Published proof
Why regex-based SAST misses multi-hop SQL injection
A source-to-sink walkthrough showing how user input can cross helper functions before it reaches a SQL query, and why pattern matching alone can miss the connected flow.
Proof pages
SiteShadow proof pages show the vulnerable flow first, then explain why taint tracking matters: sources, helper functions, sinks, and fixes in plain code.
Published proof
A source-to-sink walkthrough showing how user input can cross helper functions before it reaches a SQL query, and why pattern matching alone can miss the connected flow.
Published proof
The same source-and-sink pattern looks identical with or without a recognized sanitizer. See how SiteShadow recognizes DOMPurify-wrapped code while still flagging the unsanitized version, a practical false-positive reduction example.
Published proof
subprocess(shell=True) is the command-injection trap pattern-only SAST misses
Modern Python reaches for subprocess, safer with an args list,
dangerous as soon as shell=True turns it back into a shell-formed string.
See the trap, the structural fix (args-list, not a wrapper), and the
shlex.quote() sanitizer SiteShadow recognizes.
Coverage proof
A technical coverage page showing supported languages, vulnerability classes, benchmark methodology, current benchmark evidence, and limitations. This is the source a buyer should read before accepting any broad coverage claim.