Documentation

ShieldX Product Manual

Security scanning that developers can run in 60 seconds. From setup to advanced configuration.

What is ShieldX?

ShieldX is security that developers actually want to use. Built for startups, it provides 14 integrated modules—from detecting hardcoded secrets to container security, infrastructure-as-code scanning, SBOM generation, and compliance reporting. It's drastically cheaper and faster than legacy enterprise platforms, requiring zero dedicated security headcount to get started.

Key Capabilities

  • Secrets detection with entropy analysis
  • Real-time CVE scanning
  • Cloud security posture assessment
  • API endpoint OWASP compliance testing
  • AST-based SAST with taint tracking
  • AI-powered security review
  • Container & Dockerfile security
  • Infrastructure-as-Code scanning
  • SBOM generation (CycloneDX)
  • Compliance mapping (8 frameworks)
  • Log-based threat detection
  • CI/CD pipeline integration
  • Custom rule engine
  • Unified security scoring

Privacy Guarantees

  • Zero code storage — code is never saved
  • No data retention on servers
  • HTTPS only with TLS 1.2+
  • No third-party data sharing
  • SOC 2 ready architecture
  • GDPR compliant data handling

Subscription Plans

  • Free ($0): Demo mode + basic secrets scanner
  • Pro ($79/mo): All 14 modules incl. AST-based SAST, AI review, unlimited scans
  • Enterprise ($299/mo): Team management, CI/CD gate, SLA, priority support

Getting Started by Plan

Free Demo (demo only)

Use the guided demo workspace with sample code, sample dependencies, and example results. This keeps free visitors out of the paid workspace while still showing the full product flow.

1. Open ShieldX and click Run Full Demo.
2. Review the sample findings across secrets, dependencies, cloud, API, and logs.
3. Use the separate free AI and public tools for non-paid exploration.

Pro Workspace (paid scans)

Run real scans on your own code, dependency manifests, API targets, and security workflows. Save score snapshots and export reports.

1. Paste your source code, package manifest, or endpoint into the relevant module.
2. Run a live scan and review the score, findings, and remediation guidance.
3. Save scan history, export the PDF report, and configure CI/CD automation.

Enterprise Rollout (team seats)

Create the Enterprise workspace, invite team members, assign seat roles, and keep onboarding and support aligned to the organization owner account.

1. Set the workspace name and generate the CI/CD API key.
2. Invite team members and assign owner, admin, member, or viewer access.
3. Run the first baseline scan, export a report, and contact onboarding for rollout help.

What the Paid Workspace Looks Like

These preview cards mirror the kind of result summaries, saved reports, and team controls customers see in the paid ShieldX workspace.

Pro Results Overview (live score view: 8.2 / 10)

A paid workspace combines module results into one security score with saved snapshots and export-ready summaries.

  • Secrets: 0 critical, 1 high
  • Dependencies: 2 CVEs flagged from vulnerability database
  • API score: 7.4 with missing CSP and weak rate-limit indicators

Saved Reports & History (paid workflow: PDF export)

Pro and Enterprise accounts can save scan history and create reports that look ready to share with engineering or leadership.

  • Snapshot stored with target, score, and findings counts
  • Export PDF for remediation reviews or customer updates
  • Repeat scans over time to show posture improvement

Enterprise Team Console (Enterprise only: 25 seats)

Enterprise accounts get the team panel with workspace naming, seat tracking, invite management, and owner/admin controls.

  • Workspace name and seat usage visible in one place
  • Invite admins, members, and viewers by email
  • Keep Enterprise access separate from demo and Free users

Secrets Scanner
Module 1/14

Detect hardcoded secrets, API keys, tokens, and credentials in your source code

Features

20+ regex patterns covering AWS, GitHub, Stripe, Google, Slack, npm, Docker, and more
Shannon entropy analysis to reduce false positives
Three confidence levels: High, Medium, Low
Line-by-line match reporting with exact match highlights
Specific remediation guidance for each secret type
Placeholder detection automatically filters test/dummy values

How to Use

1. Navigate to ShieldX → Secrets Scanner tab
2. Paste your source code, config files, .env content, or any text
3. Click 'Scan for Secrets' to analyze
4. Review findings sorted by confidence (High > Medium > Low)
5. Low-confidence matches are collapsed by default to reduce noise
6. Follow the green 'Fix' recommendations for each finding

What's Covered

AWS Access Keys
GitHub Tokens (ghp/gho/ghu/ghs/ghr)
GitHub Fine-Grained Tokens
Stripe Keys
Slack Tokens & Webhooks
Google API Keys
Private Keys (RSA/EC/DSA)
JWT/Bearer Tokens
Database Connection Strings
SendGrid, Twilio, Mailgun Keys
npm Tokens
Docker Hub Tokens
Generic API Key Patterns
Hardcoded Passwords
Internal IP Addresses
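The three mechanisms the feature list names (curated regex patterns, Shannon entropy, placeholder filtering) combined into a cut-down scanner. This is an added example, not ShieldX's own code: the two vendor patterns, the generic assignment pattern, the 3.5-bit entropy threshold, the placeholder word list and the confidence rules are this example's assumptions, and every value in the sample input is constructed.

```python
import math
import re

# Hypothetical subset of vendor-specific patterns; the module ships 20+.
SPECIFIC_PATTERNS = {
    "AWS Access Key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GitHub Token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
}
# Generic form: a key-like identifier assigned a quoted value of 16+ characters.
GENERIC_PATTERN = re.compile(
    r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)
# Values that look like documentation or test placeholders are dropped outright.
PLACEHOLDER = re.compile(r"(?i)example|sample|dummy|placeholder|changeme|xxxx|your[_-]")
HIGH_ENTROPY = 3.5  # bits per character; assumed cut-off for "looks random"


def shannon_entropy(value):
    """Shannon entropy of the string in bits per character."""
    if not value:
        return 0.0
    n = len(value)
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _classify(secret_type, value, lineno, specific):
    if PLACEHOLDER.search(value):
        return []  # test/dummy value: filtered, not reported
    entropy = shannon_entropy(value)
    if specific:  # a vendor-specific format is strong evidence on its own
        confidence = "High" if entropy >= HIGH_ENTROPY else "Medium"
    else:  # a generic assignment needs entropy to back it up
        confidence = "Medium" if entropy >= HIGH_ENTROPY else "Low"
    return [{"type": secret_type, "line": lineno, "match": value,
             "entropy": round(entropy, 2), "confidence": confidence}]


def scan_secrets(text):
    """Return findings sorted High > Medium > Low, then by line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for secret_type, pattern in SPECIFIC_PATTERNS.items():
            for m in pattern.finditer(line):
                findings += _classify(secret_type, m.group(0), lineno, specific=True)
        for m in GENERIC_PATTERN.finditer(line):
            findings += _classify("Generic API Key", m.group(1), lineno, specific=False)
    rank = {"High": 0, "Medium": 1, "Low": 2}
    findings.sort(key=lambda f: (rank[f["confidence"]], f["line"]))
    return findings


# Constructed sample input: none of these values is a real credential.
SAMPLE = """\
AWS_ACCESS_KEY_ID=AKIAQ7ZP3M9XV2KD5T8N
GITHUB_TOKEN=ghp_aB3dE5fG7hI9jK1lM2nO4pQ6rS8tU0vWxYzQ
AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000000
api_key = "your_api_key_goes_here_12345"
token = "abcdefabcdefabcdef"
"""

if __name__ == "__main__":
    for f in scan_secrets(SAMPLE):
        print(f"{f['confidence']:6} line {f['line']}: {f['type']} (entropy {f['entropy']})")
```

Lines 3 and 4 of the sample match a pattern but are dropped by the placeholder filter; line 5 matches only the generic pattern and has low entropy, so it is reported as Low, which is the bucket the module collapses by default.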

Dependency Scanner
Module 2/14

Find known vulnerabilities (CVEs) in your project dependencies using real-time CVE data

Features

Real-time queries against Google's Open Source Vulnerabilities (OSV) database
Supports npm (package.json), pip (requirements.txt), and Go ecosystems
CVE severity ratings: Critical, High, Medium, Low
Displays aliases (CVE IDs), summaries, and reference links
Shows fixed version for each vulnerability
Works with real production dependencies — not simulated data

How to Use

1. Navigate to ShieldX → Dependency Scanner tab
2. Paste your package.json, requirements.txt, or build.gradle content
3. Click 'Scan Dependencies' to query the vulnerability database
4. Review the vulnerability list sorted by severity
5. Click reference links for detailed CVE information
6. Upgrade dependencies to the suggested 'Fixed In' versions

What's Covered

npm / Node.js (package.json)
pip / Python (requirements.txt)
Go modules
More ecosystems coming soon
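What an OSV lookup for one package/version looks like, and how the fields the module displays (CVE aliases, summary, references, fixed version) are pulled out of the reply. This is an added example, not ShieldX's code. OSV_QUERY_URL is OSV's real single-package endpoint, and the reply layout used here (vulns[].aliases, affected[].ranges[].events[].fixed, database_specific.severity on GHSA-sourced records) follows the OSV schema; the sample reply is constructed, its GHSA/CVE identifiers are placeholders rather than real advisories, and "left-merge" is a hypothetical package.

```python
import json
import urllib.request

OSV_QUERY_URL = "https://api.osv.dev/v1/query"  # real OSV endpoint


def parse_package_json(text):
    """(name, version) pairs with the range prefix stripped; a lockfile is the exact source."""
    data = json.loads(text)
    for field in ("dependencies", "devDependencies"):
        for name, spec in data.get(field, {}).items():
            yield name, spec.lstrip("^~>=<")


def query_osv(name, version, ecosystem="npm", timeout=10):
    """Network call, not used by the offline demo: one package/version per request."""
    body = json.dumps({"package": {"name": name, "ecosystem": ecosystem},
                       "version": version}).encode()
    req = urllib.request.Request(OSV_QUERY_URL, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)  # {} when nothing matches, else {"vulns": [...]}


def fixed_version(vuln, ecosystem, name):
    """Walk affected[].ranges[].events[] for the first 'fixed' event of this package."""
    for affected in vuln.get("affected", []):
        pkg = affected.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        for rng in affected.get("ranges", []):
            for event in rng.get("events", []):
                if "fixed" in event:
                    return event["fixed"]
    return None  # no fix published yet


def summarize(name, version, response, ecosystem="npm"):
    """Flatten an OSV reply into display rows sorted by severity."""
    rank = {"CRITICAL": 0, "HIGH": 1, "MODERATE": 2, "LOW": 3}
    rows = []
    for vuln in response.get("vulns", []):
        rows.append({
            "package": name, "version": version, "id": vuln["id"],
            "aliases": [a for a in vuln.get("aliases", []) if a.startswith("CVE-")],
            "severity": vuln.get("database_specific", {}).get("severity", "UNKNOWN").upper(),
            "summary": vuln.get("summary", ""),
            "fixed_in": fixed_version(vuln, ecosystem, name),
            "references": [r["url"] for r in vuln.get("references", [])],
        })
    rows.sort(key=lambda r: rank.get(r["severity"], 9))
    return rows


def upgrade_target(rows):
    """Smallest version that clears every row: the highest 'fixed' value (dotted numeric versions assumed)."""
    fixes = [r["fixed_in"] for r in rows]
    if not rows or any(f is None for f in fixes):
        return None
    return max(fixes, key=lambda v: tuple(int(p) for p in v.split(".")))


# Constructed stand-in for an OSV reply; identifiers are placeholders.
SAMPLE_RESPONSE = {"vulns": [
    {"id": "GHSA-xxxx-xxxx-xxx1", "aliases": ["CVE-0000-00001"],
     "summary": "Placeholder: prototype pollution in merge()",
     "database_specific": {"severity": "MODERATE"},
     "affected": [{"package": {"ecosystem": "npm", "name": "left-merge"},
                   "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "1.4.2"}]}]}],
     "references": [{"type": "ADVISORY", "url": "https://example.invalid/advisory/1"}]},
    {"id": "GHSA-xxxx-xxxx-xxx2", "aliases": ["CVE-0000-00002"],
     "summary": "Placeholder: command injection via unsanitized option",
     "database_specific": {"severity": "HIGH"},
     "affected": [{"package": {"ecosystem": "npm", "name": "left-merge"},
                   "ranges": [{"type": "SEMVER", "events": [{"introduced": "1.0.0"}, {"fixed": "1.3.0"}]}]}],
     "references": []},
]}

if __name__ == "__main__":
    rows = summarize("left-merge", "1.2.0", SAMPLE_RESPONSE)
    for r in rows:
        print(r["severity"], r["id"], r["aliases"], "fixed in", r["fixed_in"])
    print("upgrade to", upgrade_target(rows))
```

The upgrade_target step matters in practice: each advisory carries its own fix version, and the 'Fixed In' value to act on is the highest of them, not the first one listed.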

Cloud Security Assessment
Module 3/14

Interactive security checklist for AWS, GCP, Azure, and general cloud infrastructure

Features

18 security checks across 4 platforms (AWS, GCP, Azure, General)
Covers Storage, Identity, Network, Database, Logging, Encryption, and Data categories
Severity-rated checks (Critical, High, Medium)
Pass/Fail tracking with percentage score
Specific fix guidance for every failing check
Platform-specific and cross-platform checks

How to Use

1. Navigate to ShieldX → Cloud Security tab
2. For each question, click 'Yes' if compliant or 'No' if not
3. Failed checks immediately show the risk and recommended fix
4. Review your score for each platform section
5. Prioritize Critical and High severity failures first
6. Re-assess periodically as infrastructure changes

What's Covered

AWS: S3, IAM, RDS, VPC, CloudTrail, Security Groups
GCP: GCS, Service Accounts, Audit Logging
Azure: NSGs, Storage Accounts, Key Vault
General: HTTPS, TLS, Centralized Logging, Backups

API Security Scanner
Module 4/14

Test any HTTP endpoint against OWASP API Top 10 2023 security standards

Features

Real HTTP requests to analyze endpoint security
Checks 10+ security headers (HSTS, CSP, X-Frame-Options, etc.)
OWASP API Top 10 2023 coverage indicators
CORS configuration analysis
Authentication and session management checks
Rate limiting detection
Sensitive data exposure detection
Error leakage analysis (stack traces, debug info)
Security score from 0-10

How to Use

1. Navigate to ShieldX → API Scanner tab
2. Enter any URL (e.g., https://api.example.com/v1/health)
3. Click 'Scan Endpoint' to perform the analysis
4. Review security headers (Pass/Fail/Warning)
5. Check OWASP API Top 10 coverage badges
6. Review your API security score out of 10
7. Implement missing headers and security controls

What's Covered

Security Headers: HSTS, CSP, X-Content-Type-Options, X-Frame-Options, etc.
OWASP API Top 10 2023 coverage
CORS analysis
Authentication checks
Rate limiting detection
Error leakage detection

Log Threat Analyzer
Module 5/14

AI-powered pattern detection to find security threats in your application logs

Features

Brute force detection (multiple failed login patterns)
High-frequency IP activity monitoring
Off-hours activity detection (00:00-05:59 events)
SQL injection and XSS pattern detection in logs
Privilege escalation activity monitoring
Data exfiltration command detection
Error spike analysis
Severity-rated findings with evidence

How to Use

1. Navigate to ShieldX → Log Analyzer tab
2. Paste your application logs, server logs, or access logs
3. Click 'Analyze Logs' to run the pattern engine
4. Review findings sorted by severity (Critical > High > Medium > Low)
5. Check the evidence column for specific log lines
6. Follow remediation steps for each finding

What's Covered

Auth logs (failed logins, brute force)
Web server logs (Apache, Nginx)
Application logs (error stacks, exceptions)
Security event logs
Cloud audit logs (CloudTrail, Stackdriver)

SAST Code Analyzer
Module 6/14

AST-based static analysis with multi-file project scanning, cross-file taint tracking, and exploit proof-of-concept generation

Features

Full AST parsing via acorn — not regex-based
Taint tracking from sources (req.body, req.query, req.params, req.headers, cookies) to sinks
Detects SQL injection, command injection, XSS, SSRF, path traversal, NoSQL injection, code injection
Pattern checks for eval(), weak crypto (MD5/SHA1), prototype pollution, hardcoded JWT secrets
Multi-file project scanning — upload ZIP or folder for cross-file analysis
Cross-file taint tracking — traces data across imports/exports between files
Exploit PoC Generator — generates real exploit payloads showing how each vulnerability is attacked
Timing attack detection on password comparisons
Authentication rate-limiting checks, CORS misconfiguration, ReDoS detection
Dataflow evidence showing source → sink traces with line numbers
15+ vulnerability classes with CWE and OWASP mappings
Downloadable HTML reports with findings, fixes, and exploit PoCs
Supports JavaScript, TypeScript, Java, C/C++, and C#

How to Use

1. Navigate to ShieldX → SAST Code Analyzer tab
2. Choose Single File mode to paste code or Project Scan to upload ZIP/folder
3. Select your language (auto-detected in project mode)
4. Click 'Run SAST Analysis' to parse and analyze
5. Review findings sorted by severity (Critical > High > Medium)
6. Expand 'Exploit PoC' for each finding to see exactly how it can be attacked
7. Expand dataflow traces to see how tainted data flows from source to sink
8. Follow the remediation guidance and code examples for each finding
9. Download an HTML report to share with your team

What's Covered

JavaScript (ES6+)
TypeScript
Java
C / C++
C#
JSX / React components
Express.js route handlers
Node.js server code

CI/CD Integration
Module 7/14

Ready-to-use pipeline templates for automated security scanning in your CI/CD

Features

GitHub Actions workflow template
GitLab CI configuration template
cURL command examples for any CI system
Secrets scan and dependency scan via API
Exit code-based pass/fail for pipeline gates
One-click copy for all templates
Test endpoint button to verify integration

How to Use

1. Navigate to ShieldX → CI/CD Integration tab
2. Choose your CI platform (GitHub Actions, GitLab CI, or cURL)
3. Copy the provided YAML/script template
4. Add it to your project's CI configuration
5. The pipeline will call ShieldX API on every push/PR
6. Failed security checks will fail the pipeline (exit code 1)
7. Use the 'Test' button to verify the integration works

What's Covered

GitHub Actions
GitLab CI
Any CI via cURL/REST API
Jenkins (via cURL)
CircleCI (via cURL)
Bitbucket Pipelines (via cURL)

AI Security Review
Module 8/14

AI-powered deep security review that finds business logic flaws, authorization gaps, IDOR, race conditions, and vulnerabilities that no pattern-based SAST tool can detect

Features

LLM-powered analysis using Google Gemini for deep security understanding
Business logic flaw detection — identifies authorization bypasses, IDOR, and trust boundary violations
Race condition detection in concurrent code paths
SSRF, open redirect, and insecure deserialization detection
Authentication and session management weakness identification
Privacy leakage detection (PII exposure, logging sensitive data)
Risk level assessment: Critical, High, Medium, Secure
Prioritized remediation actions with effort estimates
AI Executive Summary generation for stakeholder reports
Multi-language support: JavaScript, TypeScript, Python, Java, Go, Ruby, PHP, C#

How to Use

1. Navigate to ShieldX → AI Security Review tab
2. Select the programming language of your code
3. Paste your source code (focus on auth, API, or data handling logic)
4. Click 'Run Scan' to trigger AI-powered analysis
5. Review findings categorized by risk level and vulnerability type
6. Examine detailed explanations of business logic flaws and race conditions
7. Follow the prioritized remediation guidance

What's Covered

JavaScript / TypeScript
Python
Java
Go
Ruby
PHP
C#
Business logic flaws
IDOR detection
Race conditions
Authorization gaps

License Compliance Scanner
Module 9/14

Scan your dependency manifests to identify open source license obligations and compliance risks

Features

Identifies licenses for npm, pip, and Go dependencies
Risk classification: Copyleft (GPL), Weak Copyleft (LGPL, MPL), Permissive (MIT, Apache, BSD)
License compatibility checking for commercial use
Unknown/missing license flagging for manual review
Dual-license detection and resolution
SPDX license identifier mapping
Distribution obligation warnings for copyleft licenses
Export-ready license inventory reports

How to Use

1. Navigate to ShieldX → License Compliance tab
2. Paste your package.json, requirements.txt, or go.mod content
3. Click 'Check Licenses' to scan all dependencies
4. Review the license inventory sorted by risk level
5. Address copyleft license obligations before distribution
6. Flag unknown licenses for legal review

What's Covered

npm (package.json)
pip (requirements.txt)
Go (go.mod)
MIT
Apache 2.0
BSD
GPL v2/v3
LGPL
MPL
ISC
AGPL
Unlicense

Security Score Dashboard
Module 10/14

Unified security posture score across all ShieldX modules with radar visualization

Features

Composite score from 0-10 across 5 dimensions
Radar chart visualization of security posture
Individual module scores: Secrets, Dependencies, Cloud, API, Logs, SAST
Penalty-based scoring (findings reduce score)
Score updates automatically as you run scans
Visual color coding (red < 4, yellow < 6, blue < 8, green >= 8)

How to Use

1. Run scans across multiple modules (Secrets, Dependencies, Cloud, API, Logs, SAST)
2. Navigate to ShieldX → Security Score tab
3. View your overall composite score
4. Analyze the radar chart for weak areas
5. Focus on improving the lowest-scoring dimensions first
6. Re-scan after implementing fixes to see improvement

What's Covered

5-dimension radar chart
Real-time score calculation
Module-level drill-down
Export-ready score summary

Container Security
Module 11/14

Dockerfile security scanner with 15 checks based on CIS Docker Benchmark.

Features

15 security checks (privilege, secrets, network, supply chain, hardening)
Running-as-root detection (no USER instruction)
Secrets in ENV/ARG detection with value masking
curl|bash supply chain pattern detection
Unnecessary port exposure (SSH, DB, Docker daemon ports)
chmod 777 / sudo usage detection
Missing HEALTHCHECK warnings
Base image analysis (full vs slim/alpine/distroless)
Multi-stage build detection
Package cache cleanup checks

How to Use

1. Navigate to ShieldX → Container Security tab
2. Paste your Dockerfile content in the input area
3. Click 'Run Scan' to analyze
4. Review findings sorted by severity (critical → low)
5. Apply recommended fixes for each finding
6. Re-scan to verify fixes

What's Covered

Dockerfile
Multi-stage builds
alpine/slim/distroless detection
CIS Docker Benchmark checks
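A small Dockerfile linter covering a subset of the checks listed above (root user, secrets in ENV/ARG with masking, curl|bash, sensitive ports, chmod 777/sudo, apt cache, HEALTHCHECK, base image choice, multi-stage detection), run against a weak Dockerfile and a hardened one. This is an added example, not ShieldX's scanner; the severities, the port list and the secret-name pattern are this example's assumptions, and both Dockerfiles are constructed.

```python
import re

SENSITIVE_PORTS = {"22": "SSH", "3306": "MySQL", "5432": "PostgreSQL",
                   "27017": "MongoDB", "2375": "Docker daemon"}
SECRET_NAME = re.compile(r"(?i)password|passwd|secret|token|api[_-]?key|private[_-]?key")
SLIM_IMAGE = re.compile(r"(?i)slim|alpine|distroless|scratch")
PIPED_INSTALL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z|da)?sh\b")
RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def parse_dockerfile(text):
    """Return [(INSTRUCTION, arguments)] with comments dropped and '\\' continuations joined."""
    instructions, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        parts = (pending + line).split(None, 1)
        instructions.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
        pending = ""
    return instructions


def mask(value):
    """Keep two leading characters so the finding is recognisable without echoing the secret."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 4 else "****"


def scan_dockerfile(text):
    instructions = parse_dockerfile(text)
    findings = []

    def add(severity, check, evidence=""):
        findings.append({"severity": severity, "check": check, "evidence": evidence})

    users = [args.strip() for instr, args in instructions if instr == "USER"]
    if not users or users[-1] in ("root", "0"):
        add("Critical", "Container runs as root (no non-root USER instruction)")

    for instr, args in instructions:
        if instr in ("ENV", "ARG"):
            pairs = re.findall(r"(\w+)=(\S+)", args)  # KEY=value form
            if not pairs:  # legacy "KEY value" form
                parts = args.split(None, 1)
                pairs = [(parts[0], parts[1])] if len(parts) == 2 else []
            for key, value in pairs:
                if SECRET_NAME.search(key):
                    add("High", f"Secret-looking value in {instr} {key}", f"{key}={mask(value)}")
        elif instr == "RUN":
            if PIPED_INSTALL.search(args):
                add("High", "Remote script piped into a shell (curl|bash)", args)
            if "chmod 777" in args or re.search(r"\bsudo\b", args):
                add("Medium", "chmod 777 or sudo in RUN", args)
            if "apt-get install" in args and "rm -rf /var/lib/apt/lists" not in args:
                add("Low", "apt cache left in the layer", args)
        elif instr == "EXPOSE":
            for port in args.split():
                number = port.split("/")[0]
                if number in SENSITIVE_PORTS:
                    add("Medium", f"Exposes {SENSITIVE_PORTS[number]} port {number}", args)

    if not any(instr == "HEALTHCHECK" for instr, _ in instructions):
        add("Low", "Missing HEALTHCHECK")

    bases = [args.split()[0] for instr, args in instructions if instr == "FROM"]
    for image in bases:
        if not SLIM_IMAGE.search(image):
            add("Low", f"Full base image {image}; consider a slim/alpine/distroless variant", image)

    findings.sort(key=lambda f: RANK[f["severity"]])
    return {"findings": findings, "multi_stage": len(bases) > 1, "base_images": bases}


# Constructed weak Dockerfile: the token value is made up; the URL is a reserved example host.
BAD_DOCKERFILE = """\
FROM node:20
ENV API_TOKEN=supersecretvalue123
RUN curl -sSL https://example.invalid/install.sh | bash
RUN apt-get update && apt-get install -y build-essential
RUN chmod 777 /app
EXPOSE 3000 22
CMD ["node", "server.js"]
"""

# Constructed hardened version: slim build stage, distroless runtime, non-root user, HEALTHCHECK.
GOOD_DOCKERFILE = """\
FROM node:20-slim AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci
FROM gcr.io/distroless/nodejs20-debian12
COPY --from=build /app /app
USER nonroot
EXPOSE 3000
HEALTHCHECK CMD ["/nodejs/bin/node", "/app/healthcheck.js"]
CMD ["/app/server.js"]
"""

if __name__ == "__main__":
    for f in scan_dockerfile(BAD_DOCKERFILE)["findings"]:
        print(f"{f['severity']:8} {f['check']}  {f['evidence']}")
```

The masked evidence line ("API_TOKEN=su*****************") is the point of the value-masking feature: a report can name the offending variable without becoming a second copy of the secret.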

IaC Scanner
Module 12/14

Infrastructure-as-Code misconfiguration scanner for Terraform, CloudFormation, and Kubernetes.

Features

22+ security checks across AWS, Kubernetes, and general patterns
Terraform HCL configuration analysis
CloudFormation YAML/JSON support
Kubernetes manifest security checks
S3 public bucket detection
Security group open ingress (0.0.0.0/0) detection
SSH port open to internet
RDS publicly accessible databases
IAM wildcard (*) policy detection
AdministratorAccess policy attachment
Kubernetes privileged container detection
Host network/PID namespace sharing
Missing resource limits
Hardcoded secrets in IaC
HTTP instead of HTTPS endpoints
Missing CloudTrail/logging
Unencrypted EBS/RDS

How to Use

1. Navigate to ShieldX → IaC Scanner tab
2. Paste Terraform (.tf), CloudFormation (YAML/JSON), or Kubernetes manifests
3. Click 'Run Scan' to analyze
4. Review misconfigurations by severity and provider
5. Apply recommended fixes before deploying infrastructure

What's Covered

Terraform HCL
AWS CloudFormation (YAML/JSON)
Kubernetes YAML
AWS
GCP
Azure
Kubernetes
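Several of the checks listed above (0.0.0.0/0 ingress and SSH open to the internet, public S3 buckets, publicly accessible and unencrypted RDS, IAM wildcard statements, AdministratorAccess attachment) implemented against a CloudFormation template in its JSON form, which the standard library can parse without a YAML dependency. This is an added example, not ShieldX's IaC scanner; the severities, the admin-port list and the fix text are this example's assumptions, and the template is constructed.

```python
import json

ADMIN_PORTS = {22, 3389}
RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def scan_cloudformation(template_text):
    """Run misconfiguration checks over the Resources of a CloudFormation JSON template."""
    template = json.loads(template_text)
    findings = []

    def add(severity, logical_id, check, fix):
        findings.append({"severity": severity, "resource": logical_id, "check": check, "fix": fix})

    for logical_id, res in template.get("Resources", {}).items():
        rtype = res.get("Type", "")
        props = res.get("Properties", {})

        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("CidrIp") != "0.0.0.0/0" and rule.get("CidrIpv6") != "::/0":
                    continue
                port = rule.get("FromPort")
                if str(rule.get("IpProtocol")) == "-1" or port in ADMIN_PORTS:
                    add("Critical", logical_id, f"Admin/all-port ingress ({port}) open to the internet",
                        "Restrict the source CIDR to a bastion or VPN range")
                else:
                    add("Medium", logical_id, f"Ingress from 0.0.0.0/0 on port {port} (review)",
                        "Confirm this is a public-facing service; otherwise restrict the CIDR")

        elif rtype == "AWS::S3::Bucket":
            block = props.get("PublicAccessBlockConfiguration", {})
            flags = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")
            if not all(block.get(flag) is True for flag in flags):
                add("High", logical_id, "Public access block not fully enabled",
                    "Set all four PublicAccessBlockConfiguration flags to true")
            if "BucketEncryption" not in props:
                add("Medium", logical_id, "No default server-side encryption",
                    "Add BucketEncryption with SSE-S3 or SSE-KMS")

        elif rtype == "AWS::RDS::DBInstance":
            if props.get("PubliclyAccessible") is True:
                add("Critical", logical_id, "Database is publicly accessible",
                    "Set PubliclyAccessible to false and reach it through the VPC")
            if props.get("StorageEncrypted") is not True:
                add("High", logical_id, "Database storage not encrypted", "Set StorageEncrypted to true")

        elif rtype in ("AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group",
                       "AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            docs = [props["PolicyDocument"]] if "PolicyDocument" in props else []
            docs += [p["PolicyDocument"] for p in props.get("Policies", []) if "PolicyDocument" in p]
            for doc in docs:
                for stmt in _as_list(doc.get("Statement", [])):
                    if stmt.get("Effect") != "Allow":
                        continue
                    if "*" in _as_list(stmt.get("Action", [])) and "*" in _as_list(stmt.get("Resource", [])):
                        add("Critical", logical_id, "IAM statement allows Action * on Resource *",
                            "Scope Action and Resource to what the workload needs")
            for arn in props.get("ManagedPolicyArns", []):
                if isinstance(arn, str) and arn.endswith("/AdministratorAccess"):
                    add("Critical", logical_id, "AdministratorAccess policy attached",
                        "Replace with a least-privilege policy")

        elif rtype == "AWS::EC2::Volume" and props.get("Encrypted") is not True:
            add("High", logical_id, "EBS volume not encrypted", "Set Encrypted to true")

    findings.sort(key=lambda f: (RANK[f["severity"]], f["resource"]))
    return findings


# Constructed template: four weak resources plus one bucket configured correctly.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "web tier",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "Logs": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "Db": {"Type": "AWS::RDS::DBInstance", "Properties": {"Engine": "postgres", "PubliclyAccessible": True}},
    "AppRole": {"Type": "AWS::IAM::Role", "Properties": {
        "ManagedPolicyArns": ["arn:aws:iam::aws:policy/AdministratorAccess"],
        "Policies": [{"PolicyName": "all", "PolicyDocument": {
            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}},
    "Safe": {"Type": "AWS::S3::Bucket", "Properties": {
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "BlockPublicPolicy": True,
                                           "IgnorePublicAcls": True, "RestrictPublicBuckets": True},
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}},
}})

if __name__ == "__main__":
    for f in scan_cloudformation(SAMPLE_TEMPLATE):
        print(f"{f['severity']:8} {f['resource']:8} {f['check']}")
```

Port 443 open to the world is reported at a lower severity than port 22 on purpose: the former is the normal shape of a public web tier and needs a human to confirm, while the latter is a finding on its own.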

SBOM Generator
Module 13/14

Generate CycloneDX 1.5 Software Bill of Materials from dependency manifests.

Features

CycloneDX 1.5 format (industry standard)
Package URL (PURL) generation for every component
License identification for common packages
Multi-ecosystem support (npm, PyPI, Go, Maven)
Component scope classification (required/dev/optional)
Downloadable JSON export
Regulatory compliance ready (US EO 14028, EU CRA)
Unknown license identification for manual review

How to Use

1. Navigate to ShieldX → SBOM Generator tab
2. Paste your package.json, requirements.txt, go.mod, or build.gradle
3. Click 'Run Scan' to generate the SBOM
4. Review components, licenses, and ecosystem breakdown
5. Download the CycloneDX JSON for compliance or audit

What's Covered

npm (package.json)
pip (requirements.txt)
Go (go.mod)
Gradle (build.gradle)
CycloneDX 1.5 output
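Building a minimal CycloneDX 1.5 document from the three manifest types listed above, with a Package URL for every component, the scope classification, and the unpinned-version flagging the module does for manual review. This is an added example, not ShieldX's generator, and it makes three assumptions stated in the comments: range prefixes (^, ~, >=) are stripped to obtain a version even though a lockfile is the honest source of exact pins; devDependencies map to the CycloneDX scope "excluded" and optionalDependencies to "optional"; and license lookup is left out. The manifests are constructed and "@scope/logger" is a hypothetical package.

```python
import json
import re
from urllib.parse import quote

RANGE_PREFIX = re.compile(r"^[\^~>=<\s]+")
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(?:==\s*([0-9][A-Za-z0-9.*+!-]*))?")
# Assumed mapping from package.json sections to CycloneDX component scopes.
NPM_SCOPES = {"dependencies": "required", "devDependencies": "excluded", "optionalDependencies": "optional"}


def purl(ecosystem, name, version):
    """Package URL per the purl spec; scoped npm names carry a percent-encoded '@' namespace."""
    if ecosystem == "npm" and name.startswith("@"):
        scope, bare = name[1:].split("/", 1)
        base = f"pkg:npm/{quote('@' + scope)}/{bare}"
    elif ecosystem == "pypi":
        base = "pkg:pypi/" + re.sub(r"[-_.]+", "-", name).lower()  # PEP 503 normalisation
    else:
        base = f"pkg:{ecosystem}/{name}"
    return base + (f"@{version}" if version else "")


def component(ecosystem, name, version, scope):
    comp = {"type": "library", "name": name, "purl": purl(ecosystem, name, version), "scope": scope}
    if version:
        comp["version"] = version  # omitted when the manifest gives no exact pin
    return comp


def from_package_json(text):
    data = json.loads(text)
    comps = []
    for field, scope in NPM_SCOPES.items():
        for name, spec in data.get(field, {}).items():
            version = RANGE_PREFIX.sub("", spec)  # "^4.18.2" -> "4.18.2" (assumption, see lead-in)
            comps.append(component("npm", name, version if re.match(r"\d", version) else None, scope))
    return comps


def from_requirements(text):
    comps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = REQ_LINE.match(line)
        if m:
            comps.append(component("pypi", m.group(1), m.group(2), "required"))
    return comps


def from_go_mod(text):
    comps, in_block = [], False
    for line in text.splitlines():
        line = line.split("//", 1)[0].strip()
        if line.startswith("require ("):
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        if in_block or line.startswith("require "):
            m = re.match(r"^(?:require\s+)?(\S+)\s+(v\S+)$", line)
            if m:
                comps.append(component("golang", m.group(1), m.group(2), "required"))
    return comps


def build_sbom(app_name, package_json=None, requirements_txt=None, go_mod=None):
    comps = []
    comps += from_package_json(package_json) if package_json else []
    comps += from_requirements(requirements_txt) if requirements_txt else []
    comps += from_go_mod(go_mod) if go_mod else []
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "metadata": {"component": {"type": "application", "name": app_name}},
            "components": comps}


def unpinned(sbom):
    """Components whose manifest gave no exact version: flagged for manual review."""
    return [c["name"] for c in sbom["components"] if "version" not in c]


# Constructed manifests.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "dependencies": {"express": "^4.18.2", "@scope/logger": "1.4.0"},
    "devDependencies": {"jest": "~29.7.0"},
    "optionalDependencies": {"fsevents": "2.3.3"},
})
SAMPLE_REQUIREMENTS = "requests==2.31.0\nFlask>=2.0   # unpinned on purpose\nPyYAML==6.0.1\n"
SAMPLE_GO_MOD = ("module example.com/demo\n\ngo 1.22\n\nrequire (\n"
                 "\tgithub.com/gorilla/mux v1.8.1\n\tgolang.org/x/crypto v0.21.0 // indirect\n)\n")

if __name__ == "__main__":
    sbom = build_sbom("demo-app", SAMPLE_PACKAGE_JSON, SAMPLE_REQUIREMENTS, SAMPLE_GO_MOD)
    print(json.dumps(sbom, indent=2))
    print("unpinned:", unpinned(sbom))
```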

Compliance Report
Module 14/14

Map scan findings to SOC 2, ISO 27001, PCI-DSS, HIPAA, NIST 800-53, CIS, and GDPR.

Features

8 compliance frameworks supported
Per-framework compliance posture scoring (0-100%)
Detailed control-level mapping for every finding
SOC 2 Type II trust services criteria mapping
ISO 27001:2022 Annex A control mapping
PCI DSS 4.0 requirement mapping
HIPAA technical safeguard mapping
NIST 800-53 Rev 5 control mapping
CIS Benchmark control mapping
GDPR article mapping
OWASP Top 10 2021 mapping
Actionable remediation recommendations

How to Use

1. Run scans across multiple modules first (Secrets, SAST, Cloud, Dependencies, etc.)
2. Navigate to ShieldX → Compliance Report tab
3. Click 'Run Scan' to generate the compliance report
4. Review overall compliance posture percentage
5. Drill into each framework to see failed controls
6. Follow actionable recommendations to improve scores

What's Covered

SOC 2 Type II
ISO 27001:2022
PCI DSS 4.0
HIPAA
NIST 800-53 Rev 5
CIS Benchmarks
GDPR
OWASP Top 10 2021

Privacy & Security Policy

ShieldX is built with a zero code storage architecture. Your intellectual property is never at risk.

Zero Code Storage

Your source code is analyzed in real-time memory and immediately discarded after scanning. It is never written to disk, logged, or stored in any database.

No Data Retention

Scan results are returned directly to your browser session. We do not retain copies of your findings, code snippets, or dependency lists on our servers.

HTTPS Only

All data transmission between your browser and ShieldX is encrypted via TLS 1.2+ (HTTPS). We enforce HSTS with a minimum 1-year max-age.

No Third-Party Sharing

Your data is never sold, shared, or transmitted to third parties. Dependency queries are anonymized and contain only package name/version pairs — no source code.

Session-Based Authentication

ShieldX uses JWT-based session tokens with configurable expiry. Sessions are server-validated and cannot be forged.

SOC 2 Ready Architecture

Our infrastructure follows SOC 2 Type II controls including access management, change management, and monitoring.

Frequently Asked Questions

Is ShieldX safe to use with proprietary code?

Yes. ShieldX has a strict Zero Code Storage policy. Your code is processed in-memory and immediately discarded. We never log, store, or transmit your source code to any third party.

How accurate is the Secrets Scanner?

The scanner uses 20+ curated regex patterns combined with Shannon entropy analysis and placeholder detection. High-confidence matches have very low false positive rates. Low-confidence matches are clearly labeled and collapsed by default.

Does the Dependency Scanner use real data?

Yes. Every query runs against a real-time vulnerability database. Vulnerabilities shown are actual CVEs from the National Vulnerability Database.

Can I integrate ShieldX into my CI/CD pipeline?

Yes. ShieldX provides ready-to-use templates for GitHub Actions and GitLab CI, plus cURL commands for any CI system. Failed security checks return exit code 1 to fail your pipeline.

What platforms does Cloud Security cover?

AWS, GCP, Azure, and general cloud infrastructure. Each platform has specific checks for storage, identity, network, database, logging, and encryption.

How is the Security Score calculated?

Each module produces a score from 0-10 based on penalty deductions. Critical findings deduct 3 points, High deducts 2, Medium deducts 1. The overall score is the average across all scanning dimensions.
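The scoring rule stated in this answer, together with the colour bands from the Security Score Dashboard section (red < 4, yellow < 6, blue < 8, green >= 8) and the exit-code convention of the CI/CD Integration section, worked through in code. This is an added example, not ShieldX's scoring engine. It assumes Low findings carry no penalty (the answer lists only Critical, High and Medium), floors each module at 0 and averages over whichever dimensions were scanned; the per-module findings are constructed.

```python
PENALTY = {"Critical": 3, "High": 2, "Medium": 1, "Low": 0}  # Low = 0 is an assumption
COLOR_BANDS = [(4, "red"), (6, "yellow"), (8, "blue")]      # below these bounds; else green


def module_score(severities):
    """10 minus the per-finding penalties, floored at 0."""
    return max(0.0, 10.0 - sum(PENALTY.get(s, 0) for s in severities))


def composite_score(results):
    """(overall, per-module) where overall is the mean of the scanned dimensions."""
    if not results:
        return None, {}
    per_module = {dim: module_score(sev) for dim, sev in results.items()}
    return round(sum(per_module.values()) / len(per_module), 1), per_module


def color_for(score):
    for upper_bound, color in COLOR_BANDS:
        if score < upper_bound:
            return color
    return "green"


def gate_exit_code(results, min_score=6.0, fail_on_critical=True):
    """CI/CD gate: 0 lets the pipeline continue, 1 fails it. No scans at all fails closed."""
    overall, _ = composite_score(results)
    if overall is None:
        return 1
    if fail_on_critical and any("Critical" in sev for sev in results.values()):
        return 1
    return 0 if overall >= min_score else 1


# Constructed per-module finding severities.
SAMPLE_RESULTS = {
    "Secrets": ["High"],                                    # 8
    "Dependencies": ["Critical", "High"],                   # 5
    "Cloud": [],                                            # 10
    "API": ["Medium", "Medium"],                            # 8
    "Logs": ["Critical", "Critical", "Critical", "High"],   # 10 - 11 -> floored to 0
}

if __name__ == "__main__":
    overall, per_module = composite_score(SAMPLE_RESULTS)
    for dim, score in per_module.items():
        print(f"{dim:13} {score:4.1f} {color_for(score)}")
    print(f"overall {overall} ({color_for(overall)}), gate exit code {gate_exit_code(SAMPLE_RESULTS)}")
```

The floor at 0 is what makes the Logs dimension drag the average to 6.2 rather than lower: with an unfloored score the single noisy module would dominate the composite, so the gate checks for Critical findings separately instead of relying on the average alone.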

How do Custom Rules work?

Custom Rules let you create your own detection patterns, suppress false positives, or add organization-specific security checks. Rules are written as regex patterns and are applied automatically during every SAST scan. You can manage up to 100 rules per account.

What is the AI Executive Summary?

The AI Executive Summary uses Google Gemini to translate security scan results into clear, actionable intelligence. It generates a risk assessment, prioritized fix order, and key insights suitable for engineering leads and non-technical stakeholders.

What compliance frameworks does ShieldX support?

The Compliance Report module maps findings to 8 frameworks: SOC 2 Type II, ISO 27001, PCI DSS 4.0, HIPAA, NIST 800-53, CIS Benchmarks, GDPR, and OWASP Top 10. Each framework shows control-level compliance scores.

What does the Enterprise plan include?

Everything in Pro plus: team management (up to 25 seats), priority support (< 4hr response), custom integrations, dedicated account manager, 99.9% SLA, white-label reports, and on-premise deployment option.

Can I cancel anytime?

Yes. Both Pro and Enterprise plans can be cancelled at any time. Contact support for details.

Ready to Secure Your Application?

Start scanning in seconds — no setup required.