SiteShadow

Find real vulnerabilities.
Fix them instantly.

SiteShadow traces tainted data across functions and files to find SQL injection, XSS, command injection, and SSRF that regex scanners miss. 2,000+ rules. Auto-fix in your editor. GitHub Action for CI.

SiteShadow Hero Concept

What regex scanners miss, SiteShadow catches

How it's different

Most SAST tools match text patterns. SiteShadow understands data flow.

AST-based taint tracking

Tree-sitter parses your code into an AST. Taint flows from sources (request.args, user input) through variables, function calls, and string operations to sinks (SQL, eval, exec). Sanitizers like int() and html.escape() break the chain. Which sanitizer counts depends on the sink: int() neutralizes a value bound for a SQL string, while html.escape() is a fix for HTML-body XSS and does nothing for a SQL or shell sink, so a taint engine has to model sanitizers per sink class rather than as a single "safe" flag.

Interprocedural analysis across functions

When get_input() returns tainted data and handle_request() passes it to SQL, SiteShadow follows the flow across function calls. Two-pass summary generation across Python, JavaScript, Go, Java, and C#.

Low false positives on sanitized code

Parameterized queries, parseInt(), shlex.quote(), DOMPurify.sanitize() — SiteShadow recognizes 30+ sanitizer patterns and stays quiet when code is safe.
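To make the three points above concrete (sources to sinks, interprocedural summaries, and staying quiet on sanitized or parameterized code), here is an added example of a miniature taint tracker. It is not SiteShadow's engine: it uses Python's standard-library ast module instead of tree-sitter, handles only Python, and its SOURCES, SINKS and SANITIZERS tables are an assumed subset chosen for the sample. The sample program it scans is constructed for this page.

```python
import ast

# Assumed subset of sources, sinks and sanitizers (SiteShadow's own lists are larger).
SOURCES = {"request.args.get", "request.form.get", "input"}
SINKS = {"cursor.execute": 0, "os.system": 0, "eval": 0}  # name -> index of the dangerous argument
SANITIZERS = {"int", "html.escape", "shlex.quote"}        # simplification: not tied to a sink class


def dotted(node):
    """Render a call target such as request.args.get as a dotted string (None if dynamic)."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class Tracker(ast.NodeVisitor):
    """Analyses one function; summaries maps callee name -> 'returns tainted data?'."""

    def __init__(self, summaries):
        self.summaries = summaries
        self.tainted = set()       # local names currently holding tainted data
        self.findings = []         # (line, sink) pairs where tainted data reaches a sink
        self.returns_taint = False

    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.JoinedStr):                     # f-string: any tainted part taints it
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        if isinstance(node, ast.BinOp):                         # "..." + x  or  "%s" % x
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.Call):
            name = dotted(node.func)
            if name in SANITIZERS:
                return False                                    # sanitizer breaks the chain
            if name in SOURCES or self.summaries.get(name):
                return True                                     # source, or callee known to return taint
            if isinstance(node.func, ast.Attribute) and self.is_tainted(node.func.value):
                return True                                     # method chain on tainted data, e.g. x.strip()
            return any(self.is_tainted(a) for a in node.args)   # unknown call: conservative pass-through
        return False

    def visit_Assign(self, node):
        self.generic_visit(node)                   # visit calls on the right-hand side (sink checks) first
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self.is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)  # reassignment with clean data untaints the name

    def visit_Call(self, node):
        name = dotted(node.func)
        if name in SINKS:
            idx = SINKS[name]
            if idx < len(node.args) and self.is_tainted(node.args[idx]):
                self.findings.append((node.lineno, name))
        self.generic_visit(node)

    def visit_Return(self, node):
        if node.value is not None and self.is_tainted(node.value):
            self.returns_taint = True
        self.generic_visit(node)


def analyze(source):
    """Pass 1 records which functions return tainted data; pass 2 reports flows using those summaries."""
    funcs = [n for n in ast.parse(source).body if isinstance(n, ast.FunctionDef)]
    summaries, findings = {}, []
    for _ in range(2):
        findings = []
        for func in funcs:
            tracker = Tracker(summaries)
            tracker.visit(func)
            summaries[func.name] = tracker.returns_taint
            findings.extend(tracker.findings)
    return findings


# Constructed sample, not real project code. handle_request() is defined before
# get_input(), so only the second pass knows that get_input() returns user data.
SAMPLE = '''
def handle_request(cursor):
    uid = get_input()
    cursor.execute(f"SELECT * FROM users WHERE id = {uid}")           # SQLi: tainted f-string
    cursor.execute("SELECT * FROM users WHERE id = ?", (uid,))        # safe: parameterized
    safe_id = int(get_input())
    cursor.execute("SELECT * FROM users WHERE id = " + str(safe_id))  # safe: int() sanitized

def get_input():
    return request.args.get("id").strip()

def ping():
    host = request.args.get("host")
    os.system("ping " + host)                 # command injection
    os.system("ping " + shlex.quote(host))    # safe: shlex.quote() sanitizes
'''

if __name__ == "__main__":
    for line, sink in analyze(SAMPLE):
        print(f"line {line}: tainted data reaches {sink}")   # lines 4 and 14
```

Two design points carry over to any real engine. The parameterized execute() is never reported because only the SQL-string argument is a sink; the tainted value travels in the parameter tuple, which the database driver binds separately. And a fixed two passes is enough for one level of caller-before-callee ordering, but a chain of three or more functions defined in reverse order needs the summary loop to run to a fixpoint, which is the usual trade-off between scan time and cross-file depth.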

SiteShadow analysis pipeline: code flows through five security layers — pattern rules, heuristic analysis, taint analysis, AI/LLM security, and cross-file analysis — producing merged findings

Accuracy you can verify.

The OWASP Benchmark is the most widely cited public test suite for SAST tools: 2,740 Java test cases across 11 CWE categories, split between real vulnerabilities and deliberately safe look-alikes, so it measures false positives as well as detection.

Our engine achieves a perfect score on it: a 100% true positive rate and a 0% false positive rate across the 7 CWE categories scored, outperforming every major enterprise SAST vendor on the benchmark, including Checkmarx, Fortify, Veracode, and graph-based ML tools like Qwiet AI. Because the benchmark is Java-only, this score exercises only the Java analyzer.

Most vendors won't publish their score. We will.

Everything you need to ship secure code

Features

🔍

Taint Tracking

WASM-powered dataflow analysis across Python, JavaScript, Go, Java, and C#. Traces user input from 60+ sources through variables, f-strings, and method chains to 50+ dangerous sinks. 26+ sanitizer patterns suppress findings on code that already neutralizes the input.

Instant Fixes

One-click code actions in VS Code / Cursor. Replaces hashlib.md5 with sha256, os.system with subprocess.run, hardcoded secrets with os.environ. Review each fix before accepting it: swapping md5 for sha256 changes the digest, so stored hashes or external checksums must be migrated with it, and a subprocess.run replacement only removes the injection if it passes an argument list and does not set shell=True.

🔗

GitHub Action

Add uses: siteshadow/scan@v1 to your workflow. SARIF upload to Code Scanning, PR comments with severity table, delta reporting against baseline.

📦

CVE Scanning

Checks requirements.txt and package.json against OSV.dev for known vulnerabilities. Shows CVE ID, CVSS score, and upgrade path.
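An added example (not SiteShadow's code) of the lookup the CVE scanner performs for Python dependencies: parse requirements.txt into exact pins, build the batch query OSV.dev accepts, and flatten the answer. build_queries() and summarize() run offline; query_osv() is the only network call and is not invoked on import. The endpoint and JSON shape are OSV's public querybatch API; the requirements file below is constructed for this page, and unpinned ranges are reported as skipped because a range has no single version to check.

```python
import json
import re
import urllib.request

PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")  # only exact pins are queryable


def build_queries(requirements_text):
    """Map each name==version line to an OSV query; lines without a pin are returned as skipped."""
    queries, skipped = [], []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("-"):         # blank lines and options such as -r / --index-url
            continue
        m = PIN.match(line)
        if not m:
            skipped.append(line)                     # e.g. Django>=3.2: nothing exact to look up
            continue
        name = m.group(1).lower().replace("_", "-")  # PyPI names are case-insensitive, _ and - equivalent
        queries.append({"package": {"name": name, "ecosystem": "PyPI"}, "version": m.group(2)})
    return queries, skipped


def query_osv(queries, timeout=10):
    """POST the batch to OSV; the response has one result object per query, in order.

    Batch results carry only vulnerability ids (and modified timestamps). CVSS and the first
    fixed version, i.e. the upgrade path, come from a follow-up GET /v1/vulns/<id> per finding.
    """
    req = urllib.request.Request(
        "https://api.osv.dev/v1/querybatch",
        data=json.dumps({"queries": queries}).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["results"]


def summarize(queries, results):
    """Flatten batch results to (package, version, vulnerability id) rows."""
    rows = []
    for q, r in zip(queries, results):
        for v in r.get("vulns", []):
            rows.append((q["package"]["name"], q["version"], v["id"]))
    return rows


# Constructed sample requirements file, not a real project.
SAMPLE_REQUIREMENTS = """# constructed sample
requests==2.19.0
PyYAML==5.3.1   # inline comment
Django>=3.2
-r other.txt
"""

if __name__ == "__main__":
    queries, skipped = build_queries(SAMPLE_REQUIREMENTS)
    print("skipped (no exact pin):", skipped)
    for pkg, ver, vuln_id in summarize(queries, query_osv(queries)):   # network call
        print(f"{pkg}=={ver}: {vuln_id}")
```

The same two-step shape applies to package.json, with one difference worth knowing: package.json holds semver ranges, so the exact versions to query live in the lockfile (package-lock.json or yarn.lock), not in the manifest.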

🔑

Git History Secrets

Scans the full git commit history for API keys, tokens, and passwords that were removed from the working tree but still exist in git objects. 15 secret patterns + entropy detection.
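An added example (not SiteShadow's scanner) of how the two detection methods above combine: fixed-format patterns catch well-known key shapes, and Shannon entropy catches opaque tokens that no pattern knows about. The three patterns here are an assumed subset, not the page's 15; scan_text() runs offline on a constructed sample blob, while scan_history() shells out to git and walks every blob reachable from any ref, so a secret deleted in a later commit is still found.

```python
import math
import re
import subprocess

# Assumed subset of fixed-format secret patterns (the page's own 15 are not listed).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Entropy candidates: a secret-ish name assigned a long token-like value.
CANDIDATE = re.compile(
    r"(?i)(?:secret|token|password|api[_-]?key)\s*[:=]\s*[\"']?([A-Za-z0-9+/=_\-]{20,})"
)
ENTROPY_THRESHOLD = 4.0   # bits per char: random base64 is close to 6, English prose 3 to 4


def shannon_entropy(s):
    """Shannon entropy (bits/char) of the string's empirical symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, origin="<text>"):
    """Pattern matches first, then entropy hits that no pattern already explained."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({"origin": origin, "line": lineno, "rule": rule, "match": m.group(0)})
        for m in CANDIDATE.finditer(line):
            value = m.group(1)
            explained = any(f["line"] == lineno and f["match"] in value for f in findings)
            if not explained and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append({"origin": origin, "line": lineno, "rule": "high_entropy", "match": value})
    return findings


def git(repo, *args):
    return subprocess.run(["git", "-C", repo, *args], capture_output=True, text=True,
                          errors="replace", check=True).stdout


def scan_history(repo="."):
    """Scan every blob reachable from any ref, including ones only old commits still point to.

    Blobs orphaned by a history rewrite and not yet garbage-collected are unreachable from refs;
    to cover them too, enumerate with `git cat-file --batch-all-objects --batch-check` instead.
    """
    findings = []
    for entry in git(repo, "rev-list", "--objects", "--all").splitlines():
        sha, _, path = entry.partition(" ")
        if git(repo, "cat-file", "-t", sha).strip() != "blob":
            continue
        findings.extend(scan_text(git(repo, "cat-file", "-p", sha), origin=f"{sha[:12]}:{path or '?'}"))
    return findings


# Constructed sample blob, not a real leak.
SAMPLE_BLOB = """# config.py
DB_PASSWORD = "hunter2"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
API_TOKEN = "k8Qz2xN7vB4mL9pW3rT6yU1sA5dF0gH2"
GITHUB_TOKEN = "ghp_aB3dE5fG7hI9jK1lM3nO5pQ7rS9tU1vW3xY5"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_BLOB, origin="sample"):
        print(f"{f['origin']}:{f['line']} {f['rule']}: {f['match']}")
```

The sample shows the blind spot of each method and why both are needed: the short password on line 2 has neither a recognisable shape nor enough characters for an entropy score, the AWS key is caught by shape alone, and the opaque API token on line 4 is caught only by entropy.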

🏗️

IaC Scanning

Terraform, CloudFormation, Docker, Kubernetes, Helm, and GitHub Actions rules. Detects privileged containers, open security groups, script injection (untrusted ${{ }} expressions expanded into run steps), and more.
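An added example, not taken from SiteShadow's rule set, of the GitHub Actions script injection such a rule flags, with the corrected step beside it. The workflow name, trigger and steps are assumed.

```yaml
name: triage
on:
  issues:
    types: [opened]
permissions:
  contents: read
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      # VULNERABLE: ${{ }} is expanded into the script text before the shell
      # runs it, so an issue titled  x"; id; #  turns the step into
      #   echo "New issue: x"; id; #"
      # and executes arbitrary commands on the runner.
      - run: echo "New issue: ${{ github.event.issue.title }}"

      # FIXED: route the untrusted value through an environment variable; the
      # shell expands "$TITLE" as data and never parses its contents.
      - env:
          TITLE: ${{ github.event.issue.title }}
        run: echo "New issue: $TITLE"
```

The same rule applies to every attacker-controlled event field (pull request titles and bodies, branch names, commit messages, review comments): read it from an env var or a step input, never inline it into run:.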

📝

Custom Rules (YAML)

Define your own taint sources, sinks, and sanitizers in YAML. Extend the engine for internal APIs without writing code.

🔐

Enterprise SSO

Okta and Azure AD single sign-on. Per-organization configuration with encrypted secrets. Break-glass emergency access.

Three ways to use SiteShadow

In your editor — VS Code / Cursor extension

cursor --install-extension siteshadow.vsix

Real-time scanning, inline diagnostics, one-click fixes.

In your CI — GitHub Action

- uses: siteshadow/scan@v1
  with:
    api-key: ${{ secrets.SITESHADOW_API_KEY }}

PR comments, SARIF upload, delta reporting.
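A complete workflow around that step, as an added example rather than a file shipped with SiteShadow. Only uses: siteshadow/scan@v1 and the api-key input come from the page; the triggers, permissions, checkout settings and job layout are assumptions, chosen to give the step what SARIF upload and PR comments need and nothing more.

```yaml
name: siteshadow
on:
  push:
    branches: [main]
  pull_request:

# Least privilege for the job's GITHUB_TOKEN (assumed to be what the action uses).
permissions:
  contents: read
  security-events: write   # required to upload SARIF to Code Scanning
  pull-requests: write     # required to post the severity table as a PR comment

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0     # full history, so a baseline commit is available to diff against
      - uses: siteshadow/scan@v1
        with:
          api-key: ${{ secrets.SITESHADOW_API_KEY }}
```

For production pipelines, pin third-party actions to a full commit SHA instead of a floating tag such as @v1, so that a moved or compromised tag cannot change what runs with your secrets.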

On the command line — CLI scanner

python scan_cli.py ./src --format sarif --auto-fix-dry-run

Scan directories, generate SARIF, preview auto-fixes.

SiteShadow Setup

2,033+ Security Rules
8 Languages
209+ Automated Tests
0 Code Stored

Who uses SiteShadow?

37% Security Engineers
25% DevOps Teams
29% Full-stack Developers
9% Auditors

Community coming soon

Stay tuned

SiteShadow vs. the competition

vs. Semgrep

Writing your own Semgrep rules means learning its pattern DSL. SiteShadow works out of the box with 2,000+ rules, interprocedural taint tracking, and one-click fixes in your editor.

vs. Snyk Code

Snyk's auto-fix only handles dependency upgrades. SiteShadow generates actual code fixes: parameterized queries, safe API replacements, env var migrations.

vs. CodeQL

CodeQL has to build a database first (a full compile for compiled languages) and a scan takes minutes. SiteShadow analyzes in milliseconds with no build required. Full SARIF output for GitHub Code Scanning.

Stop guessing. Start tracing.

SiteShadow follows your data from input to output. If it's safe, we stay quiet. If it's not, we show you exactly why and how to fix it.

Start scanning your code today

Free tier available. No credit card required. Install the extension, get an API key, and start finding real vulnerabilities in minutes.