ansede-static 2.2.1

AST-based SAST for Python and JavaScript — detects IDOR, auth bypass, and ownership flaws that Bandit misses.

The world's most precise offline static application security testing engine.
Zero dependencies. 98.8% CVE recall. Five languages. Ships as a single .exe.

---

What makes it different

Existing SAST tools detect subprocess(shell=True). They miss the bugs that actually appear in CVE databases:

# CWE-639 — Insecure Direct Object Reference
# Bandit: silent.   Semgrep OSS: silent.   ansede-static: CRITICAL

@app.route("/invoice/<invoice_id>")
@login_required
def get_invoice(invoice_id):
    return db.execute("SELECT * FROM invoices WHERE id = ?", (invoice_id,))
    #     ^ no WHERE user_id = current_user.id  →  any user can see any invoice

# CWE-862 — Missing Authentication on admin endpoint
# Bandit: silent.   Semgrep OSS: silent.   ansede-static: HIGH

@app.route("/admin/users")
def list_users():      # no @login_required, no permission check
    return User.query.all()

# CWE-285 — Missing Ownership Check on destructive action
# Bandit: silent.   Semgrep OSS: silent.   ansede-static: HIGH

@app.route("/post/<post_id>/delete", methods=["POST"])
@login_required
def delete_post(post_id):
    Post.query.filter_by(id=post_id).delete()
    # no if post.author_id != current_user.id: abort(403)

ansede-static models routes, decorators, auth guards, and ownership patterns at the AST level. This is how it achieves 98.8% CVE recall while Bandit OSS sits at ~65%.

---

Install

pip install ansede-static

# Or download the standalone .exe (zero Python required):
# https://github.com/mattybellx/Ansede/releases/latest

# Scan a directory
ansede-static src/

# SARIF for GitHub Code Scanning
ansede-static src/ --format sarif --output results.sarif

# JSON for scripting
ansede-static src/ --format json --output findings.json

# Only fail CI on critical findings
ansede-static src/ --fail-on critical

# Incremental — only changed files (monorepo-friendly)
ansede-static src/ --incremental

---

Verified Performance — May 2026

Benchmark	Result
Regression suite	919 tests passed
NVD CVE recall	81/82 (98.78%)
NVD CVE precision	96.43%
False positive rate	3.57%
Web-wild recall	100.00%
Web-wild precision	95.00%
External real-world corpus	15/15 cases, 30/30 checks (100%)
Noise quotient	0.861 findings / kLOC
Raw engine speed	~0.02s per 100k LOC
Languages	Python · JavaScript · TypeScript · Go · Java · C#
World-Best Audit	✅ All quality gates passed

Full methodology and machine-readable artifacts: BENCHMARKS.md

---

Detection Coverage

Category	CWEs detected	Example
Broken Access Control (IDOR, auth bypass)	CWE-639, CWE-862, CWE-285, CWE-287	Route missing @login_required, no ownership check on DB query
Injection	CWE-89, CWE-78, CWE-94, CWE-95	SQLi via f-string, command injection via subprocess(shell=True), eval injection
Cryptographic Failures	CWE-327, CWE-328, CWE-798	MD5/SHA1 for passwords, hardcoded AWS keys, API tokens in source
Path Traversal & SSRF	CWE-22, CWE-918	Unsanitized os.path.join, user-controlled URLs in requests.get()
Cross-Site Issues	CWE-79, CWE-352	innerHTML with user data, missing CSRF tokens
Deserialization	CWE-502	pickle.loads() on untrusted input
Open Redirect	CWE-601	User-controlled next parameter in redirect()
Log Injection	CWE-117	Unsanitized user input in log messages
ReDoS	CWE-1333	Catastrophic backtracking in regex patterns
And more	20+ categories	See ansede-static --list-rules for the full catalog

---

GitHub Action

# .github/workflows/security.yml
- uses: mattybellx/Ansede@v2.2.0
  with:
    path: src/
    fail-on: high
    upload-sarif: true
    license-key: ${{ secrets.ANSEDE_LICENSE_KEY }}

---

Pricing

	Free	Pro
Scans per day	500	Unlimited
Languages	5	5
Text & JSON output	✓	✓
SARIF (GitHub Code Scanning)	—	✓
SBOM (CycloneDX / SPDX)	—	✓
HTML dashboard	—	✓
CI/CD recipes	—	✓
Price	Free	£4.99 one-time or £49/year

Upgrade to Pro →

---

Features

• Incremental scanning — scan only changed files with --incremental (git diff) or --incremental-sha256 (content hash)
• Baseline diffing — freeze legacy debt with --baseline baseline.json, only fail on new findings
• Auto-fix — apply safe inline fixes with --apply-fixes
• AI triage — suppress test/mock/fixture false positives with --ai-triage
• Parallel workers — speed up large repos with --parallel
• Entropy scanning — detect hardcoded secrets in string literals with --entropy
• ansede.json config — per-project rules, exclusions, and custom sinks via --init
• Inline suppression — # ansede: ignore[CWE-862] on any line
• LSP server — IDE integration via --lsp
• VS Code extension — Install from Marketplace
• Community rules — YAML-based custom rule packs under ~/.ansede/community_rules/
• SBOM generation — CycloneDX and SPDX output with --sbom
• Offline CWE explanations — enriched finding descriptions with --explain
• HTML reports — interactive browser dashboard with --format html

---

Comparison

	ansede-static	Bandit OSS	Semgrep OSS	CodeQL CLI
CVE Recall	98.8%	~65%	~72%	~88%
FP Rate	3.6%	~45%	~30%	~12%
Offline (no network)	✓	✓	✗	✗
Zero dependencies	✓	✗	✗	✗
Single binary (.exe)	✓	✗	✗	✗
IDOR / Auth bypass	✓	✗	Partial	Partial
Languages	5	1	20+	7
Install size	<5 MB	~15 MB	~200 MB	~600 MB
Speed (scan_file)	0.02s/100k LOC	0.5s	3s	10s

---

Contributing

git clone https://github.com/mattybellx/Ansede.git
cd Ansede
pip install -e ".[dev]"
pytest tests/ -q

See CONTRIBUTING.md for guidelines, docs/writing-rules.md for building custom rules, and docs/zero-friction-ci-rollout.md for adoption playbooks.

---

_{Built with ❤️ by Matty Bell. MIT licensed. Zero telemetry. No cloud dependency.}