Skip to main content

AST-based SAST for Python and JavaScript — detects IDOR, auth bypass, and ownership flaws that Bandit misses.

Project description

Ansede Static — Offline SAST

Offline SAST engine.
pip install ansede-static  ·  Zero dependencies  ·  No telemetry

PyPI CI 100% recall 97.5% precision MIT


Quick Start

pip install ansede-static
ansede-static src/                        # scan a directory
ansede-static src/ --format sarif         # GitHub Code Scanning
ansede-static src/ --fail-on high         # CI gate
ansede-static src/ --incremental          # git-diff mode

Why ansede-static?

Most SAST tools find SQLi, command injection, and XSS. ansede-static finds the bugs they miss — broken access control, missing authentication, and IDOR — by modeling routes, auth guards, and ownership patterns at the AST level.

@app.route("/invoice/<invoice_id>")
@login_required
def get_invoice(invoice_id):
    return db.execute("SELECT * FROM invoices WHERE id = ?", (invoice_id,))
    # → CWE-639 IDOR: any user can see any invoice
    # Bandit/Semgrep OSS: silent.  ansede: CRITICAL
@app.route("/admin/users")
def list_users():
    return User.query.all()
    # → CWE-862: unauthenticated admin access
    # Bandit/Semgrep OSS: silent.  ansede: HIGH

Benchmarks

Metric Result
CVE recall (115/115 synthetic) 100%
CVE precision 97.5%
Quality benchmark 63/63 checks (100%)
Real repos scanned 35/35 — 12,372 files, 1.76M LOC, 71 MB
CWE types detected 35+
Languages Python, JS/TS, Go, Java, C#
Zero failures ✅ across all 35 repos
Zero dependencies ✅ pure Python stdlib

Full details in BENCHMARKS.md.

Who is it for?

  • Developers who want a pip install-and-scan experience
  • CI/CD pipelines that need SARIF output and fail-on gates
  • Security teams tired of triaging the same noise from heavier tools

GitHub Action

- uses: mattybellx/Ansede@v2.3.2
  with:
    path: src/
    fail-on: high
    upload-sarif: true

Features

Incremental--incremental (git diff) or --incremental-sha256 for monorepos
Baseline — freeze legacy debt with --baseline baseline.json
Clustering — 49% finding reduction via incident merging
AI triage — optional local Ollama integration for auto-classification
IDE plugins — VS Code, IntelliJ IDEA, Visual Studio 2022
Outputs — SARIF, JSON, HTML, SBOM, plain text

Contributing

git clone https://github.com/mattybellx/Ansede.git
cd Ansede
pip install -e ".[dev]"
pytest tests/ -q

MIT licensed · Zero telemetry · No cloud dependency · Built by Matty Bell

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ansede_static-2.3.2.tar.gz (688.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

ansede_static-2.3.2-py3-none-any.whl (679.0 kB view details)

Uploaded Python 3

File details

Details for the file ansede_static-2.3.2.tar.gz.

File metadata

  • Download URL: ansede_static-2.3.2.tar.gz
  • Upload date:
  • Size: 688.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for ansede_static-2.3.2.tar.gz
Algorithm Hash digest
SHA256 94f194fdd2a23032667bf85fc27719d5692ac23f9db2058b208bc7de6a3c7964
MD5 612fbe428ed46078d3da3bf66decc9fc
BLAKE2b-256 f2787dbbcec00d9d0bfc61d61e489324e96a34d1db21da2c12a0fa0841b2173a

See more details on using hashes here.

Provenance

The following attestation bundles were made for ansede_static-2.3.2.tar.gz:

Publisher: publish.yml on mattybellx/Ansede

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file ansede_static-2.3.2-py3-none-any.whl.

File metadata

  • Download URL: ansede_static-2.3.2-py3-none-any.whl
  • Upload date:
  • Size: 679.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for ansede_static-2.3.2-py3-none-any.whl
Algorithm Hash digest
SHA256 d4a3ccab744a9555803db1463d3855ae029bc0bd84fa9485f969e37e0924d43e
MD5 e44994f09db24c06363c662b06f2bda8
BLAKE2b-256 fa92827987f8f3d3ab5392cd2f27269ed4373cbc72feda133d4fd18a933154bd

See more details on using hashes here.

Provenance

The following attestation bundles were made for ansede_static-2.3.2-py3-none-any.whl:

Publisher: publish.yml on mattybellx/Ansede

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page