# Sajjetti - AI Audit

AI-assisted theme and plugin scanner for security, performance, and best practices. Provides clear, actionable insights.

[![Buy Me a Coffee](https://img.shields.io/badge/Buy%20Me%20a%20Coffee-Support-yellow)](https://buymeacoffee.com/sajjetti)
[![License: GPL v2+](https://img.shields.io/badge/License-GPL%20v2%2B-blue.svg)](https://www.gnu.org/licenses/gpl-2.0.html)

---

## What it helps you find
- **Security:** unescaped output, missing nonces and capability checks, unsafe file operations, risky SQL patterns, and other common vulnerability indicators.
- **Performance:** expensive loops, heavy queries, oversized assets, and inefficient patterns that slow down page loads.
- **Code quality and compatibility:** deprecated APIs, version-specific pitfalls, and patterns that conflict with WordPress coding standards.
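The following is an added illustration, not code from the Sajjetti plugin, of the security indicators listed above in a hypothetical WordPress admin action handler: the first version contains the patterns a scan would flag, the second is the hardened form. The table name, capability and nonce action are assumptions for the example; the nonce itself is assumed to have been added to the request via `wp_nonce_url()` when the link was rendered.

```php
<?php
// Added example (not part of the Sajjetti plugin). Two versions of a
// hypothetical "delete note" admin handler; the table name, capability
// and nonce action are assumptions for illustration.

// BEFORE: the indicators a scan flags - no capability check, no nonce,
// unsanitized input, raw SQL and unescaped output.
function example_delete_note_insecure() {
    global $wpdb;
    $id = $_GET['note_id'];                                              // unsanitized input
    $wpdb->query( "DELETE FROM {$wpdb->prefix}notes WHERE id = $id" );  // risky SQL pattern
    echo 'Deleted note ' . $_GET['note_id'];                             // unescaped output
}

// AFTER: capability check, nonce verification, input sanitization,
// prepared SQL and escaped output.
function example_delete_note_secure() {
    global $wpdb;

    // Capability check: only users allowed to manage options may delete.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'example' ), 403 );
    }

    // Nonce check: rejects requests that did not originate from the admin UI (CSRF).
    check_admin_referer( 'example_delete_note' );

    // Sanitize: coerce the id to a non-negative integer before use.
    $id = absint( wp_unslash( $_GET['note_id'] ?? 0 ) );
    if ( 0 === $id ) {
        wp_die( esc_html__( 'Invalid note id.', 'example' ), 400 );
    }

    // Prepared statement: the placeholder keeps the value out of the SQL text.
    $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$wpdb->prefix}notes WHERE id = %d", $id )
    );

    // Escape on output so nothing from the request reaches the page unescaped.
    echo esc_html( sprintf( 'Deleted note %d', $id ) );
}
```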

## How it works
- Scans are **user-triggered** (nothing runs automatically) and analyze code **statically** (never executed).
- **Remote analysis is opt-in**; no code is sent until you enable **Allow remote analysis** in Settings.
- When enabled, selected file contents are sent over **HTTPS** to the Sajjetti API for analysis. Temporary analysis data is discarded after results are returned.
- The plugin is designed to comply with WordPress.org privacy guidelines.

---

## Key Features
- Detects vulnerabilities, warnings, and performance issues  
- Provides AI-assisted analysis with actionable suggestions  
- Offers file-by-file drill-down and detailed reports  
- Built with a security-first design, including VIP-compliant validation and sanitization 

---

## Pricing and API Access
The plugin includes a small allowance of free scans.  
Additional scans require an API key, available through a paid subscription.

---

## Installation
1. Upload the plugin folder to `/wp-content/plugins/` or install via **Plugins > Add New**.
2. Activate via the WordPress Plugins menu.
3. Go to **Audit > New Scan** to start your first scan.
4. (Optional) Enter your Sajjetti API key under **Settings > API Credentials** for additional scans.
5. Enable **Allow remote analysis** in **Settings > API Credentials** to send code for analysis.

---

## Frequently Asked Questions

**What information is sent to the Sajjetti API?**  
When you start a scan with remote analysis enabled, the following data is transmitted:
- Selected file contents (Base64-encoded PHP, HTML, CSS, JS)
- Your website IP address and URL (for API license validation)
- Your Sajjetti API username (account identifier, not your WordPress username)
- File metadata: filename, file type, file size, and internal scan identifiers

No WordPress user account data, passwords, or database content is transmitted.

**When does this plugin send data to external servers?**  
Only when you start a scan and have enabled **Allow remote analysis** in **Settings > API Credentials**. If remote analysis is disabled, nothing is sent.

**What happens if the Sajjetti API is unavailable?**  
Remote analysis scans will not run and no files will be sent. You will see an error in the admin UI and can retry later. Your settings and scan history remain intact.

**Does this plugin automatically upload files?**  
No. All scans are user-triggered. Nothing is sent unless you manually start a scan with remote analysis enabled.

**Are my files executed on your servers?**  
No. Analysis is static only. Files are never executed, only analyzed for patterns and potential issues.

**Do you store my files or data?**  
No. Transmitted data is used only for analysis and is deleted after results are returned.

**Why do you need my site IP address and URL?**  
They are used to validate that your API license is authorized for your website. This helps prevent unauthorized use of API credentials.

---

## Privacy
When you initiate a scan with remote analysis enabled, this plugin may transmit selected file contents (Base64-encoded PHP/HTML/CSS/JS), limited file metadata (filename, relative path, size, cryptographic hash), your site IP address and URL (for license validation), and your Sajjetti API username to the Sajjetti API for static analysis. No WordPress user account data, passwords, or database content is transmitted or stored. Temporary analysis data is deleted after results are returned.

Remote analysis is disabled by default. Scans cannot start until the site owner explicitly enables **Allow remote analysis** in Settings.

---

## External Services

This plugin connects to the **Sajjetti Hub API** (https://sajjetti.ai) to:

- Validate license status and usage limits  
- Upload selected code snippets for static analysis (when remote analysis is enabled)  
- Fetch audit results (security, performance, and code quality insights)  

**Data sent (only when remote analysis is enabled):**
- Selected PHP/JS/CSS/HTML source files (Base64-encoded)  
- Website URL and IP address (for license validation)  
- Sajjetti API username and API key  
- File metadata (filename, relative path, size, hash)  

**Data returned:**
- License type and remaining scan quota  
- Audit results including identified issues and recommendations  

All transmissions are over HTTPS. Analysis data is temporary and deleted after results are returned.  

**Legal & Privacy:**
- Terms of Service: https://sajjetti.ai/terms-of-service/
- Privacy Policy: https://sajjetti.ai/privacy-policy/

---

## Changelog

### 1.0.0 - 2025-09-01
- Initial release.
- Static code analysis for PHP, HTML, CSS, and JS files.
- AI-assisted security, performance, and code quality detection.
- Secure API integration with license validation.
- File-by-file detailed reporting with actionable recommendations.

---

## Upgrade Notice

### 1.0.0
Initial release of Sajjetti - AI Audit.

---

## License
This plugin is licensed under the [GPL-2.0-or-later](https://www.gnu.org/licenses/gpl-2.0.html).  
See `license.txt` for details.
