Sajjetti – AI Audit is a security-first code scanner for WordPress plugins and themes.
It performs static analysis of PHP, HTML, CSS, and JS files to detect vulnerabilities,
performance issues, and coding standard problems before they become real risks.
Privacy by design
– Nothing runs automatically; all scans are triggered manually by the site owner.
– Files are analyzed statically — never executed.
– Remote analysis is disabled by default. No code leaves your site until you explicitly enable "Allow remote analysis" in Settings.
– When enabled, selected file contents are sent securely over HTTPS to the Sajjetti API. Analysis data is temporary and discarded after results are returned.
– Complies with WordPress.org privacy and consent guidelines.
What it helps you find
– Security: unescaped output, missing nonces and capability checks, unsafe file operations, risky SQL patterns, and other common vulnerabilities.
– Performance: expensive loops, heavy queries, oversized assets, and inefficient patterns that slow down page loads.
– Code quality and compatibility: deprecated APIs, version-specific pitfalls, and conflicts with WordPress coding standards.
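To make the security categories above concrete, here is an added example (written for this page, not code from the Sajjetti plugin) showing each flagged pattern next to its hardened form. It assumes a WordPress runtime (the `$wpdb`, `esc_html`, `check_admin_referer`, `current_user_can` and `wp_upload_dir` APIs); the `sajjetti_example_*` function names, the `example_setting` option and the `example_save_setting` nonce action are made up for illustration.

```php
<?php
// Added example, not the plugin's code. Each "bad" function is the kind of
// pattern a static scanner flags; the "good" version is the hardened form.

// 1. Unescaped output: a raw superglobal written into HTML (reflected XSS).
function sajjetti_example_output_bad() {
    echo '<p>' . $_GET['q'] . '</p>';                       // flagged: unescaped output
}
function sajjetti_example_output_good() {
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    echo '<p>' . esc_html( $q ) . '</p>';                   // escaped at the point of output
}

// 2. Risky SQL: a variable interpolated straight into the query string.
function sajjetti_example_sql_bad( $status ) {
    global $wpdb;
    return $wpdb->get_results( "SELECT ID FROM {$wpdb->posts} WHERE post_status = '$status'" );
}
function sajjetti_example_sql_good( $status ) {
    global $wpdb;
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT ID FROM {$wpdb->posts} WHERE post_status = %s", $status )
    );
}

// 3. State-changing admin handler with no nonce and no capability check (CSRF,
//    and any logged-in user can change the option).
function sajjetti_example_handler_bad() {
    update_option( 'example_setting', $_POST['value'] );    // flagged: missing nonce + capability
}
function sajjetti_example_handler_good() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_save_setting' );           // dies on a missing/invalid nonce
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'example_setting', $value );
}

// 4. Unsafe file operation: a path built from user input (directory traversal).
function sajjetti_example_file_bad() {
    readfile( WP_CONTENT_DIR . '/uploads/' . $_GET['file'] ); // flagged: unsafe file operation
}
function sajjetti_example_file_good() {
    $name = isset( $_GET['file'] ) ? sanitize_file_name( wp_unslash( $_GET['file'] ) ) : '';
    $base = realpath( wp_upload_dir()['basedir'] );
    $path = ( '' !== $name && false !== $base ) ? realpath( $base . '/' . $name ) : false;
    // Resolve symlinks and ".." first, then require the result to stay inside $base.
    if ( false === $path || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        wp_die( esc_html__( 'Invalid file.', 'example' ), '', array( 'response' => 400 ) );
    }
    readfile( $path );
}
```

The hardened forms follow the usual WordPress rule of sanitizing on input and escaping on output, preparing every query that carries a variable, and checking both a nonce and a capability before any state change. In the file case, `realpath()` is applied to both the base directory and the candidate path so the containment check compares canonical paths rather than the attacker-controlled string.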
Optional AI assistance
When remote analysis is enabled, the Sajjetti API provides AI-powered suggestions with context-specific recommendations.
Results are presented with file-by-file drill-down, risk levels, and actionable insights. Human review is always recommended before making changes.
Key Features
- Detects vulnerabilities, warnings, and performance issues
- Provides optional AI-assisted analysis with actionable suggestions
- Offers file-by-file drill-down and detailed reports
- Built with a security-first design, including validation and sanitization that follow the WordPress VIP coding standards
Security Considerations
- All scans are user-initiated; nothing runs automatically.
- File contents are analyzed statically (never executed).
- REST endpoints require capability checks and nonces.
- All outbound requests to the Sajjetti API use HTTPS; inbound REST and admin requests are validated with nonces and referer checks.
- Uninstall removes plugin data (options and tables) cleanly.
- All user-facing strings are escaped and translatable.
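Two of the considerations above (REST endpoints gated by capability checks and nonces, and a clean uninstall) are easy to verify in code. The following is an added example written for this page, not the plugin's own implementation; the route namespace `sajjetti-example/v1`, the option names, the table name and the `sajjetti_example_*` function names are all assumptions, and the uninstall part lives in a separate `uninstall.php` file as WordPress expects.

```php
<?php
// Added example, not the plugin's code.
// Part 1 (main plugin file): a REST endpoint that refuses anonymous and
// unprivileged callers before its callback ever runs.
add_action( 'rest_api_init', function () {
    register_rest_route( 'sajjetti-example/v1', '/scan', array(
        'methods'             => WP_REST_Server::CREATABLE,   // POST
        'callback'            => 'sajjetti_example_rest_scan',
        'permission_callback' => function ( WP_REST_Request $request ) {
            // Cookie-authenticated REST calls are only treated as logged in when a
            // valid X-WP-Nonce (action 'wp_rest') is present; checking it explicitly
            // makes the requirement visible in the code.
            $nonce = $request->get_header( 'X-WP-Nonce' );
            if ( ! $nonce || ! wp_verify_nonce( $nonce, 'wp_rest' ) ) {
                return new WP_Error( 'rest_invalid_nonce', 'Missing or invalid nonce.', array( 'status' => 403 ) );
            }
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
            }
            return true;
        },
        'args' => array(
            'paths' => array(
                'required'          => true,
                'type'              => 'array',
                'items'             => array( 'type' => 'string' ),
                'sanitize_callback' => function ( $paths ) {
                    return array_map( 'sanitize_text_field', (array) $paths );
                },
            ),
        ),
    ) );
} );

function sajjetti_example_rest_scan( WP_REST_Request $request ) {
    // The scan itself is user-initiated here: nothing schedules this route.
    $paths = $request->get_param( 'paths' );
    return rest_ensure_response( array( 'queued' => count( $paths ) ) );
}

// Part 2 (uninstall.php): WordPress loads this file only when the plugin is
// deleted from the admin UI, and the guard below stops it running any other way.
if ( ! defined( 'WP_UNINSTALL_PLUGIN' ) ) {
    exit;
}
global $wpdb;
foreach ( array( 'sajjetti_example_allow_remote', 'sajjetti_example_api_key', 'sajjetti_example_username' ) as $option ) {
    delete_option( $option );                                // assumed option names
}
$table = $wpdb->prefix . 'sajjetti_example_results';         // assumed table name
$wpdb->query( "DROP TABLE IF EXISTS {$table}" );            // table name is plugin-controlled, not user input
```

The `permission_callback` is required by WordPress for every REST route; returning a `WP_Error` with a 403 status from it is what produces the capability and nonce failures described above. In `uninstall.php`, the `WP_UNINSTALL_PLUGIN` guard is the standard way to ensure the destructive cleanup cannot be triggered by requesting the file directly.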
Pricing and API Access
The plugin includes a small allowance of free scans.
Additional scans require an API key, available through a paid subscription.
Privacy
When you initiate a scan with remote analysis enabled, this plugin may transmit selected file contents (Base64-encoded PHP, HTML, CSS, and JS), limited file metadata (filename, relative path, size, cryptographic hash such as SHA-256), your site IP address and URL (for license validation), and your Sajjetti API username to the Sajjetti API for static analysis. No WordPress user account data, passwords, or database content is transmitted or stored. Temporary analysis data is deleted after results are returned. For details, see the included privacy.md file.
Remote analysis is disabled by default. No file contents are transmitted until the site owner explicitly enables "Allow remote analysis" in Settings.
External services
This plugin connects to the Sajjetti Hub API (https://sajjetti.ai) to validate license status,
manage usage limits, upload code snippets for analysis, and fetch audit results.
Data sent:
– License key and username when validating or checking usage.
– Website URL and IP address when validating usage.
– Selected PHP/HTML/JS/CSS source files when submitting for auditing.
Data returned:
– License type and remaining file quota.
– Audit results (security, performance, and code quality insights).
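The Privacy and External services sections above describe what a submission contains: Base64-encoded file contents, the filename, relative path, size and SHA-256 hash, the site URL, and the API username. The following added example (written for this page, not the plugin's own client) assembles a payload of that shape and sends it over HTTPS with certificate verification left on. Only the hostname https://sajjetti.ai comes from this page; the `/api/v1/audit` path, the JSON field names, the `Authorization` header, the option names and the `sajjetti_example_*` function names are assumptions.

```php
<?php
// Added example, not the plugin's code. Builds the per-file entries listed in the
// README and submits them; nothing is sent unless the opt-in option is set.

function sajjetti_example_build_file_entry( $abs_path, $plugin_root ) {
    $contents = file_get_contents( $abs_path );          // read as bytes only; never include/eval
    if ( false === $contents ) {
        return null;
    }
    $relative = ltrim( str_replace( rtrim( $plugin_root, '/\\' ), '', $abs_path ), '/\\' );
    return array(
        'filename' => basename( $abs_path ),
        'path'     => $relative,                          // relative to the plugin/theme root
        'size'     => strlen( $contents ),
        'sha256'   => hash( 'sha256', $contents ),        // lets the server detect repeated uploads
        'content'  => base64_encode( $contents ),
    );
}

function sajjetti_example_submit( array $abs_paths, $plugin_root ) {
    // Gate on the explicit opt-in and the caller's capability before anything leaves the site.
    if ( ! get_option( 'sajjetti_example_allow_remote', false ) ) {      // assumed option name
        return new WP_Error( 'remote_disabled', 'Remote analysis is not enabled.' );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions.' );
    }

    $allowed = array( 'php', 'html', 'css', 'js' );       // the file types the README lists
    $files   = array();
    foreach ( $abs_paths as $path ) {
        $ext = strtolower( pathinfo( $path, PATHINFO_EXTENSION ) );
        if ( in_array( $ext, $allowed, true ) ) {
            $entry = sajjetti_example_build_file_entry( $path, $plugin_root );
            if ( null !== $entry ) {
                $files[] = $entry;
            }
        }
    }

    // The site IP address is not a field: the API sees it as the source of the request.
    $body = array(
        'username' => get_option( 'sajjetti_example_username', '' ),   // assumed option name
        'site_url' => home_url(),
        'files'    => $files,
    );

    $response = wp_remote_post(
        'https://sajjetti.ai/api/v1/audit',                // assumed endpoint path
        array(
            'timeout'   => 60,
            'sslverify' => true,                           // never disable certificate checks
            'headers'   => array(
                'Content-Type'  => 'application/json',
                'Authorization' => 'Bearer ' . get_option( 'sajjetti_example_api_key', '' ),
            ),
            'body'      => wp_json_encode( $body ),
        )
    );
    if ( is_wp_error( $response ) ) {
        return $response;                                  // DNS/TLS/transport failure
    }
    $code = wp_remote_retrieve_response_code( $response );
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( 200 !== $code || ! is_array( $data ) ) {
        return new WP_Error( 'bad_response', 'Unexpected response from API.', array( 'status' => $code ) );
    }
    return $data;   // expected to carry license type, remaining quota and per-file findings
}
```

The two checks at the top are the practical meaning of "remote analysis is disabled by default": the option must be on and the caller must be an administrator, otherwise the function returns before any file is read. Keeping `sslverify` true is the part most often broken in plugins that talk to an external API; a client that disables it turns the HTTPS claim into plain HTTP against any on-path attacker.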
Legal & Privacy:
– Terms of Service: https://sajjetti.ai/terms-of-service/
– Privacy Policy: https://sajjetti.ai/privacy-policy/