Frequently asked questions

Common questions about code storage, accuracy, pricing, and privacy.

Is my code stored on your servers?

Not in any lasting way. When you submit a repo, we clone it into an isolated, ephemeral sandbox, run the scan, and delete the clone immediately when it's done. The only things we keep are the findings — the specific lines and snippets that triggered a rule — stored encrypted in your account.

We don't keep a copy of your full codebase. Read the full details in our Privacy Policy →

What languages does ShadowOps support?

Our rules are tuned for the languages that AI code generators most commonly produce: JavaScript, TypeScript, Python, and common web-stack patterns (Express, FastAPI, Flask, Next.js, etc.). Dependency audits work for any project with a package.json or requirements.txt.

Some rules apply across languages (hardcoded secrets, insecure patterns); others are language-specific. Every scan report tells you exactly which files were checked and which rules ran.

How accurate is it? What if it misses something?

Honestly: it's a first-pass scanner, not a comprehensive security audit.

We're tuned for patterns that AI code generators reliably produce — hardcoded secrets, raw SQL queries, wildcard CORS, weak JWT config, and so on. We catch those well. We're less thorough on business-logic flaws, runtime behaviour, and infrastructure configuration.

This is why every scan report includes a coverage note — a plain list of what we checked and what we didn't. “No findings” doesn't mean “no vulnerabilities.” It means we didn't find anything in the areas we specifically looked for. See full coverage →
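To make the "first-pass pattern scanner with a coverage note" idea concrete, here is a small added example, written for this page and not ShadowOps' own rule engine: three constructed regex rules (hardcoded secret, wildcard CORS, raw SQL via f-string) run over constructed sample files, producing findings with exact file and line references, a green/yellow/red verdict, and a coverage block that names which rules ran per file and which areas were not checked. The rule names, sample code and the placeholder key value are all made up for the illustration.

```python
import os
import re
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass
class Rule:
    rule_id: str
    category: str
    severity: str
    pattern: "re.Pattern"
    languages: Optional[frozenset]  # file extensions the rule applies to; None = all
    explanation: str


# Constructed, deliberately narrow rule set (not the product's rules).
RULES = [
    Rule("hardcoded-secret", "secrets", "high",
         re.compile(r"""(?i)\b(api[_-]?key|secret|password|token)\s*[:=]\s*['"][^'"]{8,}['"]"""),
         None,
         "A credential is written directly in source. Rotate it and load it from the environment."),
    Rule("wildcard-cors", "cors", "medium",
         re.compile(r"""(?i)(origin\s*[:=]\s*['"]\*['"]|Access-Control-Allow-Origin['"]?\s*[,:]\s*['"]\*['"])"""),
         None,
         "Any website may call this API from a browser. Restrict origins to the ones you actually serve."),
    Rule("raw-sql-fstring", "injection", "high",
         re.compile(r"""(?i)f['"][^'"]*\b(select|insert|update|delete)\b[^'"]*\{"""),
         frozenset({".py"}),
         "User input is interpolated into SQL text. Use parameterised queries instead."),
]

# Constructed sample repo: two small files with three planted issues and two clean lines.
SAMPLE_FILES = {
    "app.py": [
        "import os",
        'API_KEY = "sk_live_0123456789abcdef"',  # placeholder value, not a real key
        "def get_user(db, user_id):",
        '    return db.execute(f"SELECT * FROM users WHERE id = {user_id}")',
        'secret = os.environ["APP_SECRET"]',  # clean: read from the environment
    ],
    "server.js": [
        "const express = require('express');",
        "app.use(cors({ origin: '*' }));",
        "const token = process.env.TOKEN;",  # clean
    ],
}

NOT_CHECKED = ["business-logic flaws", "runtime behaviour", "infrastructure configuration"]


@dataclass
class Finding:
    file: str
    line: int
    rule_id: str
    category: str
    severity: str
    snippet: str  # truncated so the stored evidence stays small
    explanation: str


def scan(files):
    """Run every applicable rule over every line; return (findings, rules_ran_per_file)."""
    findings, coverage = [], {}
    for path, lines in files.items():
        ext = os.path.splitext(path)[1]
        ran = []
        for rule in RULES:
            if rule.languages is not None and ext not in rule.languages:
                continue  # language-specific rule, not applicable to this file
            ran.append(rule.rule_id)
            for lineno, text in enumerate(lines, start=1):
                if rule.pattern.search(text):
                    findings.append(Finding(path, lineno, rule.rule_id, rule.category,
                                            rule.severity, text.strip()[:500], rule.explanation))
        coverage[path] = ran
    return findings, coverage


def verdict(findings):
    """Red if any high-severity finding, yellow if any medium, otherwise green."""
    severities = {f.severity for f in findings}
    if "high" in severities:
        return "red"
    if "medium" in severities:
        return "yellow"
    return "green"


def report(files):
    """JSON-style report: verdict, findings, and an explicit coverage note."""
    findings, coverage = scan(files)
    return {
        "verdict": verdict(findings),
        "findings": [asdict(f) for f in findings],
        "coverage": {
            "files_checked": sorted(files),
            "rules_ran": coverage,
            "not_checked": NOT_CHECKED,
        },
    }


if __name__ == "__main__":
    import json
    print(json.dumps(report(SAMPLE_FILES), indent=2))
```

The point of the `coverage` block is the one the answer above makes: a report with zero findings for `server.js` would still show that only two of the three rules ran there, and that business logic and infrastructure were never examined, so "no findings" is read as "nothing in the checked areas" rather than "nothing wrong".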

Is it free? What's in Pro?

Free
  • Unlimited scans
  • Full findings with plain-English explanations
  • Exact file and line references
  • Score and verdict (green / yellow / red)
  • JSON output for CI integration
Pro (coming soon)
  • Auto-scan on every deploy
  • Unlimited connected repos
  • LLM-powered fix suggestions
  • Client-ready pentest report (PDF / Markdown)
  • Scan history and trends
  • Team seats

Do I need to install anything?

No. ShadowOps is a web tool. Paste a URL, connect a repo via OAuth, or upload files — the scan runs in our infrastructure. No CLI required, no IDE plugin required.

Can I scan private repos?

Yes. Connect your GitHub, GitLab, or Bitbucket account via OAuth. We request only the minimum permissions needed to clone the repos you select. Your OAuth token is stored encrypted and used only for that purpose.

How is this different from Snyk or Semgrep?

Those are excellent tools built for security teams. They output CVE IDs, CVSS scores, and CWE references — the right language for an engineer who lives in security tooling.

ShadowOps is built for a different situation: you used Cursor, Lovable, v0, or Bolt to build something, it works, and now you want to know if it's safe to ship — without having to learn what a CWE code means.

Every finding is explained in plain English: what it is, why it matters, and what to do about it. We're also honest about what we didn't check, which most tools aren't.

What is a “finding label” and can I opt out?

When you view a finding, you can mark it “Real issue” or “Not a problem.” This helps us distinguish real vulnerabilities from false positives.

When you label a finding, we store a short encrypted code snippet (max 500 chars), the file extension, rule ID, category, severity, and your label. Nothing that identifies you or your repo.

To opt out: go to Settings → Privacy → Finding Labels and disable the toggle, or email hello@shadowops.in.

Can I delete my account and data?

Yes. Email hello@shadowops.in with your account email and we'll delete your account and all associated data within 30 days.

Still have a question?

Email hello@shadowops.in and we'll get back to you.