Detection evidence owner
The detection owner maintains the benchmark record, maps rule families to vulnerability classes, and opens false-positive or false-negative work when evidence changes.
Detection evidence
This matrix tracks what SiteShadow can claim confidently, what the engine can currently prove through benchmark evidence, and which boundaries keep strong marketing copy honest.
False-positive and false-negative rates below refer to the latest recorded controlled benchmark runs, not to a statistically significant customer-code corpus. Real-world corpus tracking is a required next evidence layer.
| Class | Languages | Rule family | Taint capability | Benchmark status | Known gaps | FP rate | FN rate |
|---|---|---|---|---|---|---|---|
| SQL injection | Python, JavaScript, TypeScript, Java, C#, Go, Ruby, PHP; PowerShell where represented | Source-to-sink taint, raw DB driver heuristics, injection rule family | Source-to-sink dataflow, interprocedural summaries, cross-file project scan evidence | Green OWASP, Juliet, MultiLang, language regression | Real-world ORM-specific corpus and customer suppression telemetry still needed. | 0% on latest controlled benchmark run | 0% on latest controlled benchmark run |
| XSS | JavaScript, TypeScript, Python, Java, C#, Ruby, PHP; Blazor rules | DOM XSS, framework template checks, template autoescape rules, source-to-sink taint | DOM sinks, template sinks, React/JSX special-case scanning, sanitizer recognition | Green MultiLang, language regression, and rule benchmarks | Needs public corpus evidence for framework-specific escaping and template edge cases. | 0% on latest controlled benchmark run | 0% on latest controlled benchmark run |
| Command injection | Python, JavaScript, TypeScript, Java, C#, Go, Ruby, PHP, PowerShell | Dangerous route-operation heuristics, subprocess-in-web-framework patterns, source-to-sink taint | User-controlled command, shell, process, and eval-like sink tracking | Green MultiLang, heuristics, AI-security flow tests, and SecBench.js represented package-CVE checks | Need broader shell-argument sanitizer modeling across real projects. | 0% on latest controlled benchmark run | 0% on latest controlled benchmark run |
| SSRF | Python, JavaScript, TypeScript, Java, C#, Go, Ruby, PHP, PowerShell where represented | SSRF rule family, source-to-sink taint, AI-output HTTP client sinks | User-controlled URL to HTTP clients, metadata endpoint patterns, AI-output-to-request flows | Green MultiLang, language regression, and AI-security flow tests | Need stronger validation modeling for allowlists, DNS rebinding defenses, and URL parser edge cases. | 0% on latest controlled benchmark run | 0% on latest controlled benchmark run |
| Secrets and credential exposure | All scanned text/code/config languages | CWE-798 patterns, credential-URL patterns, provider token signatures, config rules | Primarily pattern and context-aware rules; cross-file duplicate secret detection | Green regex benchmark | Provider pattern drift requires continuous update cadence and sampled false-positive review. | 0% on latest controlled benchmark run | 0% on latest controlled benchmark run |
| Path traversal and file access | Python, JavaScript, TypeScript, Java, C#, Go, Ruby, PHP, PowerShell | Path-traversal rule family, source-to-sink taint, file-read/file-write AI security sinks | User-controlled file path to read/write/open sinks with sanitizer and reassignment handling | Green MultiLang, language regression, AI-security flow tests, and SecBench.js represented package-CVE checks | Need more framework upload-storage fixtures and platform path-normalization evidence. | 0% on latest controlled benchmark run | 0% on latest controlled benchmark run |
| Auth, access control, and IDOR | Python, JavaScript, TypeScript, Java, C#, Go; framework-dependent elsewhere | Auth and access-control heuristics, OWASP Top 10 auth rule families, cross-file auth consistency | Heuristic and cross-file analysis; taint supports data/object access paths where applicable | Green heuristics benchmark | Needs more real application route graphs and framework auth middleware corpora. | 0% on latest controlled benchmark run | 0% on latest controlled benchmark run |
| AI/LLM security flows | Python, JavaScript, TypeScript, Java | AI/LLM rule families, AI-output sink tracking | LLM output as tainted source to tools, HTTP, browser automation, shell, storage, email, and chat sinks | Green 324-test AI-security benchmark | Needs continued sink-library expansion and public methodology page for AI-agent risk classes. | 0% on latest controlled benchmark run | 0% on latest controlled benchmark run |
| IaC, container, and configuration risk | YAML, JSON, Dockerfile, Kubernetes manifests, Terraform patterns | Kubernetes, Docker, and Terraform rule families plus container and config heuristics | Pattern and structural config checks; not taint-led | Covered rule benchmark coverage | Needs separate IaC benchmark suite and cloud-provider-specific policy corpus. | 0% where covered by current controlled rule tests | Not fully measured as a separate IaC corpus |
| Language | Analyzer status | Taint status | Primary evidence | Evidence boundary |
|---|---|---|---|---|
| Python | Full | Source-to-sink taint + rules | OWASP, Juliet, MultiLang, heuristics, AI-security | Full for represented cases; framework-specific sanitizer coverage continues to expand. |
| JavaScript | Full | Source-to-sink taint + rules | MultiLang, heuristics, AI-security, React XSS special cases, SecBench.js represented package-CVE checks | Full for represented cases; JSX, template-parser, and additional upstream package-CVE classes continue to expand. |
| TypeScript | Full | Via JavaScript analyzer + rules | AI-security and JS-family rule coverage | Full through the JavaScript-family analyzer; deeper type-aware framework modeling is ongoing. |
| Java | Full | Source-to-sink taint + rules | OWASP, Juliet, MultiLang | Full for represented cases; large-framework route graph coverage continues to expand. |
| C# | Full | Source-to-sink taint + rules | Juliet, MultiLang, C#/Razor checks | Full for represented cases; ASP.NET middleware and Razor fixture depth continue to expand. |
| Go | Full | Source-to-sink taint + rules | MultiLang and heuristic benchmark evidence | Full for represented cases; router and validation library models continue to expand. |
| Ruby | Full | Source-to-sink taint + rules | Language regression evidence and Ruby analyzer evidence | Full for represented cases; Rails/Sinatra and customer-like corpus coverage continue to expand. |
| PHP | Full | Source-to-sink taint + rules | Language regression evidence and PHP analyzer evidence | Full for represented cases; Laravel/Symfony/WordPress and customer-like corpus coverage continue to expand. |
| PowerShell | Full | Source-to-sink taint + rules | Language regression evidence and PowerShell analyzer evidence | Full for represented cases; enterprise module and shell-argument sanitizer coverage continue to expand. |
| Blazor | Rules | C#/Razor-oriented rules | Blazor rule family and C# analyzer evidence | Rules coverage today; dedicated Blazor benchmark pack is required before Full. |
The detection owner maintains the benchmark record, maps rule families to vulnerability classes, and opens false-positive or false-negative work when evidence changes.
The technical reviewer validates taint, cross-file, analyzer, and benchmark claims before they are used as engineering evidence or release gates.
Product review keeps public positioning aligned to the evidence and marks unsupported claims as roadmap or known gaps.
Current evidence combines public benchmark suites, internal non-regression suites, release gate records, and live customer-facing limitations. The next credibility layers are external non-Java benchmark adapters and customer-like corpus telemetry with explicit false-positive and false-negative sampling.