Skip to main content

Offline SAST for 5 languages — #1 CVE recall (100%), #2 OWASP score (+0.8% Youden), 93.3% OWASP recall. Detects IDOR, auth bypass, and injection flaws that Semgrep and CodeQL miss.

Project description

Ansede Static

Finds the vulnerabilities other SAST tools miss.
#1 CVE recall (100%) · 6 languages · 35+ CWE types · Fully offline
pip install ansede-static

CVE 100% OWASP 93% OWASP Score 6 langs MIT 1249 tests CI PyPI installs


Quick Start

pip install ansede-static
ansede-static src/                    # Scan a directory
ansede-static src/ --format sarif     # GitHub Code Scanning
ansede-static src/ --fail-on high     # CI gate (non-zero exit on findings)
ansede-static src/ --format html      # Interactive HTML report
ansede-static src/ --diff-only        # PR scan: only changed files (< 5s)
ansede-static src/ --suggest          # Adaptive rules: improve based on your codebase

No network, no API keys, no compilation. Just Python 3.9+ and rich.

Try the live playground → — no install required.


Why Ansede?

Most free SAST tools focus on injection bugs (SQLi, XSS). Ansede also catches the authorization flaws that cause real data breaches:

Bandit Semgrep CodeQL Ansede
SQL Injection, XSS
IDOR / Broken Access Control ✗* manual ✓ Built-in
Missing Auth on Routes ✗* manual ✓ Built-in
Ownership Bypass (CWE-285) ✓ Built-in
Offline / Air-gapped needs sync

*Possible with custom rules; no defaults ship.

@app.route("/invoice/<id>")
@login_required
def get_invoice(id):
    return Invoice.query.get(id)
    # ↑ CWE-639 IDOR: any user can view any invoice
    #   Bandit: silent. Semgrep: silent. Ansede: CRITICAL

Benchmarks

OWASP Benchmark v1.2 — 2,740 Java Tests

Tool Recall Score (Youden)
FBwFindSecBugs ~45% +35.8% 🥇
Ansede 6.0.0 93.3% 🥇 +0.8% 🥈
CodeQL ~30% ~-20%
Semgrep OSS ~20% ~-30%

#1 in recall. #2 in score. 9 of 11 categories at 100% TPR. Full scorecard →

CVE Recall — 164 Known Vulnerabilities

Language CVEs Found Recall
Python 68 68 100%
JavaScript 42 42 100%
Java 20 20 100%
C# 19 19 100%
Go 15 15 100%
Total 164 164 100%

Semgrep OSS finds 23% of the same corpus. CodeQL finds ~34%.

Real-World Scale

Scanned 58 open-source repos (21,871 files, 3.2M lines) with zero crashes. Detects 35+ CWE types. Average findings: ~0.11 per file on mature Apache/Google libraries.

Performance

Scenario Throughput
Single file ~0.05s
Batch (4 workers) 4–6 KLOC/s
Rust native grammars ~4,000 LOC/s

Comparison

Ansede Semgrep CodeQL FBwFindSec
CVE Recall 100% 🥇 23% 34% 40%
OWASP Recall 93% 🥇 20% 30% 45%
OWASP Score +0.8% 🥈 -30% -20% +36% 🥇
Languages 6 🥇 20+ 5+ 1
Auth/IDOR detection custom manual
Fully offline partial
Install pip install needs binary needs DB needs Java
IDE Plugins VS Code, IntelliJ, VS VS Code VS Code
Price Free + Pro Free Licensed Free

*Competitor OWASP figures from published scorecards. CVE recall from our 164-CVE benchmark.


