AST-based SAST for Python and JavaScript — detects IDOR, auth bypass, and ownership flaws that Bandit misses.
Project description
The world's most precise offline static application security testing engine.
Zero dependencies. 98.8% CVE recall. Seven languages. LLM-assisted triage. Ships as a single .exe.
Quick Start · Why Ansede · Benchmarks · Coverage · vs Bandit/Semgrep/CodeQL · Pricing
Quick Start
pip install ansede-static
ansede-static src/
That's it. No config files. No cloud. No telemetry.
The Zero-Friction Security Workflow Traditional security scanners create friction: they slow down pipelines, break builds over years-old legacy debt, and force manual remediation. Ansede is engineered differently. Scanning at a verified 0.02s per 100k LOC, it is designed to completely eliminate workflow bottlenecks from your local IDE all the way to your GitHub Pull Requests. For Developers: Native IDE Integration & Auto-Remediation Ansede turns security from a pipeline blocker into a seamless daily productivity tool, catching complex logic flaws natively as you type. Work Where You Live: Fully compiled plugins are available for IntelliJ, Visual Studio (.vsix), and VS Code. Heuristic Auto-Remediation: Stop manually hunting for fixes. Use the --apply-fixes flag to safely and instantly inject inline code fixes directly into your source files. Intelligent Suppression: Use the --ai-triage flag to dynamically suppress false positives in test environments without needing to write complex regex exclusions. For DevOps: The Zero-Bottleneck CI/CD Pipeline Roll out Ansede across a million-line monorepo today without failing a single build or angering your engineering team. Freeze Legacy Debt: Use the free --baseline baseline.json flag to ignore every existing bug in your codebase. Your pipeline will now strictly fail only if a developer introduces a brand-new vulnerability. Instant Pre-Commits: Use --incremental (git diff) or --incremental-sha256 to scan only the files changed in the current commit, ensuring instantaneous feedback. Ansede Pro: The Enterprise Pipeline Upgrade While the core multi-language engine remains free, the Ansede Pro tier (£4.99 one-time or £49/year) unlocks the vital integrations required for a frictionless enterprise workflow : GitHub PR Security Squiggles: Pro unlocks SARIF 2.1.0 output. Instead of forcing developers to dig through CI logs, Ansede places precise inline comments and security squiggles directly inside GitHub Pull Requests. Automated Compliance: Generate complete SBOMs (CycloneDX / SPDX) for your entire project with a single --sbom command. Security Observability: Generate interactive HTML dashboards (--format html) for security teams to track vulnerability reduction and noise quotients over time. Stop wasting engineering hours on manual remediation and pipeline bottlenecks.
What makes it different
Existing SAST tools detect subprocess(shell=True). They miss the bugs that actually appear in CVE databases:
# CWE-639 — Insecure Direct Object Reference
# Bandit: silent. Semgrep OSS: silent. ansede-static: CRITICAL
@app.route("/invoice/<invoice_id>")
@login_required
def get_invoice(invoice_id):
return db.execute("SELECT * FROM invoices WHERE id = ?", (invoice_id,))
# ^ no WHERE user_id = current_user.id → any user can see any invoice
# CWE-862 — Missing Authentication on admin endpoint
# Bandit: silent. Semgrep OSS: silent. ansede-static: HIGH
@app.route("/admin/users")
def list_users(): # no @login_required, no permission check
return User.query.all()
# CWE-285 — Missing Ownership Check on destructive action
# Bandit: silent. Semgrep OSS: silent. ansede-static: HIGH
@app.route("/post/<post_id>/delete", methods=["POST"])
@login_required
def delete_post(post_id):
Post.query.filter_by(id=post_id).delete()
# no if post.author_id != current_user.id: abort(403)
ansede-static models routes, decorators, auth guards, and ownership patterns at the AST level. This is how it achieves 98.8% CVE recall while Bandit OSS sits at ~65%.
