Skip to main content

AST-based SAST for Python and JavaScript — detects IDOR, auth bypass, and ownership flaws that Bandit misses.

Project description

Ansede Static — Offline SAST Engine

The offline SAST engine that finds what others miss.
Rust-accelerated fast path · 0.02s per 100k LOC · Zero external network dependencies
pip install ansede-static  ·  No telemetry  ·  Fully offline

PyPI CI CVE Recall 98.8% 96.4% precision 7 languages MIT

Quick Start · Why Ansede? · Benchmarks · Comparison · Features · IDE Support · Docs


Quick Start

pip install ansede-static
ansede-static src/                         # Scan a directory
ansede-static src/ --format sarif          # GitHub Code Scanning SARIF
ansede-static --batch "src/ tests/"        # Batch API — multi-path scan
ansede-static src/ --fail-on high          # CI gate
ansede-static src/ --incremental           # git-diff mode

Zero-dependency binary also available — download the standalone executable from Releases.


Why Ansede?

Ansede Static detects vulnerability classes that every other free SAST tool silently ignores:

Vulnerability Bandit Semgrep OSS CodeQL Ansede
SQL Injection
XSS ~ limited
IDOR (CWE-639) ✗* ~ manual ✓ AST-native
Missing Auth (CWE-862) ✗* ~ manual ✓ AST-native
Ownership Bypass (CWE-285) ✗* ✓ AST-native
Route-level Auth Analysis ✓ Built-in
Offline-First ~ needs sync ✗ SaaS ✓ Fully offline
Zero External Network Dependencies ✓ Offline-first runtime

*Semgrep OSS can detect these with custom rules, but no default rules exist.

@app.route("/invoice/<invoice_id>")
@login_required
def get_invoice(invoice_id):
    return db.execute("SELECT * FROM invoices WHERE id = ?", (invoice_id,))
    # → CWE-639 IDOR: any authenticated user can view any invoice
    # Bandit / Semgrep OSS: silent.  Ansede: CRITICAL
@app.route("/admin/users")
def list_users():
    return User.query.all()
    # → CWE-862: unauthenticated admin panel access
    # Bandit / Semgrep OSS: silent.  Ansede: HIGH

Benchmarks

NVD CVE Recall (Synthetic Corpus)

Language Cases Detected Recall
Python 55 55 100%
JavaScript 31 31 100%
Go 7 7 100%
Java 12 12 100%
C# 10 10 100%
Total 115 115 100%

Real-World Open-Source Validation (35 repos, 71 MB)

Metric Value
Repos scanned 35/35 (0 failures)
Files scanned 12,372
Lines scanned 1,759,954
CWE types detected 35+
Cluster-adjusted NQ 1.28 findings/kLOC
CVE precision 96.4%

Web-Wild & Honest Metrics

Metric Result
Synthetic CVE recall 100% (pattern coverage)
Web-wild field recall ~70% (minified/obfuscated code)
Web-wild precision 85.7%
Phase 4 bridge Source-map resolution in active development

Transparency commitment: 100% synthetic CVE recall measures pattern coverage — not field performance. Web-wild recall on minified/obfuscated code is ~70%. The Phase 4 roadmap (source-map resolution, symbolic guards) bridges this gap. No cherry-picked metrics. Full methodology in docs/BENCHMARKS.md.

Performance

Scenario Throughput
Rust fast-path (trivially clean files) ~0.02s per 100k LOC
Small repos (≤2 MB, 4 workers) 4.05 KLOC/s
Medium repos (2–10 MB, 4 workers) 2.03 KLOC/s
Single-file scan ~0.01–0.05s

Comparison

Feature Ansede Static Semgrep OSS CodeQL
NVD CVE Recall 98.8% ~70%* ~85%*
IDOR / Auth Bypass ✓ Native AST ✗ No default rules ~ Manual QL
Incident Clustering ✓ 49% noise reduction
Offline-First ✓ Fully ~ Needs rule sync ✗ SaaS-only
Zero Dep Install pip install ✗ Requires semgrep ✗ DB build req.
SBOM Output ✓ CycloneDX/SPDX
SARIF ✓ Free tier
LLM Triage ✓ (local Ollama)
IDE Plugins VS Code, IntelliJ, VS VS Code only VS Code only
Price Free + Pro Free + Managed SaaS-licensed

*Estimated based on default rule coverage. Exact figures vary by deployment.


