Action items
A curated queue of what to do next, separate from the main issue list.
350+ hard pass/fail checks across your code and your site, correlated with the third-party tools you already use. Seeing every signal together catches issues a single tool would miss, and regressions before your users notice.
It's all there the moment the app opens: current health, what changed since the last scan, and what needs fixing first. Every tool you've connected feeds in right alongside it. No tabs to flip. No dashboards to stitch together.
Background scans push notifications when something changes. Every alert opens into a full dossier.
Sparklines on the overall score and each category. See what's improved and what's slipped since your last scan.
The dashboard is the overview. These are the close-ups. A purpose-built view for traffic, search, security, and deploys, with context raw integration data can't give you on its own.
GA4 and Plausible sessions, top pages, and source shifts, lined up next to your scan health.
Clicks, impressions, ranking shifts, and indexability. Caught the moment they happen.
Web scan, code scan, and npm audit findings combined into a single security posture view.
Recent GitHub Actions runs, release status, and deploy-correlated regressions in one timeline.
Unified activity feed of every scan, deploy, uptime incident, and anomaly across the project.
Pending dependency updates across npm, pip, composer, cargo, and go. Severity, breaking-change risk, and post-fix verification tracked over time.
A scan is only useful if you act on it. SiteCMD pulls every finding into one list, opens each with full context and a ready-to-send fix prompt, then keeps watching so the same problem doesn't ship twice.
Scanning is just the start. SiteCMD keeps every scan in your local history, diffs new scans against old ones, exports reports for stakeholders and pipelines, and rolls everything up across every site you manage.
Every scan stored locally with its findings. Sort and filter by date, severity, or category to see exactly what changed and when.
Diff any two scans side by side. See which issues appeared, which got fixed, and which regressed between them.
Generate PDF reports for stakeholders or JSON exports for downstream pipelines. A custom builder shapes the report for client deliverables.
Manage every site you own from one workspace. The Sites overview rolls up health, issues, and recent activity across the whole portfolio.
SiteCMD runs its own checks through two engines. Web Scan audits your running site, whether that's local dev, staging, or production. Code Scan reads your source tree. Both run 100% locally on your machine, and together they cover 350+ distinct issue types.
Sees your site the way the internet does.
Point Web Scan at any URL. SiteCMD pulls the page, parses the HTML, probes the response, and runs every check in parallel.
Headers, SSL, CSP, mixed content, exposed files, cookies, clickjacking
Core Web Vitals, compression, cache policy, render blocking, image optimization
Canonicals, robots, sitemap, structured data, indexability, meta tags
axe-core WCAG 2 A/AA engine plus native checks: contrast, ARIA, focus order, headings, landmarks
Privacy policy, cookie consent, data retention, legal footer
Framework defaults, placeholder copy, AI aesthetic, HTML quality, meta gaps
Reads your code the way an engineer does.
Point Code Scan at any local source folder. SiteCMD walks the project, parses package manifests, inspects database access patterns, and flags the issues live scans can't see.
Timeouts, rate limits, spend caps, and observability on your AI integrations. Loop detection, output caps, and concurrency safety on every model call.
Vulnerable packages, outdated majors, license risk, lockfile drift
Hardcoded secrets, exposed .env files, broken auth flows, unsafe request validation, webhook gaps
Migration drift, missing foreign keys, unsafe ORM patterns, schema-vs-runtime mismatch
Tight coupling, circular deps, dead code, leftover scaffolding
console.log as error handling, debug code in production, missing rollbacks, broken error reporting
When traffic drops or rankings slip, the symptom shows up in one tool and the cause hides in another. SiteCMD pulls signals from the services you already use and correlates them against its own scan findings, so symptom and cause sit side by side.
Deploy history, CI status, and PR context.
Edge cache, threat events, and bandwidth.
Privacy-first traffic and top pages.
GA4 sessions and source breakdown.
Clicks, impressions, and ranking shifts.
Visibility and crawl data.
Lighthouse lab metrics and real-user CrUX data.
Availability and incident history.
Issue ownership and follow-ups.
Coming soon: pull your CodeRabbit review findings into the unified list.
Coming soon: surface your Semgrep AppSec findings alongside SiteCMD's own scan.
The desktop app is the primary command center, but the same engine runs from your terminal, inside your CI/CD pipeline, and through any AI editor with MCP support. Wherever you ship, SiteCMD goes with you.
For your terminal and your CI.
A standalone binary runs the full scan engine without the desktop app. Drop it into GitHub Actions, fail builds on severity thresholds, output JSON for downstream gates, or run a focused scan from staging in your terminal.
For Cursor, Claude Code, Windsurf, and any other MCP-compatible editor.
Built-in MCP server exposes scan results, issue data, and fix prompts to AI coding agents. Your editor stops guessing because it can actually read what's broken and where. The fix it writes is grounded in real findings, not vibes.
Your scans, your credentials, your source code all stay on your machine. SiteCMD has no cloud backend, no upload pipeline, no shared infrastructure. There's nothing to breach because there's nothing in the cloud.
Tauri-based, runs natively on macOS, Windows, and Linux. Tiny binary, no Electron weight.
API keys and OAuth tokens live in your system keychain, encrypted by your OS. They're never stored in a database file.
Scan history, code findings, dossiers, and pulled-in integration data live in a SQLite file on your machine. Back it up like any other file.
License checks and app updates are minimal. Optional usage analytics and crash reports only run if you opt in from the desktop app.