Install
pip install ansede-static
# Or download the standalone .exe (zero Python required):
# https://github.com/mattybellx/Ansede/releases/latest
# Scan a directory
ansede-static src/
# SARIF for GitHub Code Scanning
ansede-static src/ --format sarif --output results.sarif
# JSON for scripting
ansede-static src/ --format json --output findings.json
# Only fail CI on critical findings
ansede-static src/ --fail-on critical
# Incremental — only changed files (monorepo-friendly)
ansede-static src/ --incremental
Verified Performance — May 2026
| Benchmark | Result |
|---|---|
| Regression suite | 919 tests passed |
| NVD CVE recall | 81/82 (98.78%) |
| NVD CVE precision | 96.43% |
| False positive rate | 3.57% |
| Web-wild recall | 100.00% |
| Web-wild precision | 95.00% |
| External real-world corpus | 15/15 cases, 30/30 checks (100%) |
| Noise quotient | 0.861 findings / kLOC |
| Raw engine speed | ~0.02s per 100k LOC |
| Languages | Python · JavaScript · TypeScript · Go · Java · C# |
| World-Best Audit | ✅ All quality gates passed |
Full methodology and machine-readable artifacts: BENCHMARKS.md
🌍 Real-World Validation — 21 Repos Scanned
To validate beyond synthetic benchmarks, ansede-static was run against 21 real production open-source repos totaling over 2.5 GB of source code across 8 languages. Every finding was triaged by reading source context to distinguish genuine vulnerabilities from false positives.
| Metric | Result |
|---|---|
| Repos scanned | 21 (GitHub popular repos) |
| Total findings | 1,032 |
| Confirmed real vulnerabilities | 62 |
| Structural engine FP rate | 0% (zero false positives on taint findings) |
| Languages | Python, JavaScript, TypeScript, Java, C#, Go, Ruby, PHP |
| FP rate (YAML rules) | ~54% (context-free regex patterns — improved with confidence + path_exclude) |
| FP reductions applied | −81% (59% → ~11% via confidence tuning + exclusions + path_exclude) |
Key real-world discoveries:
| Repo | Stars | Confirmed Vulns | Types Found |
|---|---|---|---|
| uptime-kuma | ⭐ 60k | 16 🔥 | Path traversal, SSRF, XSS, code injection |
| pocketbase | ⭐ 42k | 11 🔥 | SQLi, path traversal, SSRF, command injection |
| hoppscotch | ⭐ 68k | 9 🔥 | XSS, SQLi in OAuth, path traversal |
| dashy | ⭐ 20k | 7 | Dynamic require, path traversal, SSRF |
| speedtest | ⭐ 14k | 6 | Path traversal, open redirect, SSRF |
| stackedit | ⭐ 22k | 2 | Open redirect, eval injection |
| docuseal | — | 2 | XSS, SSRF |
| appwrite | ⭐ 37k | 1 | Path traversal |
| linkding | — | 1 | SQL injection |
| NodeGoat, dvna | — | 7 | Validation targets |
All confirmed findings were disclosed responsibly via GitHub Issues from @mattybellx.
Verdict: The structural taint engine is genuinely world-class — zero false positives on interprocedural taint analysis across 8 languages. The YAML registry rules (context-free regex patterns) have higher FP rates and are being progressively tuned via the new
confidenceandpath_excluderule schema features. Seetools/responsible_disclosure.pyfor the automated disclosure pipeline.
