AST-based SAST for Python and JavaScript — detects IDOR, auth bypass, and ownership flaws that Bandit misses.
Project description
Offline SAST engine.
pip install ansede-static · Zero dependencies · No telemetry
Quick Start
pip install ansede-static
ansede-static src/ # scan a directory
ansede-static src/ --format sarif # GitHub Code Scanning
ansede-static src/ --fail-on high # CI gate
ansede-static src/ --incremental # git-diff mode
Why ansede-static?
Most SAST tools find SQLi, command injection, and XSS. ansede-static finds the bugs they miss — broken access control, missing authentication, and IDOR — by modeling routes, auth guards, and ownership patterns at the AST level.
@app.route("/invoice/<invoice_id>")
@login_required
def get_invoice(invoice_id):
return db.execute("SELECT * FROM invoices WHERE id = ?", (invoice_id,))
# → CWE-639 IDOR: any user can see any invoice
# Bandit/Semgrep OSS: silent. ansede: CRITICAL
@app.route("/admin/users")
def list_users():
return User.query.all()
# → CWE-862: unauthenticated admin access
# Bandit/Semgrep OSS: silent. ansede: HIGH
Benchmarks
| Metric | Result |
|---|---|
| CVE recall (115/115 synthetic) | 100% |
| CVE precision | 97.5% |
| Quality benchmark | 63/63 checks (100%) |
| Real repos scanned | 35/35 — 12,372 files, 1.76M LOC, 71 MB |
| CWE types detected | 35+ |
| Languages | Python, JS/TS, Go, Java, C# |
| Zero failures | ✅ across all 35 repos |
| Zero dependencies | ✅ pure Python stdlib |
Full details in BENCHMARKS.md.
Who is it for?
- Developers who want a
pip install-and-scan experience - CI/CD pipelines that need SARIF output and fail-on gates
- Security teams tired of triaging the same noise from heavier tools
GitHub Action
- uses: mattybellx/Ansede@v2.3.2
with:
path: src/
fail-on: high
upload-sarif: true
Features
Incremental — --incremental (git diff) or --incremental-sha256 for monorepos
Baseline — freeze legacy debt with --baseline baseline.json
Clustering — 49% finding reduction via incident merging
AI triage — optional local Ollama integration for auto-classification
IDE plugins — VS Code, IntelliJ IDEA, Visual Studio 2022
Outputs — SARIF, JSON, HTML, SBOM, plain text
Contributing
git clone https://github.com/mattybellx/Ansede.git
cd Ansede
pip install -e ".[dev]"
pytest tests/ -q
MIT licensed · Zero telemetry · No cloud dependency · Built by Matty Bell
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file ansede_static-2.3.2.tar.gz.
File metadata
- Download URL: ansede_static-2.3.2.tar.gz
- Upload date:
- Size: 688.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
94f194fdd2a23032667bf85fc27719d5692ac23f9db2058b208bc7de6a3c7964
|
|
| MD5 |
612fbe428ed46078d3da3bf66decc9fc
|
|
| BLAKE2b-256 |
f2787dbbcec00d9d0bfc61d61e489324e96a34d1db21da2c12a0fa0841b2173a
|
Provenance
The following attestation bundles were made for ansede_static-2.3.2.tar.gz:
Publisher:
publish.yml on mattybellx/Ansede
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
ansede_static-2.3.2.tar.gz -
Subject digest:
94f194fdd2a23032667bf85fc27719d5692ac23f9db2058b208bc7de6a3c7964 - Sigstore transparency entry: 1656566279
- Sigstore integration time:
-
Permalink:
mattybellx/Ansede@0ec1c0685194ddf5f20414d680247f794eda6182 -
Branch / Tag:
refs/heads/master - Owner: https://github.com/mattybellx
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@0ec1c0685194ddf5f20414d680247f794eda6182 -
Trigger Event:
workflow_run
-
Statement type:
File details
Details for the file ansede_static-2.3.2-py3-none-any.whl.
File metadata
- Download URL: ansede_static-2.3.2-py3-none-any.whl
- Upload date:
- Size: 679.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d4a3ccab744a9555803db1463d3855ae029bc0bd84fa9485f969e37e0924d43e
|
|
| MD5 |
e44994f09db24c06363c662b06f2bda8
|
|
| BLAKE2b-256 |
fa92827987f8f3d3ab5392cd2f27269ed4373cbc72feda133d4fd18a933154bd
|
Provenance
The following attestation bundles were made for ansede_static-2.3.2-py3-none-any.whl:
Publisher:
publish.yml on mattybellx/Ansede
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
ansede_static-2.3.2-py3-none-any.whl -
Subject digest:
d4a3ccab744a9555803db1463d3855ae029bc0bd84fa9485f969e37e0924d43e - Sigstore transparency entry: 1656566467
- Sigstore integration time:
-
Permalink:
mattybellx/Ansede@0ec1c0685194ddf5f20414d680247f794eda6182 -
Branch / Tag:
refs/heads/master - Owner: https://github.com/mattybellx
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@0ec1c0685194ddf5f20414d680247f794eda6182 -
Trigger Event:
workflow_run
-
Statement type: