SiteShadow

Evidence

The evidence behind SiteShadow.

Six routes into the same proof model: where SiteShadow scans, what it catches, what it suppresses, and what auditors get out the other end. Pick the one that matches what you need to verify before you ship or buy.

Or start with a guided path

Three common entry points by what you’re trying to verify. Each step opens the next page that builds on the last.

Taint tracing

See multi-hop SQL injection traced across helper functions.

The flow goes through three call sites and a string-format helper before reaching the sink. Real source code, real trace, real evidence.

Read the proof

Sanitizer recognition

See why pattern-only SAST flags DOMPurify as a false positive.

Same source, same sink, the difference is a DOMPurify call in the middle. SiteShadow recognizes sanitizer evidence on the safe version and still flags the unsafe one.

Read the proof

Command injection

See why subprocess(shell=True) is the modern trap.

Modern Python reaches for subprocess and trusts that it's safer than os.system. shell=True puts the bug right back. The fix is structural (args-list), not a wrapper.

Read the proof

False-positive reduction

See how data-flow context separates real findings from sanitized noise.

Recognized sanitizer patterns, parameterized queries, and explicit suppressions, why pattern-only SAST misses the difference and why taint tracing doesn't.

See the explainer

Coverage

Inspect coverage across languages, frameworks, and CWEs.

What SiteShadow detects, by language and by category, including the gaps. Published, benchmarked, reproducible.

Open the coverage page

Credibility matrix

Read the detection credibility matrix.

The methodology behind the coverage claims: what evidence each detection has, what benchmark it traces to, and where the known limitations sit.

Open the matrix

Rule library

Browse the rule library.

208 vulnerability-class pages with what to fix, why it matters, and example safer code. Searchable, linkable, dropped into any onboarding or runbook.

Open the library

Standards mapping

See SOC 2 and ISO 27001 mapping, plus CMMC-aligned evidence packs.

Which SAST controls SiteShadow's evidence covers (CC7.1, CC8.1, A.8.28, A.8.29), where CMMC preparation can use NIST SP 800-171 mapped scan artifacts, and the fineprint about what SAST is and isn't inside a compliance program.

Open standards mapping

Want to see the scanner produce all of this?

Walk the interactive scanner pipeline, pick an entry point, step through the five engines, and see the evidence each one produces.