Features

  • 35+ CWE types — SQLi, XSS, IDOR, auth bypass, SSRF, path traversal, command injection, hardcoded secrets, deserialization
  • 6 languages — Python, JavaScript/TypeScript, Go, Java, C#, Rust
  • Route-aware analysis — maps HTTP routes → auth guards → data sinks
  • Framework profiles — Spring, ASP.NET, Django, Express, Gin, Quarkus
  • Incident clustering — groups related findings, cuts noise ~49%
  • Confidence scoring — every finding rated 0–100%; low-signal results filtered by default
  • Guard detection — recognizes @login_required, if user.is_authenticated
  • Output formats — SARIF (GitHub Code Scanning), CycloneDX SBOM, HTML, JSON
  • CI/CD ready--diff-only PR scanning, --fail-on exit codes, --baseline
  • IDE plugins — inline diagnostics + one-click fixes in VS Code, IntelliJ IDEA, Visual Studio 2022

Adaptive Rules

Ansede learns from your codebase to reduce false positives over time:

ansede-static src/ --suggest          # Analyze gaps, propose new heuristics
ansede-static src/ --all-findings     # Override confidence filter — see everything
ansede-static src/ --min-confidence 0 # Same as --all-findings

After scanning multiple codebases, Ansede generates suppression rules that match your specific framework patterns — fully offline, no ML API required.


CI/CD Templates

Platform Template
GitHub Actions Built-in (uses: mattybellx/Ansede@v6.0.0)
GitLab CI docs/ci-templates/gitlab-ci.yml
Azure DevOps docs/ci-templates/azure-pipelines.yml
Jenkins docs/ci-templates/Jenkinsfile

GitHub Actions

Basic scan on push:

- uses: mattybellx/Ansede@v6.0.0
  with:
    path: src/
    fail-on: high
    upload-sarif: true
    post-pr-comments: true      # Inline review comments on every PR finding

Auto-scan + open PR with findings (try it on any repo):

# Copy ansede-scan-pr.yml to .github/workflows/
# Then trigger from Actions tab → "Ansede Security Scan + PR"
# Scans your code and opens a PR with the results

Copy the workflow template


Docs

Getting Started Installation and first scan
Benchmarks Full methodology and results
CI Integration GitHub Actions, GitLab CI, Jenkins
IDE Setup VS Code, IntelliJ, Visual Studio
Configuration All CLI flags and config options
Writing Rules Create custom detection rules
FAQ Common questions
Roadmap What's coming next
Changelog Version history

Contributing

git clone https://github.com/mattybellx/Ansede.git
cd Ansede
pip install -e ".[dev]"
pytest tests/ -q          # 1249 tests

PRs welcome. See CONTRIBUTING.md.


Ansede Static Results

## License

MIT · Matty Bell

Zero telemetry · Zero cloud · 100% offline · ⭐ Star on GitHub

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ansede_static-6.1.0.tar.gz (849.3 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

ansede_static-6.1.0-py3-none-any.whl (826.1 kB view details)

Uploaded Python 3

File details

Details for the file ansede_static-6.1.0.tar.gz.

File metadata

  • Download URL: ansede_static-6.1.0.tar.gz
  • Upload date:
  • Size: 849.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for ansede_static-6.1.0.tar.gz
Algorithm Hash digest
SHA256 0277239c8ad7ae0fb59bda5d373ed288a1c1be5ea65b403d6cb7a363a6401167
MD5 933af88751220129699bb30e8070e0cb
BLAKE2b-256 0d25d3d3c6d76f9a035e8c24b77af7456d358bf3b4919681ca2b67fa169312f4

See more details on using hashes here.

Provenance

The following attestation bundles were made for ansede_static-6.1.0.tar.gz:

Publisher: publish.yml on mattybellx/Ansede

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file ansede_static-6.1.0-py3-none-any.whl.

File metadata

  • Download URL: ansede_static-6.1.0-py3-none-any.whl
  • Upload date:
  • Size: 826.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for ansede_static-6.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 79db235082f79e3117aa84ed4df6a4f85fc767168c2ab23ebed1b9dce13dea9d
MD5 3940f78c704813d2fa75ddade373e5ac
BLAKE2b-256 66271130531c0fa48a7326d4cc75aca4ea2824fb8c10acb01f02a1fe9ba8ad72

See more details on using hashes here.

Provenance

The following attestation bundles were made for ansede_static-6.1.0-py3-none-any.whl:

Publisher: publish.yml on mattybellx/Ansede

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page