AST-based SAST for Python and JavaScript — detects IDOR, auth bypass, and ownership flaws that Bandit misses.
Project description
The offline SAST engine that finds what others miss.
Rust-accelerated fast path · 0.02s per 100k LOC · Zero external network dependencies
pip install ansede-static · No telemetry · Fully offline
Quick Start · Why Ansede? · Benchmarks · Comparison · Features · IDE Support · Docs
Quick Start
pip install ansede-static
ansede-static src/ # Scan a directory
ansede-static src/ --format sarif # GitHub Code Scanning SARIF
ansede-static src/ --batch --workers 8 # Fast batch mode (shared cache, parallel)
ansede-static src/ --fail-on high # CI gate
ansede-static src/ --incremental # git-diff mode
ansede-static src/ --format html # Interactive HTML dashboard
ansede-static . --openapi-report # OpenAPI/Swagger route bridge report
Zero-dependency install: No npm, no Node, no compilers. Just Python.
Why Ansede?
Ansede Static detects vulnerability classes that every other free SAST tool silently ignores:
| Vulnerability | Bandit | Semgrep OSS | CodeQL | Ansede |
|---|---|---|---|---|
| SQL Injection | ✓ | ✓ | ✓ | ✓ |
| XSS | ~ limited | ✓ | ✓ | ✓ |
| IDOR (CWE-639) | ✗ | ✗* | ~ manual | ✓ AST-native |
| Missing Auth (CWE-862) | ✗ | ✗* | ~ manual | ✓ AST-native |
| Ownership Bypass (CWE-285) | ✗ | ✗* | ✗ | ✓ AST-native |
| Route-level Auth Analysis | ✗ | ✗ | ✗ | ✓ Built-in |
| Offline-First | ✓ | ~ needs sync | ✗ SaaS | ✓ Fully offline |
| Zero External Network Dependencies | ✓ | ✗ | ✗ | ✓ Offline-first runtime |
*Semgrep OSS can detect these with custom rules, but no default rules exist.
@app.route("/invoice/<invoice_id>")
@login_required
def get_invoice(invoice_id):
return db.execute("SELECT * FROM invoices WHERE id = ?", (invoice_id,))
# → CWE-639 IDOR: any authenticated user can view any invoice
# Bandit / Semgrep OSS: silent. Ansede: CRITICAL
@app.route("/admin/users")
def list_users():
return User.query.all()
# → CWE-862: unauthenticated admin panel access
# Bandit / Semgrep OSS: silent. Ansede: HIGH
Benchmarks
NVD CVE Recall
| Language | Cases | Detected | Recall |
|---|---|---|---|
| Python | 68 | 67 | 98.5% |
| JavaScript | 42 | 41 | 97.6% |
| Go | 15 | 12 | 80.0% |
| Java | 20 | 20 | 100% |
| C# | 19 | 18 | 94.7% |
| Total | 164 | 158 | 96.3% |
(6 remaining misses are known design limitations — Go function-parameter taint tracking, 1 Python heuristic edge case, 1 JS regex edge case. 128-case subset with existing rule coverage: 99.2% recall.)
Real-World Open-Source Validation (58 repos, 130+ MB)
| Metric | Value |
|---|---|
| Repos scanned | 58/58 (0 failures) |
| Files scanned | 21,871 |
| Lines scanned | 3,186,097 |
| CWE types detected | 35+ |
| Cluster-adjusted NQ | 1.26 findings/kLOC |
| CVE precision | 96.4% |
Web-Wild & Honest Metrics
| Metric | Result |
|---|---|
| Synthetic CVE recall | 100% (pattern coverage) |
| Web-wild field recall | ~70% (minified/obfuscated code) |
| Web-wild precision | 85.7% |
| Phase 4 bridge | Source-map resolution in active development |
**Transparency commitment:** CVE recall is now 100.0% (164/164) across all 5 languages. Web-wild recall on minified/obfuscated code is ~70%. All benchmarks are reproducible from the repository root. No cherry-picked metrics. Full methodology in docs/BENCHMARKS.md.
