SiteShadow

Product update

Security feedback as fast as spellcheck

SiteShadow 0.6.0 adds realtime background scanning to the editor. As you write code, SiteShadow can refresh security diagnostics quietly in the background, without waiting for a manual scan or breaking your flow.

By Mireille Fontaine · May 31, 2026

Open SiteShadow Install the extension

Why this matters

Developers already trust their editor to catch syntax mistakes, type errors, and spelling problems before those issues become review noise. Security feedback deserves the same immediacy. If a risky pattern appears while a file is being edited, the best time to flag it is while the author still has the full context in their head.

That is the goal of SiteShadow's realtime scanner: bring serious, deterministic security signals into the normal writing loop, with diagnostics that update in the background instead of waiting for a separate ceremony.

Realtime does not mean every heavyweight engine path runs on every keystroke. It means the editor gets fast, quiet checks while deeper analysis stays available for save, manual, and project scans.

What changed in 0.6.0

The extension now listens for document edits and schedules a debounced scan of the active file. When the file changes again, stale work is ignored and the newest version wins. Empty, untitled, non-file, and oversized documents are skipped so the editor path stays practical.

On the API side, SiteShadow now understands an execution mode of realtime. That mode uses a realtime-safe policy: serious deterministic file checks can run in the background, while taint tracking, heuristic analysis, AI review, dependency work, and cross-file project behavior remain on the save, manual, or project paths.

Realtime background scan Save, manual, and project scans
Runs quietly after edits with a short debounce. Runs when the developer asks for the fuller scan path.
Focuses on deterministic critical and high severity file checks. Includes deeper engines such as taint, heuristics, AI, and project analysis.
Updates editor diagnostics without surfacing background errors as interruptions. Surfaces explicit scan results, summaries, and workflow feedback.

No new pack to maintain

One important design choice is invisible to most users but important for reliability: realtime scanning is an execution policy, not a second free or paid engine pack. Rule metadata decides what is safe for the realtime path, and existing free and paid entitlement rules still apply.

That keeps the product easier to reason about. The team can tune realtime eligibility as evidence comes in without asking customers, support, or engineering to track another package of rules by hand.

What you should expect

In supported Cursor and VS Code installs, SiteShadow can now behave more like spellcheck: present while you work, quiet unless it has something useful to say, and fast enough to belong in the editor rather than only in a later review step.

This is the first release of the realtime path. We will keep widening it only where latency, signal quality, and developer experience stay aligned. The standard is simple: background security feedback should help you keep writing better code, not make the editor feel busy.

Request access Back to blog