Cursor developer worried about injection bugs
Evidence
The evidence behind SiteShadow.
Six routes into the same proof model: where SiteShadow scans, what it catches, what it suppresses, and what auditors get out the other end. Pick the one that matches what you need to verify before you ship or buy.
Or start with a guided path
Three common entry points by what you’re trying to verify. Each step opens the next page that builds on the last.
Security engineer evaluating SAST
Auditor mapping SAST to controls
Taint tracing
See multi-hop SQL injection traced across helper functions.
The flow goes through three call sites and a string-format helper before reaching the sink. Real source code, real trace, real evidence.
Read the proofSanitizer recognition
See why pattern-only SAST flags DOMPurify as a false positive.
Same source, same sink, the difference is a DOMPurify call in the middle. SiteShadow recognizes sanitizer evidence on the safe version and still flags the unsafe one.
Read the proofCommand injection
See why subprocess(shell=True) is the modern trap.
Modern Python reaches for subprocess and trusts that it's safer than os.system. shell=True puts the bug right back. The fix is structural (args-list), not a wrapper.
False-positive reduction
See how data-flow context separates real findings from sanitized noise.
Recognized sanitizer patterns, parameterized queries, and explicit suppressions, why pattern-only SAST misses the difference and why taint tracing doesn't.
See the explainerCoverage
Inspect coverage across languages, frameworks, and CWEs.
What SiteShadow detects, by language and by category, including the gaps. Published, benchmarked, reproducible.
Open the coverage pageCredibility matrix
Read the detection credibility matrix.
The methodology behind the coverage claims: what evidence each detection has, what benchmark it traces to, and where the known limitations sit.
Open the matrixRule library
Browse the rule library.
208 vulnerability-class pages with what to fix, why it matters, and example safer code. Searchable, linkable, dropped into any onboarding or runbook.
Open the libraryStandards mapping
See SOC 2 and ISO 27001 mapping, plus CMMC-aligned evidence packs.
Which SAST controls SiteShadow's evidence covers (CC7.1, CC8.1, A.8.28, A.8.29), where CMMC preparation can use NIST SP 800-171 mapped scan artifacts, and the fineprint about what SAST is and isn't inside a compliance program.
Open standards mappingWant to see the scanner produce all of this?
Walk the interactive scanner pipeline, pick an entry point, step through the five engines, and see the evidence each one produces.