SiteShadow

Detection evidence

SiteShadow Detection Credibility Matrix

This matrix tracks what SiteShadow can claim confidently, what the engine can currently prove through benchmark evidence, and which boundaries keep strong marketing copy honest.

Evidence owner: detection engineering Review: technical accuracy and product claims Last updated: 2026-06-25
2,011checks in public coverage
190CWE mappings
1,698OWASP benchmark cases
1,230OWASP Python benchmark cases
6,444Juliet cases
1,000MultiLang cases
305SecBench.js addressable CVE cases
100% recallcaught every planted vulnerability on the latest external-benchmark runs (0 FN); per-CWE discrimination is real, but these controlled-benchmark false positives are not a measured real-world precision rate

False-positive and false-negative rates below refer to the latest recorded controlled benchmark runs, not to a statistically significant customer-code corpus. Real-world corpus tracking is a required next evidence layer.

Vulnerability-Class Matrix

Class Languages Rule family Taint capability Benchmark status Known gaps FP rate FN rate
SQL injection Python, JavaScript, TypeScript, Java, C#, Go, Ruby, PHP; PowerShell where represented Source-to-sink taint, raw DB driver heuristics, injection rule family Source-to-sink dataflow, interprocedural summaries, cross-file project scan evidence Green OWASP, Juliet, MultiLang, language regression Real-world ORM-specific corpus and customer suppression telemetry still needed. 0% on latest controlled benchmark run 0% on latest controlled benchmark run
XSS JavaScript, TypeScript, Python, Java, C#, Ruby, PHP; Blazor rules DOM XSS, framework template checks, template autoescape rules, source-to-sink taint DOM sinks, template sinks, React/JSX special-case scanning, sanitizer recognition Green MultiLang, language regression, and rule benchmarks Needs public corpus evidence for framework-specific escaping and template edge cases. 0% on latest controlled benchmark run 0% on latest controlled benchmark run
Command injection Python, JavaScript, TypeScript, Java, C#, Go, Ruby, PHP, PowerShell Dangerous route-operation heuristics, subprocess-in-web-framework patterns, source-to-sink taint User-controlled command, shell, process, and eval-like sink tracking Green MultiLang, heuristics, AI-security flow tests, and SecBench.js represented package-CVE checks Need broader shell-argument sanitizer modeling across real projects. 0% on latest controlled benchmark run 0% on latest controlled benchmark run
SSRF Python, JavaScript, TypeScript, Java, C#, Go, Ruby, PHP, PowerShell where represented SSRF rule family, source-to-sink taint, AI-output HTTP client sinks User-controlled URL to HTTP clients, metadata endpoint patterns, AI-output-to-request flows Green MultiLang, language regression, and AI-security flow tests Need stronger validation modeling for allowlists, DNS rebinding defenses, and URL parser edge cases. 0% on latest controlled benchmark run 0% on latest controlled benchmark run
Secrets and credential exposure All scanned text/code/config languages CWE-798 patterns, credential-URL patterns, provider token signatures, config rules Primarily pattern and context-aware rules; cross-file duplicate secret detection Green regex benchmark Provider pattern drift requires continuous update cadence and sampled false-positive review. 0% on latest controlled benchmark run 0% on latest controlled benchmark run
Path traversal and file access Python, JavaScript, TypeScript, Java, C#, Go, Ruby, PHP, PowerShell Path-traversal rule family, source-to-sink taint, file-read/file-write AI security sinks User-controlled file path to read/write/open sinks with sanitizer and reassignment handling Green MultiLang, language regression, AI-security flow tests, and SecBench.js represented package-CVE checks Need more framework upload-storage fixtures and platform path-normalization evidence. 0% on latest controlled benchmark run 0% on latest controlled benchmark run
Auth, access control, and IDOR Python, JavaScript, TypeScript, Java, C#, Go; framework-dependent elsewhere Auth and access-control heuristics, OWASP Top 10 auth rule families, cross-file auth consistency Heuristic and cross-file analysis; taint supports data/object access paths where applicable Green heuristics benchmark Needs more real application route graphs and framework auth middleware corpora. 0% on latest controlled benchmark run 0% on latest controlled benchmark run
AI/LLM security flows Python, JavaScript, TypeScript, Java AI/LLM rule families, AI-output sink tracking LLM output as tainted source to tools, HTTP, browser automation, shell, storage, email, and chat sinks Green 324-test AI-security benchmark Needs continued sink-library expansion and public methodology page for AI-agent risk classes. 0% on latest controlled benchmark run 0% on latest controlled benchmark run
IaC, container, and configuration risk YAML, JSON, Dockerfile, Kubernetes manifests, Terraform patterns Kubernetes, Docker, and Terraform rule families plus container and config heuristics Pattern and structural config checks; not taint-led Covered rule benchmark coverage Needs separate IaC benchmark suite and cloud-provider-specific policy corpus. 0% where covered by current controlled rule tests Not fully measured as a separate IaC corpus

Language and Taint Matrix

Language Analyzer status Taint status Primary evidence Evidence boundary
PythonFullSource-to-sink taint + rulesOWASP, Juliet, MultiLang, heuristics, AI-securityFull for represented cases; framework-specific sanitizer coverage continues to expand.
JavaScriptFullSource-to-sink taint + rulesMultiLang, heuristics, AI-security, React XSS special cases, SecBench.js represented package-CVE checksFull for represented cases; JSX, template-parser, and additional upstream package-CVE classes continue to expand.
TypeScriptFullVia JavaScript analyzer + rulesAI-security and JS-family rule coverageFull through the JavaScript-family analyzer; deeper type-aware framework modeling is ongoing.
JavaFullSource-to-sink taint + rulesOWASP, Juliet, MultiLangFull for represented cases; large-framework route graph coverage continues to expand.
C#FullSource-to-sink taint + rulesJuliet, MultiLang, C#/Razor checksFull for represented cases; ASP.NET middleware and Razor fixture depth continue to expand.
GoFullSource-to-sink taint + rulesMultiLang and heuristic benchmark evidenceFull for represented cases; router and validation library models continue to expand.
RubyFullSource-to-sink taint + rulesLanguage regression evidence and Ruby analyzer evidenceFull for represented cases; Rails/Sinatra and customer-like corpus coverage continue to expand.
PHPFullSource-to-sink taint + rulesLanguage regression evidence and PHP analyzer evidenceFull for represented cases; Laravel/Symfony/WordPress and customer-like corpus coverage continue to expand.
PowerShellFullSource-to-sink taint + rulesLanguage regression evidence and PowerShell analyzer evidenceFull for represented cases; enterprise module and shell-argument sanitizer coverage continue to expand.
BlazorRulesC#/Razor-oriented rulesBlazor rule family and C# analyzer evidenceRules coverage today; dedicated Blazor benchmark pack is required before Full.

Evidence Sources and Governance

Detection evidence owner

The detection owner maintains the benchmark record, maps rule families to vulnerability classes, and opens false-positive or false-negative work when evidence changes.

Technical review

The technical reviewer validates taint, cross-file, analyzer, and benchmark claims before they are used as engineering evidence or release gates.

Product claim review

Product review keeps public positioning aligned to the evidence and marks unsupported claims as roadmap or known gaps.

Current evidence combines public benchmark suites, internal non-regression suites, release gate records, and live customer-facing limitations. The next credibility layers are external non-Java benchmark adapters and customer-like corpus telemetry with explicit false-positive and false-negative sampling.