Features

Detection Engine

  • 35+ CWE types — SQLi, XSS, IDOR, auth bypass, CSRF, SSRF, path traversal, code injection, hardcoded secrets, ReDoS, and more
  • Interprocedural taint analysis — follows data flow across function boundaries
  • Route-aware auth modeling — maps routes → guards → sinks → ownership patterns
  • Symbolic guard suppression — recognizes if user.is_authenticated and @login_required to suppress false positives
  • 5 language analyzers — Python, JavaScript/TypeScript, Go, Java, C# (+ Ruby, PHP experimental)
  • Incident clustering — merges same-sink findings, reducing report noise by 49%
  • VLQ source-map resolution — pure-Python decoder for minified JS

CI/CD & DevOps

  • GitHub Action — native SARIF upload for GitHub Code Scanning
  • --incremental — git-diff mode for sub-second PR checks
  • --incremental-sha256 — SHA-256 cache for monorepo reuse
  • --baseline — freeze legacy findings, only flag new vulnerabilities
  • --fail-on — severity-gated exit codes for pipeline enforcement
  • --batch — multi-path batch API with parallel workers

Output Formats

  • SARIF 2.1.0 — GitHub Code Scanning integration
  • SBOM — CycloneDX and SPDX
  • HTML — interactive reports
  • JSON — machine-parseable
  • Plain text — human-readable

Intelligence

  • LLM-assisted triage — local Ollama integration (no cloud) auto-classifies findings at 95.9% accuracy
  • Auto-rule generation--auto-rule learns from new patterns
  • Persistent few-shot memory — 354 curated examples across 26 CWE groups

IDE Support

IDE Status Install
VS Code ✓ Published Marketplace
IntelliJ IDEA ✓ Beta Plugin from releases
Visual Studio 2022 ✓ Beta VSIX from releases

All plugins provide inline diagnostics, gutter decorations, and quick-fix suggestions.


GitHub Action

- uses: mattybellx/Ansede@v2.3.2
  with:
    path: src/
    fail-on: high
    upload-sarif: true

Documentation

Resource Link
Full Benchmarks docs/BENCHMARKS.md
Roadmap docs/ROADMAP.md
Architecture docs/interprocedural-taint-analysis.md
IDE Plugin Architecture docs/ide-plugin-architecture.md
Community Rule Guide docs/community-rule-conversion-guide.md
Writing Rules docs/writing-rules.md
Changelog CHANGELOG.md
Security Policy SECURITY.md

Contributing

git clone https://github.com/mattybellx/Ansede.git
cd Ansede
pip install -e ".[dev]"
pytest tests/ -q

See CONTRIBUTING.md for guidelines. All contributions welcome — rules, analyzers, docs, tests.


License

MIT licensed. Built by Matty Bell.

Zero telemetry · Zero cloud dependency · Completely offline · Star on GitHub

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ansede_static-4.0.0.tar.gz (714.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

ansede_static-4.0.0-py3-none-any.whl (697.9 kB view details)

Uploaded Python 3

File details

Details for the file ansede_static-4.0.0.tar.gz.

File metadata

  • Download URL: ansede_static-4.0.0.tar.gz
  • Upload date:
  • Size: 714.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for ansede_static-4.0.0.tar.gz
Algorithm Hash digest
SHA256 69c0526ecd52c5b105b7836fab8352603f0a0bc683e7791716a5e4996ded7f93
MD5 c4c2e9ebb9052e2723dce27f765fe34c
BLAKE2b-256 3600373f328b0404ac436b9566ce64e1786389c3f6594c3904ddad019ed0b707

See more details on using hashes here.

Provenance

The following attestation bundles were made for ansede_static-4.0.0.tar.gz:

Publisher: publish.yml on mattybellx/Ansede

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file ansede_static-4.0.0-py3-none-any.whl.

File metadata

  • Download URL: ansede_static-4.0.0-py3-none-any.whl
  • Upload date:
  • Size: 697.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for ansede_static-4.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 93340def0196c01ec99323bf3730859558e444addc8e74f3cb98477276f93f65
MD5 0d7e09aca724aafc7901fac806cb2819
BLAKE2b-256 ee2bea0ce00116d359b7a462515424d3f08fe6c7ffe8528bafa40aca07e95ed2

See more details on using hashes here.

Provenance

The following attestation bundles were made for ansede_static-4.0.0-py3-none-any.whl:

Publisher: publish.yml on mattybellx/Ansede

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page