SiteShadow
Audit evidence · SOC 2 / ISO 27001 / CMMC

Security scanning built for the vibe-coding era.

SiteShadow is not an old SAST tool adapted to a new workflow. It was built from day one for vibe coders: developers using AI to move faster, explore more ideas, and ship real software with guardrails that keep pace.

< 300 ms per‑file scan, fast as your spell‑check Edge‑deployed WASM · no project build required

Proof-backed coverage

2,011 checks Public coverage summarized in the evidence pages.
190 CWE mappings Mapped across the detection credibility matrix.
Coverage and proofs Inspect the evidence before you request access.
SiteShadow scanning code paths across files

Scanner pipeline

One scanner, four paths

VS Code and Cursor, the customer-gated CLI, CI/SARIF jobs, and API clients all feed the same SiteShadow SAST core. The output changes by surface; the evidence model does not.
Editor scan ready: inline diagnostics will use the same shared SAST core.
Entry points
Shared SAST core

Static evidence pipeline

Single-file scans run the base rules plus tiered analysis. Project scans add cross-file, dependency, and workspace context before findings are merged and deduplicated.

VS Code / Cursor request active file, workspace context, editor diagnostics
Engine 01 2,011 checks

Regex rules

Loads static rule patterns, preserves line offsets, honors ignore directives, and returns direct evidence for secrets, unsafe imports, risky literals, and known weak primitives.

const token = "sk_live_redacted";
// siteshadow:ignore-next-line
const fixture = "fake_test_secret";
  • Rule ID, severity, source range, and message
  • Comment-aware matching without line drift
  • Evidence suitable for editor and CI output
Outputs
Editor feedback Line-level diagnostics and fix prompts
SARIF / JSON CI upload, PR comments, machine-readable gates
Evidence pages Coverage, proofs, credibility matrix, audit artifacts

SAST context only: findings are static evidence for review, not proof of runtime exploitability.

What regex scanners miss, SiteShadow catches

How it's different

Most SAST tools match text patterns. SiteShadow understands data flow.

AST-based taint tracking

Tree-sitter parses your code into an AST. Taint flows from sources (request.args, user input) through variables, function calls, and string operations to sinks (SQL, eval, exec). Sanitizers like int() and html.escape() break the chain.

Interprocedural analysis across functions

When get_input() returns tainted data and handle_request() passes it to SQL, SiteShadow follows the flow across function calls. Two-pass summary generation across Python, JavaScript, TypeScript, Java, C#, and Go.

Noise-aware sanitizer recognition

Parameterized queries, parseInt(), shlex.quote(), and DOMPurify.sanitize() are part of the documented sanitizer set SiteShadow uses to reduce avoidable SAST noise. See how data flow reduces SAST noise.

Taint tracking proof you can inspect.

SiteShadow publishes developer-readable proof pages for vulnerability patterns that simple pattern matching misses. Today: a multi-hop SQL injection example that follows user input across helper functions, a DOM-based XSS example showing why pattern-only SAST flags DOMPurify-wrapped code as a false positive, and a command-injection example showing why subprocess(shell=True) is the modern trap.

The public coverage is intentionally concrete: 2,011 checks, 190 CWE mappings, 31 heuristic checks, and 5 AI/LLM rule families.

Public coverage language is limited to current evidence and documented limitations.

Read the multi-hop SQLi proof Read the DOM-XSS / DOMPurify proof Read the command-injection proof See how data flow cuts noise

Everything you need to ship secure code

Features

Taint Tracking

WASM-powered dataflow analysis across Python, JavaScript/TypeScript, Java, C#, Go, Ruby, PHP, and PowerShell. Python and JavaScript ship explicit source/sink/sanitizer catalogs (50+ sources, 70+ sinks, 70+ sanitizer patterns), and other languages are covered by the rule-based detection layer. Sanitizer recognition reduces false positives; see /coverage for current detection gaps.

Fix Guidance

Editor diagnostics explain the safer pattern and, where a fix is deterministic, offer a code action. Examples include replacing weak hashes, avoiding shell invocation, and moving hardcoded secrets into environment-backed configuration.

GitHub Action

Add uses: siteshadow/scan@v1 to your workflow. SARIF upload to Code Scanning, PR comments with severity table, delta reporting against baseline.

Dependency Risk

Heuristics flag deserialization danger, pickle.loads, yaml.load without SafeLoader, eval of parsed JSON, and similar patterns that turn untrusted input into arbitrary code execution.

