Interactive demo
Walk the SiteShadow scanner pipeline.
Pick an entry point (VS Code, Cursor, the customer-gated CLI, CI/SARIF, or an API client) and step through the five static analysis engines that produce SiteShadow's evidence. Same SAST core for every surface; the output format is what changes.
Scanner pipeline
One scanner, four paths
VS Code and Cursor, the customer-gated CLI, CI/SARIF jobs, and API clients all feed the same SiteShadow SAST core. The output changes by surface; the evidence model does not.Static evidence pipeline
Single-file scans run the base rules plus tiered analysis. Project scans add cross-file, dependency, and workspace context before findings are merged and deduplicated.
Regex rules
Loads static rule patterns, preserves line offsets, honors ignore directives, and returns direct evidence for secrets, unsafe imports, risky literals, and known weak primitives.
const token = "sk_live_redacted";
// siteshadow:ignore-next-line
const fixture = "fake_test_secret";
- Rule ID, severity, source range, and message
- Comment-aware matching without line drift
- Evidence suitable for editor and CI output
SAST context only: findings are static evidence for review, not proof of runtime exploitability.
See the evidence behind the pipeline.
Walk specific proofs that show the SAST core doing real work: a multi-hop SQL injection traced across helper functions, and how data-flow context separates real findings from sanitized noise.
Request SiteShadow access
SiteShadow access is customer-gated while the CLI and install surfaces move through release review. Tell us your stack and we will reply with the right extension, API key, or onboarding path.