Find real vulnerabilities.
Fix them instantly.
SiteShadow traces tainted data across functions and files to find SQL injection, XSS, command injection, and SSRF that regex scanners miss. 2,000+ rules. Auto-fix in your editor. GitHub Action for CI.
Proof-backed coverage
What regex scanners miss, SiteShadow catches
How it's different
Most SAST tools match text patterns. SiteShadow understands data flow.
AST-based taint tracking
Tree-sitter parses your code into an AST. Taint flows from sources (request.args, user input) through variables, function calls, and string operations to sinks (SQL, eval, exec). Sanitizers like int() and html.escape() break the chain.
Interprocedural analysis across functions
When get_input() returns tainted data and handle_request() passes it to SQL, SiteShadow follows the flow across function calls. Two-pass summary generation across Python, JavaScript, TypeScript, Java, C#, and Go.
Low false positives on sanitized code
Parameterized queries, parseInt(), shlex.quote(), DOMPurify.sanitize() — SiteShadow recognizes 30+ sanitizer patterns and stays quiet when code is safe. See how data flow reduces SAST noise.
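The mechanism described in the three points above (source-to-sink propagation through variables and string building, sanitizers breaking the chain, and two-pass interprocedural summaries), shown as an added Python illustration that is not SiteShadow's engine: it uses Python's own ast module instead of Tree-sitter, and the source/sink/sanitizer catalog and the scanned sample are constructed for this example.

```python
import ast
SOURCES, SINKS = {"request.args.get"}, {"cursor.execute", "os.system", "eval"}
SANITIZERS = {"int", "html.escape", "shlex.quote"}  # constructed mini-catalog, not SiteShadow's
class Tainter(ast.NodeVisitor):
    """Taint propagation through assignments, calls and string building in one function."""
    def __init__(self, summaries):
        self.summaries = summaries  # callee name -> True if its return value is tainted
        self.tainted, self.findings, self.returns_taint = set(), [], False
    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            name = ast.unparse(node.func)  # 'request.args.get', 'int', 'get_input' (Py 3.9+)
            if name in SANITIZERS:         # int(), html.escape(): the chain is broken here
                return False
            if name in SOURCES or self.summaries.get(name):
                return True                # a direct source, or a callee known to return taint
            return any(self.is_tainted(a) for a in node.args)
        if isinstance(node, (ast.BinOp, ast.JoinedStr, ast.FormattedValue)):
            return any(self.is_tainted(c) for c in ast.iter_child_nodes(node))  # "..."+x, f"{x}"
        return False
    def visit_Assign(self, node):
        if self.is_tainted(node.value):
            self.tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
        self.generic_visit(node)
    def visit_Call(self, node):
        name = ast.unparse(node.func)
        if name in SINKS and any(self.is_tainted(a) for a in node.args):
            self.findings.append((name, node.lineno))
        self.generic_visit(node)
    def visit_Return(self, node):
        self.returns_taint |= self.is_tainted(node.value); self.generic_visit(node)
def analyze(source):
    """Pass 1 summarises which functions return taint; pass 2 rescans using those summaries."""
    funcs = [n for n in ast.parse(source).body if isinstance(n, ast.FunctionDef)]
    summaries, findings = {}, []
    for f in funcs:
        t = Tainter(summaries); t.visit(f); summaries[f.name] = t.returns_taint
    for f in funcs:
        t = Tainter(summaries); t.visit(f); findings += t.findings
    return findings

SAMPLE = '''def get_input(): return request.args.get("user")
def handle_request(cursor):
    user = get_input()                                      # tainted via get_input's summary
    cursor.execute(f"SELECT * FROM t WHERE name='{user}'")  # line 4: reported
def safe_request(cursor):
    uid = int(request.args.get("id"))                       # int() breaks the chain
    cursor.execute(f"SELECT * FROM t WHERE id={uid}")       # not reported
'''
```

Running analyze(SAMPLE) reports only the cursor.execute call on line 4 of the sample; the sanitized query in safe_request stays quiet.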
These counts come from controlled benchmark and release-gate evidence. Customer-code false-positive and false-negative rates require separate corpus measurement.
Inspect the evidence path: coverage and limitations, SAST false-positive reduction, and the multi-hop SQL injection proof.
Taint tracking proof you can inspect.
SiteShadow publishes developer-readable proof pages for vulnerability patterns that simple pattern matching misses, starting with a multi-hop SQL injection example that follows user input across helper functions.
The public coverage is intentionally concrete: 2,000+ checks, 190+ CWEs, 31 heuristic checks, and 5 AI/LLM rule families.
Public coverage language is limited to current evidence and documented limitations.
Everything you need to ship secure code
Features
Taint Tracking
WASM-powered dataflow analysis across Python, JavaScript/TypeScript, Java, C#, Go, Ruby, PHP, and PowerShell. Python and JavaScript ship explicit source/sink/sanitizer catalogs — 50+ sources, 70+ sinks, 70+ sanitizer patterns — and other languages are covered by the rule-based detection layer. Sanitizer recognition reduces false positives; see /coverage for current detection gaps.
Instant Fixes
One-click code actions in VS Code / Cursor. Replaces hashlib.md5 with sha256, os.system with subprocess.run, hardcoded secrets with os.environ.
GitHub Action
Add uses: siteshadow/scan@v1 to your workflow. SARIF upload to Code Scanning, PR comments with severity table, delta reporting against baseline.
Dependency Risk
Heuristics flag deserialization danger — pickle.loads, yaml.load without SafeLoader, eval of parsed JSON, and similar patterns that turn untrusted input into arbitrary code execution.
Secret Detection
Inline scan surfaces hard-coded credentials, API keys, JWT secrets, and connection strings as you type. Dedicated checks cover URL-embedded creds and config-file secrets across every supported language.
IaC Scanning
Dockerfile, Kubernetes YAML, and CI-pipeline rules detect privileged containers, root users, script injection, missing resource limits, and unsafe image pulls. IaC coverage is currently Partial — see /coverage for active gaps.
Custom Rules
Per-organization rule overrides — enable, disable, tune severity, or add brand-new pattern rules through the manifest system without waiting for an engine release.
Enterprise SSO
Okta and Azure AD single sign-on. Per-organization configuration with encrypted secrets. Break-glass emergency access.
Three ways to use SiteShadow
In your editor — VS Code / Cursor extension
cursor --install-extension siteshadow.vsix
Real-time scanning, inline diagnostics, one-click fixes.
In your CI — GitHub Action
- uses: siteshadow/scan@v1
  with:
    api-key: ${{ secrets.SITESHADOW_API_KEY }}
PR comments, SARIF upload, delta reporting.
For approved teams — customer-gated CLI scanner
Contact SiteShadow for CLI access
Guided onboarding for teams that need local and CI automation.
Who uses SiteShadow?
Audit-ready: SOC 2 Type II and ISO 27001
Static-analysis security testing is a named requirement in SOC 2 (CC7.1, CC8.1) and ISO 27001 (A.8.28, A.8.29). SiteShadow does that job, in CI, on every commit. Coverage published here.
SOC 2 Type II — CC7.1, CC8.1
SiteShadow generates the SAST artifacts SOC 2 examiners cite for system monitoring, vulnerability identification, and change management with security testing. Every scan is timestamped and exportable. See the control mapping.
ISO/IEC 27001:2022 — A.8.28, A.8.29
SiteShadow covers secure-coding scanning and security-testing-in-development, in-product, on every commit. Annex A lists these as named controls; SAST is what they ask for, and SAST is what SiteShadow does.
Scope on the page, not in a sales deck
190+ CWEs, 100% OWASP Top 10 2025 coverage, ten languages, 2,000+ checks. Published, benchmarked, reproducible. Detection credibility matrix.
SiteShadow is the SAST inside your compliance program, not the program itself. SiteShadow does not write your policies, does not run your access reviews, and does not replace your GRC platform. SiteShadow is not a certification and is not a SOC 2 or ISO 27001 attestation in itself; it is the SAST evidence those frameworks require.
SiteShadow vs. the competition
vs. Semgrep
Semgrep requires learning a custom rule DSL. SiteShadow works out of the box with 2,000+ rules, interprocedural taint tracking, and one-click fixes in your editor.
vs. Snyk Code
Snyk's auto-fix only handles dependency upgrades. SiteShadow generates actual code fixes: parameterized queries, safe API replacements, env var migrations.
vs. CodeQL
CodeQL requires a build step and takes minutes. SiteShadow analyzes in milliseconds with no build required. Full SARIF output for GitHub Code Scanning.
Stop guessing. Start tracing.
SiteShadow follows your data from input to output. If it's safe, we stay quiet. If it's not, we show you exactly why and how to fix it.
Request SiteShadow access
SiteShadow access is customer-gated while the CLI and install surfaces move through release review. Tell us your stack and we will reply with the right extension, API key, or onboarding path.