What we scan

Exactly which vulnerability categories ShadowOps checks — and which ones it doesn't. Every scan report includes this list so you always know what was and wasn't covered.

What we check

Category                          Confidence
Secrets & API keys                High
Broken authentication             High
SQL injection                     High
Cross-site scripting (XSS)        Medium
CORS misconfiguration             High
Sensitive data exposure           Medium
Cryptography weaknesses           High
SSRF                              Medium
Dependency vulnerabilities        High

Confidence tiers:

High: Pattern reliably indicates a real vulnerability in AI-generated code.
Medium: Pattern is suspicious but may be a false positive in some contexts.
Low: Worth investigating but treat as a hint, not a confirmed finding.

What we don't check

“No findings” means we didn't detect anything in the areas above — not that your app has no vulnerabilities. The areas below require dynamic analysis, manual review, or infrastructure access that a static scanner can't provide.

  • Business logic vulnerabilities
  • Runtime behaviour and race conditions
  • Infrastructure & cloud misconfiguration (IAM, S3 policies)
  • Network-level vulnerabilities
  • Client-side JavaScript execution context
  • Mobile application security
  • Authentication flows that require live execution
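To make the two lists above concrete, here is a small pattern-based static scanner written for this page as an illustration. It is not ShadowOps' code and its regexes are assumptions, not the product's rulesets: each rule is a regex tied to one of the categories in the first table and to a confidence tier, and the sample sources are constructed. The last line of the JavaScript sample is a price-tampering logic flaw that no line pattern can see, which is exactly why "no findings" in the covered areas is not "no vulnerabilities".

```python
"""Toy pattern-based static scanner (illustrative; not ShadowOps' own rules)."""
import re
from dataclasses import dataclass

CONFIDENCE_RANK = {"High": 3, "Medium": 2, "Low": 1}


@dataclass(frozen=True)
class Rule:
    category: str
    confidence: str          # "High", "Medium" or "Low"
    pattern: re.Pattern


@dataclass(frozen=True)
class Finding:
    category: str
    confidence: str
    line_no: int
    line: str


# Assumed rules for a few of the categories on this page.
RULES = [
    # A secret-looking name assigned a long literal: reliable, so High.
    Rule("Secrets & API keys", "High",
         re.compile(r'(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*["\'][A-Za-z0-9_\-]{16,}["\']')),
    # A SQL keyword inside a string literal that is then concatenated with '+'.
    Rule("SQL injection", "High",
         re.compile(r'(?i)["\'][^"\']*\b(select|insert|update|delete)\b[^"\']*["\']\s*\+')),
    # A Python f-string carrying a SQL keyword and an interpolation.
    Rule("SQL injection", "High",
         re.compile(r'(?i)\bf["\'][^"\']*\b(select|insert|update|delete)\b[^"\']*\{')),
    # innerHTML assignment: the value may be sanitised elsewhere, so only Medium.
    Rule("Cross-site scripting (XSS)", "Medium",
         re.compile(r'\.innerHTML\s*=')),
]

# Areas a line-oriented pattern scanner cannot reach (the list from this page).
NOT_COVERED = (
    "Business logic vulnerabilities",
    "Runtime behaviour and race conditions",
    "Infrastructure & cloud misconfiguration (IAM, S3 policies)",
    "Network-level vulnerabilities",
    "Client-side JavaScript execution context",
    "Mobile application security",
    "Authentication flows that require live execution",
)


def scan(source: str, rules=RULES, min_confidence: str = "Low") -> list:
    """Run every rule over every line; keep findings at or above min_confidence."""
    threshold = CONFIDENCE_RANK[min_confidence]
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for rule in rules:
            if CONFIDENCE_RANK[rule.confidence] >= threshold and rule.pattern.search(line):
                findings.append(Finding(rule.category, rule.confidence, line_no, line.strip()))
    return findings


def report(source: str, rules=RULES) -> dict:
    """Findings plus the coverage statement that every report should carry."""
    findings = scan(source, rules)
    return {
        "findings": findings,
        "covered": sorted({r.category for r in rules}),
        "not_covered": list(NOT_COVERED),
        # True means "nothing matched in the covered areas", never "no vulnerabilities".
        "clean_in_covered_areas": not findings,
    }


# Constructed sample input; the final statement is a logic flaw invisible to every rule.
SAMPLE_JS = """\
const API_KEY = "sk_live_0123456789abcdef0123";
const dbPassword = process.env.DB_PASSWORD;
app.get("/user/:id", (req, res) => {
  db.query("SELECT * FROM users WHERE id = " + req.params.id);
  db.query("SELECT * FROM users WHERE id = ?", [req.params.id]);
  out.innerHTML = req.query.q;
  const total = req.body.price * req.body.qty;
});
"""

SAMPLE_PY = """\
def get_user(conn, user_id):
    cur = conn.cursor()
    cur.execute(f"SELECT * FROM users WHERE id = {user_id}")
    return cur.fetchone()
"""

if __name__ == "__main__":
    for name, src in (("sample.js", SAMPLE_JS), ("sample.py", SAMPLE_PY)):
        r = report(src)
        print(f"== {name}: {len(r['findings'])} finding(s)")
        for f in r["findings"]:
            print(f"  [{f.confidence}] {f.category} at line {f.line_no}: {f.line}")
        print("  not covered:", ", ".join(r["not_covered"]))
```

Running it reports the hardcoded key, the concatenated query and the innerHTML sink for the JavaScript sample and the f-string query for the Python sample; the parameterised query, the environment-variable password and the trusted client-supplied price produce nothing. Filtering with `min_confidence="High"` drops the XSS hint, which is how the tiers are meant to be used in triage.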

Supported languages

JavaScript, TypeScript, Python, HTML, CSS, JSON / YAML config

Want broader coverage?

Join the Pro waitlist at shadowops.in/#notify — Pro will add deeper Semgrep rulesets, dependency CVE matching, and infrastructure-as-code scanning.