Security scanning built for the vibe-coding era.
SiteShadow is not an old SAST tool adapted to a new workflow. It was built from day one for vibe coders: developers using AI to move faster, explore more ideas, and ship real software with guardrails that keep pace.
< 300 ms per‑file scan, fast as your spell‑check Edge‑deployed WASM · no project build requiredProof-backed coverage
Scanner pipeline
One scanner, four paths
VS Code and Cursor, the customer-gated CLI, CI/SARIF jobs, and API clients all feed the same SiteShadow SAST core. The output changes by surface; the evidence model does not.Static evidence pipeline
Single-file scans run the base rules plus tiered analysis. Project scans add cross-file, dependency, and workspace context before findings are merged and deduplicated.
Regex rules
Loads static rule patterns, preserves line offsets, honors ignore directives, and returns direct evidence for secrets, unsafe imports, risky literals, and known weak primitives.
const token = "sk_live_redacted";
// siteshadow:ignore-next-line
const fixture = "fake_test_secret";
- Rule ID, severity, source range, and message
- Comment-aware matching without line drift
- Evidence suitable for editor and CI output
SAST context only: findings are static evidence for review, not proof of runtime exploitability.
What regex scanners miss, SiteShadow catches
How it's different
Most SAST tools match text patterns. SiteShadow understands data flow.
AST-based taint tracking
Tree-sitter parses your code into an AST. Taint flows from sources (request.args, user input) through variables, function calls, and string operations to sinks (SQL, eval, exec). Sanitizers like int() and html.escape() break the chain.
Interprocedural analysis across functions
When get_input() returns tainted data and handle_request() passes it to SQL, SiteShadow follows the flow across function calls. Two-pass summary generation across Python, JavaScript, TypeScript, Java, C#, and Go.
Noise-aware sanitizer recognition
Parameterized queries, parseInt(), shlex.quote(), and DOMPurify.sanitize() are part of the documented sanitizer set SiteShadow uses to reduce avoidable SAST noise. See how data flow reduces SAST noise.
Taint tracking proof you can inspect.
SiteShadow publishes developer-readable proof pages for vulnerability patterns that simple pattern matching misses. Today: a multi-hop SQL injection example that follows user input across helper functions, a DOM-based XSS example showing why pattern-only SAST flags DOMPurify-wrapped code as a false positive, and a command-injection example showing why subprocess(shell=True) is the modern trap.
The public coverage is intentionally concrete: 2,011 checks, 190 CWE mappings, 31 heuristic checks, and 5 AI/LLM rule families.
Public coverage language is limited to current evidence and documented limitations.
Everything you need to ship secure code
Features
Taint Tracking
WASM-powered dataflow analysis across Python, JavaScript/TypeScript, Java, C#, Go, Ruby, PHP, and PowerShell. Python and JavaScript ship explicit source/sink/sanitizer catalogs (50+ sources, 70+ sinks, 70+ sanitizer patterns), and other languages are covered by the rule-based detection layer. Sanitizer recognition reduces false positives; see /coverage for current detection gaps.
Fix Guidance
Editor diagnostics explain the safer pattern and, where a fix is deterministic, offer a code action. Examples include replacing weak hashes, avoiding shell invocation, and moving hardcoded secrets into environment-backed configuration.
GitHub Action
Add uses: siteshadow/scan@v1 to your workflow. SARIF upload to Code Scanning, PR comments with severity table, delta reporting against baseline.
Dependency Risk
Heuristics flag deserialization danger, pickle.loads, yaml.load without SafeLoader, eval of parsed JSON, and similar patterns that turn untrusted input into arbitrary code execution.
Secret Detection
Inline scan surfaces hard-coded credentials, API keys, JWT secrets, and connection strings as you type. Dedicated checks cover URL-embedded creds and config-file secrets across every supported language.
IaC Scanning
Dockerfile, Kubernetes YAML, and CI-pipeline rules detect privileged containers, root users, script injection, missing resource limits, and unsafe image pulls. IaC coverage is currently Partial, see /coverage for active gaps.
Custom Rules
Per-organization rule overrides, enable, disable, tune severity, or add brand-new pattern rules through the manifest system without waiting for an engine release.
Enterprise SSO
Okta and Azure AD single sign-on. Per-organization configuration with encrypted secrets. Break-glass emergency access.
Three ways to use SiteShadow
In your editor, VS Code / Cursor extension
Dashboard > Settings > ExtensionAuthenticated extension download, inline diagnostics, and fix guidance.
In your CI, GitHub Action
- uses: siteshadow/scan@v1
with:
api-key: ${{ secrets.SITESHADOW_API_KEY }}PR comments, SARIF upload, delta reporting.
For approved teams, customer-gated CLI scanner
Contact SiteShadow for CLI accessGuided onboarding for teams that need local and CI automation.
Who uses SiteShadow?
The four roles where SiteShadow shows up most in early-access conversations, and what each one uses it for.
Audit evidence: SOC 2 Type II, ISO 27001, and CMMC
Static-analysis security testing is a named requirement in SOC 2 (CC7.1, CC8.1) and ISO 27001 (A.8.28, A.8.29), and supports the secure-development evidence CMMC teams need when preparing around NIST SP 800-171. SiteShadow packages that SAST evidence, in CI, on every commit. Coverage published here.
SOC 2 Type II (CC7.1, CC8.1)
SiteShadow generates the SAST artifacts SOC 2 examiners cite for system monitoring, vulnerability identification, and change management with security testing. Every scan is timestamped and exportable. See the control mapping.
ISO/IEC 27001:2022 (A.8.28, A.8.29)
SiteShadow covers secure-coding scanning and security-testing-in-development, in-product, on every commit. Annex A lists these as named controls; SAST is what they ask for, and SAST is what SiteShadow does.
CMMC-aligned evidence packs (NIST SP 800-171)
For teams preparing for CMMC, SiteShadow maps findings to NIST SP 800-171 families, exports monthly scan evidence, SARIF, adjudication records, and POA&M-ready unresolved items. It is evidence support for the program, not certification or a replacement for compliance work.
Scope on the page, not in a sales deck
190 CWE mappings, 10 OWASP Top 10 categories represented, ten languages, and 2,011 documented checks. Published with benchmark methodology and current limitations. Detection credibility matrix.
SiteShadow is the SAST inside your compliance program, not the program itself. SiteShadow does not write your policies, does not run your access reviews, and does not replace your GRC platform. SiteShadow is not a certification, not a SOC 2 or ISO 27001 attestation, and not a CMMC certification; it is SAST evidence that supports those compliance programs.
Where SiteShadow is strongest
Editor workflow
SiteShadow brings interprocedural taint tracking, rule checks, and fix guidance into VS Code and Cursor so developers can triage findings while the code is still fresh.
Evidence-first coverage
The public coverage page lists the current check count, benchmark methodology, language boundaries, and known gaps instead of relying on broad coverage claims.
CI and audit output
Teams can use SARIF, PR comments, severity thresholds, and evidence exports to connect developer feedback with security review and audit workflows.
Stop guessing. Start tracing.
SiteShadow follows your data from input to output. When a flow is risky, it explains why; when sanitizer evidence is recognized, it reduces avoidable noise.
Request SiteShadow access
SiteShadow access is customer-gated while the CLI and install surfaces move through release review. Tell us your stack and we will reply with the right extension, API key, or onboarding path.