# Detection evidence

This matrix tracks what SiteShadow claims, what the engine can currently prove through benchmark evidence, and what remains a known gap before a claim should be treated as production-grade.
False-positive and false-negative rates below refer to the latest recorded controlled benchmark runs, not to a statistically significant customer-code corpus. Real-world corpus tracking is a required next evidence layer.
| Class | Languages | Rule family | Taint capability | Benchmark status | Known gaps | FP rate | FN rate |
|---|---|---|---|---|---|---|---|
| SQL injection | Python, JavaScript, TypeScript, Java, C#, Go, Ruby, PHP; PowerShell where represented | H10 taint, H18 raw DB driver, A05 injection rules | Source-to-sink dataflow, interprocedural summaries, cross-file project scan evidence | Green OWASP, Juliet, MultiLang, language regression | Real-world ORM-specific corpus and customer suppression telemetry still needed. | 0% on latest controlled benchmark run | 0% on latest controlled benchmark run |
| XSS | JavaScript, TypeScript, Python, Java, C#, Ruby, PHP; Blazor rules | XSS-DOM, framework template checks, H09 template autoescape, H10 taint | DOM sinks, template sinks, React/JSX special-case scanning, sanitizer recognition | Green MultiLang, language regression, and rule benchmarks | Needs public corpus evidence for framework-specific escaping and template edge cases. | 0% on latest controlled benchmark run | 0% on latest controlled benchmark run |
| Command injection | Python, JavaScript, TypeScript, Java, C#, Go, Ruby, PHP, PowerShell | H03 dangerous route operation, H06 subprocess + web framework, H10 taint | User-controlled command, shell, process, and eval-like sink tracking | Green MultiLang, heuristics, AI-security flow tests | Need broader shell-argument sanitizer modeling across real projects. | 0% on latest controlled benchmark run | 0% on latest controlled benchmark run |
| SSRF | Python, JavaScript, TypeScript, Java, C#, Go, Ruby, PHP, PowerShell where represented | SS01, H10 taint, AI-flow HTTP client sinks | User-controlled URL to HTTP clients, metadata endpoint patterns, AI-output-to-request flows | Green MultiLang, language regression, and AI-security flow tests | Need stronger validation modeling for allowlists, DNS rebinding defenses, and URL parser edge cases. | 0% on latest controlled benchmark run | 0% on latest controlled benchmark run |
| Secrets and credential exposure | All scanned text/code/config languages | CWE-798, CRED-URL, provider token patterns, config rules | Primarily pattern and context-aware rules; cross-file duplicate secret detection | Green regex benchmark | Provider pattern drift requires continuous update cadence and sampled false-positive review. | 0% on latest controlled benchmark run | 0% on latest controlled benchmark run |
| Path traversal and file access | Python, JavaScript, TypeScript, Java, C#, Go, Ruby, PHP, PowerShell | P01, H10 taint, file-read/file-write AI security sinks | User-controlled file path to read/write/open sinks with sanitizer and reassignment handling | Green MultiLang, language regression, and AI-security flow tests | Need more framework upload-storage fixtures and platform path-normalization evidence. | 0% on latest controlled benchmark run | 0% on latest controlled benchmark run |
| Auth, access control, and IDOR | Python, JavaScript, TypeScript, Java, C#, Go; framework-dependent elsewhere | H01, H02, H22, A01/A07 rules, cross-file auth consistency | Heuristic and cross-file analysis; taint supports data/object access paths where applicable | Green heuristics benchmark | Needs more real application route graphs and framework auth middleware corpora. | 0% on latest controlled benchmark run | 0% on latest controlled benchmark run |
| AI/LLM security flows | Python, JavaScript, TypeScript, Java | AI/LLM rule families, AI-FLOW sinks | LLM output as tainted source to tools, HTTP, browser automation, shell, storage, email, and chat sinks | Green 324-test AI-security benchmark | Needs continued sink-library expansion and public methodology page for AI-agent risk classes. | 0% on latest controlled benchmark run | 0% on latest controlled benchmark run |
| IaC, container, and configuration risk | YAML, JSON, Dockerfile, Kubernetes manifests, Terraform patterns | K8S, DOCKER, TERRAFORM, H11-H14, H26, configuration rules | Pattern and structural config checks; not taint-led | Covered by rule benchmark | Needs separate IaC benchmark suite and cloud-provider-specific policy corpus. | 0% where covered by current controlled rule tests | Not fully measured as a separate IaC corpus |

Per-language analyzer and taint status:

| Language | Analyzer status | Taint status | Primary evidence | Evidence boundary |
|---|---|---|---|---|
| Python | Full | H10 taint + rules | OWASP, Juliet, MultiLang, heuristics, AI-security | Full for represented cases; framework-specific sanitizer coverage continues to expand. |
| JavaScript | Full | H10 taint + rules | MultiLang, heuristics, AI-security, React XSS special cases | Full for represented cases; JSX and template-parser edge cases continue to expand. |
| TypeScript | Full | Via JavaScript analyzer + rules | AI-security and JS-family rule coverage | Full through the JavaScript-family analyzer; deeper type-aware framework modeling is ongoing. |
| Java | Full | H10 taint + rules | OWASP, Juliet, MultiLang | Full for represented cases; large-framework route graph coverage continues to expand. |
| C# | Full | H10 taint + rules | Juliet, MultiLang, C#/Razor checks | Full for represented cases; ASP.NET middleware and Razor fixture depth continue to expand. |
| Go | Full | H10 taint + rules | MultiLang and heuristic benchmark evidence | Full for represented cases; router and validation library models continue to expand. |
| Ruby | Full | H10 taint + rules | Language regression evidence and Ruby analyzer evidence | Full for represented cases; Rails/Sinatra and customer-like corpus coverage continue to expand. |
| PHP | Full | H10 taint + rules | Language regression evidence and PHP analyzer evidence | Full for represented cases; Laravel/Symfony/WordPress and customer-like corpus coverage continue to expand. |
| PowerShell | Full | H10 taint + rules | Language regression evidence and PowerShell analyzer evidence | Full for represented cases; enterprise module and shell-argument sanitizer coverage continue to expand. |
| Blazor | Rules | C#/Razor-oriented rules | Blazor rule family and C# analyzer evidence | Rules coverage today; dedicated Blazor benchmark pack is required before Full. |
The detection owner maintains the benchmark record, maps rule families to vulnerability classes, and opens false-positive or false-negative work when evidence changes.
The technical reviewer validates taint, cross-file, analyzer, and benchmark claims before they are used as engineering evidence or release gates.
Product review keeps public positioning aligned to the evidence and marks unsupported claims as roadmap or known gaps.
Current evidence combines public benchmark suites, internal non-regression suites, release gate records, and live customer-facing limitations. The next credibility layers are external non-Java benchmark adapters and customer-like corpus telemetry with explicit false-positive and false-negative sampling.