SiteShadow

Interactive demo

Walk the SiteShadow scanner pipeline.

Pick an entry point (VS Code, Cursor, the customer-gated CLI, CI/SARIF, or an API client) and step through the five static analysis engines that produce SiteShadow's evidence. Same SAST core for every surface; the output format is what changes.

This is the same scanner-pipeline view shown on the homepage. For the underlying evidence, see coverage, proofs, and the detection credibility matrix.

Scanner pipeline

One scanner, four paths

VS Code and Cursor, the customer-gated CLI, CI/SARIF jobs, and API clients all feed the same SiteShadow SAST core. The output changes by surface; the evidence model does not.
Editor scan ready: inline diagnostics will use the same shared SAST core.
Entry points
Shared SAST core

Static evidence pipeline

Single-file scans run the base rules plus tiered analysis. Project scans add cross-file, dependency, and workspace context before findings are merged and deduplicated.

VS Code / Cursor request active file, workspace context, editor diagnostics
Engine 01 2,011 checks

Regex rules

Loads static rule patterns, preserves line offsets, honors ignore directives, and returns direct evidence for secrets, unsafe imports, risky literals, and known weak primitives.

const token = "sk_live_redacted";
// siteshadow:ignore-next-line
const fixture = "fake_test_secret";
  • Rule ID, severity, source range, and message
  • Comment-aware matching without line drift
  • Evidence suitable for editor and CI output
Outputs
Editor feedback Line-level diagnostics and fix prompts
SARIF / JSON CI upload, PR comments, machine-readable gates
Evidence pages Coverage, proofs, credibility matrix, audit artifacts

SAST context only: findings are static evidence for review, not proof of runtime exploitability.

See the evidence behind the pipeline.

Walk specific proofs that show the SAST core doing real work: a multi-hop SQL injection traced across helper functions, and how data-flow context separates real findings from sanitized noise.

Request SiteShadow access

SiteShadow access is customer-gated while the CLI and install surfaces move through release review. Tell us your stack and we will reply with the right extension, API key, or onboarding path.