The marketing site for Scanipy — vulnerability detection by CWE class, multi-SCM, deterministic by default.
Static-export Next.js 16 site, deployed to GitHub Pages on scanipy.com via the workflow at `.github/workflows/deploy.yml`.

```bash
npm install
npm run dev     # http://localhost:3000
npm run build   # static export to ./out
```

| Route | Source | Purpose |
|---|---|---|
| `/` | `app/page.tsx` | SaaS marketing pitch — the v2 platform |
| `/oss` | `app/oss/page.tsx` | The open-source edition overview (taint-tracking CLI) |
| `/oss/docs/...` | `app/oss/docs/[[...slug]]/page.tsx` | OSS CLI documentation, synced from scanipy/scanipy-oss (banner makes the scope explicit) |
| `/research` | `app/research/page.tsx` | Academic-bibliography credibility doc (footer-linked only) |
| `/cli`, `/docs` | `app/cli/page.tsx`, `app/docs/page.tsx` | Client-side redirect stubs → `/oss` and `/oss/docs` (keep old links alive) |

The footer always carries a Documentation link (→ /oss/docs) so a visitor
on any page can reach the docs in one click. Note: <SiteNav> accepts a
showDocs prop but currently ignores it (no Docs link is rendered in the top
nav) — wire it up if you want a header docs link.
Three constants drive most of the visible copy. Edit these instead of the page bodies when you're updating data, not narrative.
| File | What it owns |
|---|---|
| `lib/cta.ts` | `demoBookingUrl` — the "Get a demo" target. Replace the placeholder Cal.com URL with your real booking link. |
| `lib/detectors.ts` | The 10-class catalog table. Move a class from `roadmap` to `ga` here when its content ships. |
| `lib/scms.ts` | The four SCM-coverage tiles (auth-mode notes). |
| `lib/proof.ts` | Build-time GitHub-stars fetch for the proof band. `STAR_FALLBACK` is the floor a failed network fetch falls back to — bump it to roughly track reality so a broken build doesn't visibly under-state social proof. |
| `lib/citations.ts` | The five academic references rendered on `/research`. Cap is five; if a sixth lands, retire one. |
| `lib/site.ts` | `siteTitle`, `siteDescription` — used in the `<title>` tag and OG / Twitter cards. |

Don't ship copy that violates these — they're the levers that keep this site from reading like a v0.app scaffold.
- No vague stats. No "1M+ scanned" / "millions of repos." If a number ships, it cites a specific advisory.
- No banned generic adjectives. A pre-deploy grep on `out/index.html` and `out/oss.html` checks for `powerful|robust|advanced|seamless|unleash|supercharge|comprehensive|transformative|empower`. Zero matches expected.
- No academic citations on marketing pages. The marketing audience doesn't lead with academic references; the same grep also flags `Yamaguchi|Engler|IRIS|Mariana|CWE-1000` as zero-match on the homepage and `/oss`. Those references live on `/research` instead, footer-linked only.
- One CTA per page. `<DemoCTA />` is the only conversion target on `/`. No `[Get a demo] [See pricing]` pairs.
- No fake customer logos. The proof band renders SCM wordmarks + a build-time GitHub stars chip + a real CVE chip. No vendor-logo PNGs masquerading as customers.
- Real artefacts inline. SARIF excerpts, CLI command snippets, and the dataflow pipeline are real syntax / real architecture (no fake-looking terminal mockups).
- Editorial layout cues. Every H2 carries a `<SectionEyebrow>` label (small caps, tracking-wide). That single rule is the strongest "this isn't a v0 scaffold" tell.

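The pre-deploy grep from the two rules above, as an added shell example that is not the project's own script. The function name `copy_lint`, the grep flags and the split into two passes are assumptions; the term lists are copied from this README.

```shell
#!/bin/sh
# Added example, not the project's script. Term lists come from the README;
# the function name, grep flags and two-pass split are assumptions.

BANNED_ADJECTIVES='powerful|robust|advanced|seamless|unleash|supercharge|comprehensive|transformative|empower'
BANNED_CITATIONS='Yamaguchi|Engler|IRIS|Mariana|CWE-1000'

# copy_lint FILE...
# Prints file:line:match for every hit.
# Returns 0 when all files are clean, 1 when any term is found, and
# 2 when a listed file is unreadable (a lint that scans nothing must not pass).
copy_lint() {
    found=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "copy-lint: cannot read $f" >&2
            return 2
        fi
        # Adjectives: case-insensitive, so "Robust" at the start of a sentence
        # is caught; the stems are unanchored, so "empower" also flags "empowers".
        if grep -E -i -o -n -H -- "$BANNED_ADJECTIVES" "$f"; then
            found=1
        fi
        # Citation names: case-sensitive, so only the proper nouns match.
        if grep -E -o -n -H -- "$BANNED_CITATIONS" "$f"; then
            found=1
        fi
    done
    return "$found"
}

# Typical use after `npm run build`:
#   copy_lint out/index.html out/oss.html || exit 1
```

Because the check runs over exported HTML, a hit can come from an attribute value or inlined script as well as visible copy; the printed `file:line:match` shows which.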
These were left as TODO items by the rewrite plan (see commit history):
- `public/og-image.png` — replace the v0.app-era OG image with a 1200×630 designed card showing either the architecture diagram or the catalog table with the new tagline. The metadata wiring (`app/layout.tsx`) already references `/og-image.png`; just swap the file.
- Lighthouse pass. Run incognito Chrome Lighthouse on `/` and `/oss` and confirm Performance / Accessibility / Best Practices / SEO ≥ 95.
- Real CLI screenshot. The hero right-column currently uses a `<SarifExcerpt>` block with literal text. A captured PNG of `scanipy scan .` printing a real witness-backed finding would be more visually striking; commit it as `public/hero-cli.png` and reference from `app/page.tsx`.

.github/workflows/deploy.yml builds on push to main and deploys via the GitHub Pages action. The CNAME is scanipy.com.
The documentation served at /oss/docs is not committed here — it is sourced
from scanipy/scanipy-oss. On every
build, scripts/sync-oss-docs.mjs (run via the predev / prebuild npm hooks)
pulls that repo's docs/ tree into a gitignored oss-docs/ directory, and the
Next.js build renders the nav, pages, and landing index from it. Locally it
reuses a sibling ../scanipy-oss/docs checkout if present, otherwise it does a
shallow sparse clone; set OSS_DOCS_DIR to override the source.
So docs stay in sync automatically: the deploy workflow rebuilds on every push,
on a daily cron, and on a manual Run workflow — each rebuild re-pulls
the latest docs. To publish a docs change immediately, trigger the workflow
manually. To run it once locally: npm run sync:docs.
| Layer | Technology |
|---|---|
| Framework | Next.js 16 (App Router) |
| UI primitives | shadcn/ui + Radix |
| Styling | Tailwind CSS v4 |
| Fonts | Geist + Geist Mono (Google Fonts) |
| Markdown rendering (docs) | remark-gfm, remark-rehype, rehype-highlight, rehype-slug (heading anchors) + inter-doc link rewriting |
| Theming | next-themes |
| Analytics | @vercel/analytics |
| Build target | next build with output: 'export' (static HTML to out/) |
| Hosting | GitHub Pages (custom domain via CNAME) |