SiteShadow Blog
What scanners actually catch.
Deep dives on SAST blind spots, interprocedural taint analysis, false-positive calibration, and the categories of bugs scanners should — and currently don't — detect in real code. Each post links to the underlying proof or coverage evidence so you can verify the claim, not just read it.
The SQL injection path pattern-only scanners can miss
Your Flask app normalizes input in helpers. Your database call sits several functions away. If a scanner only matches local string-concatenation patterns, this is the path it can miss.
More posts are in the works. For technical evidence and active scanner gap disclosure, see Detection Coverage and the Proofs index.