Secret Detection

Inline scan surfaces hard-coded credentials, API keys, JWT secrets, and connection strings as you type. Dedicated checks cover URL-embedded creds and config-file secrets across every supported language.

IaC Scanning

Dockerfile, Kubernetes YAML, and CI-pipeline rules detect privileged containers, root users, script injection, missing resource limits, and unsafe image pulls. IaC coverage is currently Partial, see /coverage for active gaps.

Custom Rules

Per-organization rule overrides, enable, disable, tune severity, or add brand-new pattern rules through the manifest system without waiting for an engine release.

Enterprise SSO

Okta and Azure AD single sign-on. Per-organization configuration with encrypted secrets. Break-glass emergency access.

Three ways to use SiteShadow

In your editor, VS Code / Cursor extension

Dashboard > Settings > Extension

Authenticated extension download, inline diagnostics, and fix guidance.

In your CI, GitHub Action

- uses: siteshadow/scan@v1 with: api-key: ${{ secrets.SITESHADOW_API_KEY }}

PR comments, SARIF upload, delta reporting.

For approved teams, customer-gated CLI scanner

Contact SiteShadow for CLI access

Guided onboarding for teams that need local and CI automation.

SiteShadow setup flow
2,011
Security Checks
10
Languages
190
CWEs Covered
0
Code Stored

Who uses SiteShadow?

The four roles where SiteShadow shows up most in early-access conversations, and what each one uses it for.

Security Engineers
Review SAST findings, tune policy thresholds, export evidence for compliance.
DevOps Teams
GitHub Action with SARIF, CI policy gates, fail-on-critical for PRs.
Full-stack Developers
Inline VS Code / Cursor diagnostics, fix guidance, free tier.
Auditors
SOC 2 and ISO 27001 mapping, plus CMMC-aligned evidence packs for SAST findings.

Audit evidence: SOC 2 Type II, ISO 27001, and CMMC

Static-analysis security testing is a named requirement in SOC 2 (CC7.1, CC8.1) and ISO 27001 (A.8.28, A.8.29), and supports the secure-development evidence CMMC teams need when preparing around NIST SP 800-171. SiteShadow packages that SAST evidence, in CI, on every commit. Coverage published here.

SOC 2 Type II (CC7.1, CC8.1)

SiteShadow generates the SAST artifacts SOC 2 examiners cite for system monitoring, vulnerability identification, and change management with security testing. Every scan is timestamped and exportable. See the control mapping.

ISO/IEC 27001:2022 (A.8.28, A.8.29)

SiteShadow covers secure-coding scanning and security-testing-in-development, in-product, on every commit. Annex A lists these as named controls; SAST is what they ask for, and SAST is what SiteShadow does.

CMMC-aligned evidence packs (NIST SP 800-171)

For teams preparing for CMMC, SiteShadow maps findings to NIST SP 800-171 families, exports monthly scan evidence, SARIF, adjudication records, and POA&M-ready unresolved items. It is evidence support for the program, not certification or a replacement for compliance work.

Scope on the page, not in a sales deck

190 CWE mappings, 10 OWASP Top 10 categories represented, ten languages, and 2,011 documented checks. Published with benchmark methodology and current limitations. Detection credibility matrix.

SiteShadow is the SAST inside your compliance program, not the program itself. SiteShadow does not write your policies, does not run your access reviews, and does not replace your GRC platform. SiteShadow is not a certification, not a SOC 2 or ISO 27001 attestation, and not a CMMC certification; it is SAST evidence that supports those compliance programs.

See the control mapping Talk to us about audit prep

Where SiteShadow is strongest

Editor workflow

SiteShadow brings interprocedural taint tracking, rule checks, and fix guidance into VS Code and Cursor so developers can triage findings while the code is still fresh.

Evidence-first coverage

The public coverage page lists the current check count, benchmark methodology, language boundaries, and known gaps instead of relying on broad coverage claims.

CI and audit output

Teams can use SARIF, PR comments, severity thresholds, and evidence exports to connect developer feedback with security review and audit workflows.

Stop guessing. Start tracing.

SiteShadow follows your data from input to output. When a flow is risky, it explains why; when sanitizer evidence is recognized, it reduces avoidable noise.

Request SiteShadow access

SiteShadow access is customer-gated while the CLI and install surfaces move through release review. Tell us your stack and we will reply with the right extension, API key, or onboarding path.