What we scan
Exactly which vulnerability categories ShadowOps checks — and which ones it doesn't. Every scan report includes this list so you always know what was and wasn't covered.
What we check
| Category | Confidence |
|---|---|
| Secrets & API keys | High |
| Broken authentication | High |
| SQL injection | High |
| Cross-site scripting (XSS) | Medium |
| CORS misconfiguration | High |
| Sensitive data exposure | Medium |
| Cryptography weaknesses | High |
| SSRF | Medium |
| Dependency vulnerabilities | High |
Confidence tiers:
- High: Pattern reliably indicates a real vulnerability in AI-generated code.
- Medium: Pattern is suspicious but may be a false positive in some contexts.
- Low: Worth investigating but treat as a hint, not a confirmed finding.
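To make the confidence tiers concrete, here is a small pattern-based scanner added as an illustration; it is not ShadowOps's own rule set or code. It carries two constructed rules: a High-confidence rule for an AWS access key ID (a fixed, distinctive shape) and a Medium-confidence rule for a query string built with `+` or an f-string and passed to `execute(`. Run over a constructed sample, it shows why the second rule cannot be High: it flags a genuine injection and also a line whose concatenated pieces are all constants.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Illustrative rules modelled on the confidence tiers described above.
# They are constructed for this example and are NOT ShadowOps's rules.
@dataclass(frozen=True)
class Rule:
    rule_id: str
    category: str
    confidence: str  # "High", "Medium" or "Low"
    pattern: re.Pattern

RULES = [
    # An AWS access key ID has a fixed, distinctive shape ("AKIA" plus 16
    # upper-case alphanumerics), so a match is rarely anything other than a
    # real credential: High confidence.
    Rule("secret-aws-access-key", "Secrets & API keys", "High",
         re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # A query string built with '+' or an f-string and handed straight to
    # execute() looks like SQL injection, but the concatenated pieces may all
    # be constants, so this pattern can only be Medium confidence.
    Rule("sqli-string-built-query", "SQL injection", "Medium",
         re.compile(r"""execute\(\s*(?:f["']|"[^"]*"\s*\+|'[^']*'\s*\+)""")),
]

@dataclass(frozen=True)
class Finding:
    line: int
    rule_id: str
    category: str
    confidence: str
    text: str

def scan(source: str) -> list[Finding]:
    """Run every rule over every line of source; return findings in file order."""
    findings: list[Finding] = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for rule in RULES:
            if rule.pattern.search(text):
                findings.append(Finding(lineno, rule.rule_id, rule.category,
                                        rule.confidence, text.strip()))
    return findings

def count_by_confidence(findings: list[Finding]) -> dict[str, int]:
    """Tally findings per confidence tier, e.g. {"High": 1, "Medium": 2}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.confidence] = counts.get(f.confidence, 0) + 1
    return counts

# Constructed sample source. Line 1 uses AWS's documented placeholder key
# value; line 2 is a genuine injection (request input concatenated into SQL);
# line 3 is a false positive for the Medium rule (both pieces are constants);
# line 4 is a parameterised query and should produce no finding.
SAMPLE = '''\
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
cur.execute("SELECT * FROM users WHERE name = '" + request.args["name"] + "'")
cur.execute("SELECT * FROM " + "audit_log")
cur.execute("SELECT * FROM users WHERE id = %s", (user_id,))
'''

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line}: [{f.confidence}] {f.category} ({f.rule_id}): {f.text}")
    print(count_by_confidence(scan(SAMPLE)))
```

The Medium finding on line 3 is exactly the "suspicious but may be a false positive in some contexts" case: the pattern cannot tell a constant from attacker-controlled input, so a reviewer still has to look at where each concatenated piece comes from. Line 4 shows the shape a fix normally takes (parameters passed separately from the query text), which neither rule flags.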
What we don't check
“No findings” means we didn't detect anything in the areas above — not that your app has no vulnerabilities. The areas below require dynamic analysis, manual review, or infrastructure access that a static scanner can't provide.
- Business logic vulnerabilities
- Runtime behaviour and race conditions
- Infrastructure & cloud misconfiguration (IAM, S3 policies)
- Network-level vulnerabilities
- Client-side JavaScript execution context
- Mobile application security
- Authentication flows that require live execution
Supported languages
JavaScript, TypeScript, Python, HTML, CSS, JSON / YAML config
Want broader coverage?
Join the Pro waitlist at shadowops.in/#notify — Pro will add deeper Semgrep rulesets, dependency CVE matching, and infrastructure-as-code scanning.