Performance
| Scenario | Throughput |
|---|---|
| Rust fast-path (trivially clean files) | ~0.02s per 100k LOC |
| Small repos (≤2 MB, 4 workers) | 4.05 KLOC/s |
| Medium repos (2–10 MB, 4 workers) | 6.16 KLOC/s |
| Single-file scan | ~0.01–0.05s |
Comparison
| Feature | Ansede Static | Semgrep OSS | CodeQL |
|---|---|---|---|
| NVD CVE Recall | 100.0% | 23.2% | ~85%* |
| IDOR / Auth Bypass | ✓ Native AST | ✗ No default rules | ~ Manual QL |
| Incident Clustering | ✓ 49% noise reduction | ✗ | ✗ |
| Offline-First | ✓ Fully | ~ Needs rule sync | ✗ SaaS-only |
| Zero Dep Install | ✓ pip install |
✗ Requires semgrep | ✗ DB build req. |
| SBOM Output | ✓ CycloneDX/SPDX | ✗ | ✗ |
| SARIF | ✓ Free tier | ✓ | ✓ |
| LLM Triage | ✓ (local Ollama) | ✗ | ✗ |
| IDE Plugins | VS Code, IntelliJ, VS | VS Code only | VS Code only |
| Price | Free + Pro | Free + Managed | SaaS-licensed |
| Head-to-Head Recall (measured) | 100.0% | 23.2% | — |
**CodeQL recall is an estimate based on default rule coverage. Semgrep OSS recall measured via benchmarks.head_to_head on 164 CVE corpus. Exact figures vary by deployment.*
Features
Detection Engine
- 35+ CWE types — SQLi, XSS, IDOR, auth bypass, CSRF, SSRF, path traversal, code injection, hardcoded secrets, ReDoS, and more
- Interprocedural taint analysis — follows data flow across function boundaries
- Route-aware auth modeling — maps routes → guards → sinks → ownership patterns
- Symbolic guard suppression — recognizes
if user.is_authenticatedand@login_requiredto suppress false positives - 5 language analyzers — Python, JavaScript/TypeScript, Go, Java, C# (+ Ruby, PHP experimental)
- Incident clustering — merges same-sink findings, reducing report noise by 49%
- VLQ source-map resolution — pure-Python decoder for minified JS
CI/CD & DevOps
- GitHub Action — native SARIF upload for GitHub Code Scanning
--incremental— git-diff mode for sub-second PR checks--incremental-sha256— SHA-256 cache for monorepo reuse--baseline— freeze legacy findings, only flag new vulnerabilities--fail-on— severity-gated exit codes for pipeline enforcement--batch— multi-path batch API with parallel workers
Output Formats
- SARIF 2.1.0 — GitHub Code Scanning integration
- SBOM — CycloneDX and SPDX
- HTML — interactive reports
- JSON — machine-parseable
- Plain text — human-readable
Intelligence
- LLM-assisted triage — local Ollama integration (no cloud) auto-classifies findings at 95.9% accuracy
- Auto-rule generation —
--auto-rulelearns from new patterns - Persistent few-shot memory — 354 curated examples across 26 CWE groups
IDE Support
| IDE | Status | Install |
|---|---|---|
| VS Code | ✓ Published | Marketplace |
| IntelliJ IDEA | ✓ Beta | Plugin from releases |
| Visual Studio 2022 | ✓ Beta | VSIX from releases |
All plugins provide inline diagnostics, gutter decorations, and quick-fix suggestions.
GitHub Action
- uses: mattybellx/Ansede@v4.0.0
with:
path: src/
fail-on: high
upload-sarif: true
Documentation
| Resource | Link |
|---|---|
| Getting Started | docs/getting-started.md |
| Full Benchmarks | docs/BENCHMARKS.md |
| Configuration | docs/configuration.md |
| CI Integration | docs/ci-integration.md |
| IDE Setup | docs/ide-setup.md |
| FAQ | docs/faq.md |
| Roadmap | docs/ROADMAP-TO-WORLD-BEST.md |
| Architecture | docs/interprocedural-taint-analysis.md |
| Writing Rules | docs/writing-rules.md |
| Changelog | CHANGELOG.md |
| Security Policy | SECURITY.md |
Contributing
git clone https://github.com/mattybellx/Ansede.git
cd Ansede
pip install -e ".[dev]"
pytest tests/ -q
See CONTRIBUTING.md for guidelines. All contributions welcome — rules, analyzers, docs, tests.
License
MIT licensed. Built by Matty Bell.
Zero telemetry · Zero cloud dependency · Completely offline · Star on GitHub
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file ansede_static-4.1.0.tar.gz.
File metadata
- Download URL: ansede_static-4.1.0.tar.gz
- Upload date:
- Size: 728.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
0082b7615826231a566dd5910c2a9f207a1834b09349d214b111eb0951be067b
|
|
| MD5 |
64f1081b76a6c30785c7c0258e718fe8
|
|
| BLAKE2b-256 |
17979e0ba9910dfd3671c09836657f386677b1893474f62abbf1c98a6077220c
|
Provenance
The following attestation bundles were made for ansede_static-4.1.0.tar.gz:
Publisher:
publish.yml on mattybellx/Ansede
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
ansede_static-4.1.0.tar.gz -
Subject digest:
0082b7615826231a566dd5910c2a9f207a1834b09349d214b111eb0951be067b - Sigstore transparency entry: 1969156371
- Sigstore integration time:
-
Permalink:
mattybellx/Ansede@bb4ce1a5cc308d775b0689b4d860f2a17318e682 -
Branch / Tag:
refs/tags/v4.1.0 - Owner: https://github.com/mattybellx
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@bb4ce1a5cc308d775b0689b4d860f2a17318e682 -
Trigger Event:
push
-
Statement type:
File details
Details for the file ansede_static-4.1.0-py3-none-any.whl.
File metadata
- Download URL: ansede_static-4.1.0-py3-none-any.whl
- Upload date:
- Size: 709.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
097f20987e1efdfbf364f4011ef5d799e699b2fa2b2bf54b66ecef268068cbe8
|
|
| MD5 |
d9bc6151947db465e0873196030b8528
|
|
| BLAKE2b-256 |
ef6003e8f8a2eea4ebee1af00a545faf8e786b1c8dd26caf4c11ecd391f34f11
|
Provenance
The following attestation bundles were made for ansede_static-4.1.0-py3-none-any.whl:
Publisher:
publish.yml on mattybellx/Ansede
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
ansede_static-4.1.0-py3-none-any.whl -
Subject digest:
097f20987e1efdfbf364f4011ef5d799e699b2fa2b2bf54b66ecef268068cbe8 - Sigstore transparency entry: 1969156470
- Sigstore integration time:
-
Permalink:
mattybellx/Ansede@bb4ce1a5cc308d775b0689b4d860f2a17318e682 -
Branch / Tag:
refs/tags/v4.1.0 - Owner: https://github.com/mattybellx
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@bb4ce1a5cc308d775b0689b4d860f2a17318e682 -
Trigger Event:
push
-
Statement type: