.
The State of the Application Security Workflow
This report aims to equip readers with actionable insights that can help future-proof their security programs. Kodem, the publisher of this report, purpose built a platform that bridges these gaps by unifying shift-left strategies with runtime monitoring and protection.
.avif)
Get real-time insights across the full stack…code, containers, OS, and memory
Watch how Kodem’s runtime security platform detects and blocks attacks before they cause damage. No guesswork. Just precise, automated protection.