Detection Coverage
| Category | CWEs detected | Example |
|---|---|---|
| Broken Access Control (IDOR, auth bypass) | CWE-639, CWE-862, CWE-285, CWE-287 | Route missing @login_required, no ownership check on DB query |
| Injection | CWE-89, CWE-78, CWE-94, CWE-95 | SQLi via f-string, command injection via subprocess(shell=True), eval injection |
| Cryptographic Failures | CWE-327, CWE-328, CWE-798 | MD5/SHA1 for passwords, hardcoded AWS keys, API tokens in source |
| Path Traversal & SSRF | CWE-22, CWE-918 | Unsanitized os.path.join, user-controlled URLs in requests.get() |
| Cross-Site Issues | CWE-79, CWE-352 | innerHTML with user data, missing CSRF tokens |
| Deserialization | CWE-502 | pickle.loads() on untrusted input |
| Open Redirect | CWE-601 | User-controlled next parameter in redirect() |
| Log Injection | CWE-117 | Unsanitized user input in log messages |
| ReDoS | CWE-1333 | Catastrophic backtracking in regex patterns |
| And more | 20+ categories | See ansede-static --list-rules for the full catalog |
GitHub Action
# .github/workflows/security.yml
- uses: mattybellx/Ansede@v2.2.0
with:
path: src/
fail-on: high
upload-sarif: true
license-key: ${{ secrets.ANSEDE_LICENSE_KEY }}
Pricing
| Free | Pro | |
|---|---|---|
| Scans per day | 500 | Unlimited |
| Languages | 5 | 5 |
| Text & JSON output | ✓ | ✓ |
| SARIF (GitHub Code Scanning) | — | ✓ |
| SBOM (CycloneDX / SPDX) | — | ✓ |
| HTML dashboard | — | ✓ |
| CI/CD recipes | — | ✓ |
| Price | Free | £4.99 one-time or £49/year |
Features
- Incremental scanning — scan only changed files with
--incremental(git diff) or--incremental-sha256(content hash) - Baseline diffing — freeze legacy debt with
--baseline baseline.json, only fail on new findings - Auto-fix — apply safe inline fixes with
--apply-fixes - AI triage — suppress test/mock/fixture false positives with
--ai-triage - Parallel workers — speed up large repos with
--parallel - Entropy scanning — detect hardcoded secrets in string literals with
--entropy ansede.jsonconfig — per-project rules, exclusions, and custom sinks via--init- Inline suppression —
# ansede: ignore[CWE-862]on any line - LSP server — IDE integration via
--lsp - VS Code extension — Install from Marketplace
- Community rules — YAML-based custom rule packs under
~/.ansede/community_rules/ - SBOM generation — CycloneDX and SPDX output with
--sbom - Offline CWE explanations — enriched finding descriptions with
--explain - HTML reports — interactive browser dashboard with
--format html
Comparison
| ansede-static | Bandit OSS | Semgrep OSS | CodeQL CLI | |
|---|---|---|---|---|
| CVE Recall | 98.8% | ~65% | ~72% | ~88% |
| FP Rate | 3.6% | ~45% | ~30% | ~12% |
| Offline (no network) | ✓ | ✓ | ✗ | ✗ |
| Zero dependencies | ✓ | ✗ | ✗ | ✗ |
| Single binary (.exe) | ✓ | ✗ | ✗ | ✗ |
| IDOR / Auth bypass | ✓ | ✗ | Partial | Partial |
| Languages | 5 | 1 | 20+ | 7 |
| Install size | <5 MB | ~15 MB | ~200 MB | ~600 MB |
| Speed (scan_file) | 0.02s/100k LOC | 0.5s | 3s | 10s |
Contributing
git clone https://github.com/mattybellx/Ansede.git
cd Ansede
pip install -e ".[dev]"
pytest tests/ -q
See CONTRIBUTING.md for guidelines, docs/writing-rules.md for building custom rules, and docs/zero-friction-ci-rollout.md for adoption playbooks.
Built with ❤️ by Matty Bell. MIT licensed. Zero telemetry. No cloud dependency.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file ansede_static-2.3.0.tar.gz.
File metadata
- Download URL: ansede_static-2.3.0.tar.gz
- Upload date:
- Size: 630.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.4
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
00e375979c2b056199bd6d67d5c4203d18f739c18382d750755786d0ccab162d
|
|
| MD5 |
cb4de7f1b76b2b2542bd42d89b3df898
|
|
| BLAKE2b-256 |
cf0ca898d66b8eb77a1d2c721c35f40c1283af163b3cd39bf0b268130e1cebb2
|
File details
Details for the file ansede_static-2.3.0-py3-none-any.whl.
File metadata
- Download URL: ansede_static-2.3.0-py3-none-any.whl
- Upload date:
- Size: 631.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.4
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
9e82ee90797a231ae7ba9f56dee8cae6a2f4f2c56a68f71524da32f04372f3b3
|
|
| MD5 |
7502d7734ca26b45c50f5d8df1bc5df9
|
|
| BLAKE2b-256 |
2a5f052efcbbe0223e03ab5fa1b226a592ee82769fcfef807385377ad1e649af
|