SiteShadow

SiteShadow Blog

What scanners actually catch.

Deep dives on SAST blind spots, interprocedural taint analysis, false-positive calibration, and the categories of bugs scanners should, and currently don't, detect in real code. Each post links to the underlying proof or coverage evidence so you can verify the claim, not just read it.

Product update

Security feedback as fast as spellcheck

SiteShadow 0.6.0 brings realtime background scanning into Cursor and VS Code, with quiet editor diagnostics while deeper scans stay available for save, manual, and project workflows.

Read →

SQL injection

The SQL injection path pattern-only scanners can miss

Your Flask app normalizes input in helpers. Your database call sits several functions away. If a scanner only matches local string-concatenation patterns, this is the path it can miss.

Read →

More posts are in the works. For technical evidence and active scanner gap disclosure, see Detection Coverage and the Proofs index.