Skip to main content

Offline SAST for 5 languages — #1 CVE recall (100%), #2 OWASP score (+0.8% Youden), 93.3% OWASP recall. Detects IDOR, auth bypass, and injection flaws that Semgrep and CodeQL miss.

Project description

Ansede Static

Finds the vulnerabilities other SAST tools miss.
#1 CVE recall (100%) · 6 languages · 35+ CWE types · Fully offline
pip install ansede-static

CVE 100% OWASP 93% OWASP Score 6 langs MIT 1239 tests CI PyPI installs


Quick Start

pip install ansede-static
ansede-static src/                    # Scan a directory
ansede-static src/ --format sarif     # GitHub Code Scanning
ansede-static src/ --fail-on high     # CI gate (non-zero exit on findings)
ansede-static src/ --format html      # Interactive HTML report
ansede-static src/ --diff-only        # PR scan: only changed files (< 5s)
ansede-static src/ --suggest          # Adaptive rules: improve based on your codebase

No network, no API keys, no compilation. Just Python 3.9+ and rich.

Try the live playground → — no install required.


Why Ansede?

Most free SAST tools focus on injection bugs (SQLi, XSS). Ansede also catches the authorization flaws that cause real data breaches:

Bandit Semgrep CodeQL Ansede
SQL Injection, XSS
IDOR / Broken Access Control ✗* manual ✓ Built-in
Missing Auth on Routes ✗* manual ✓ Built-in
Ownership Bypass (CWE-285) ✓ Built-in
Offline / Air-gapped needs sync

*Possible with custom rules; no defaults ship.

@app.route("/invoice/<id>")
@login_required
def get_invoice(id):
    return Invoice.query.get(id)
    # ↑ CWE-639 IDOR: any user can view any invoice
    #   Bandit: silent. Semgrep: silent. Ansede: CRITICAL

Benchmarks

OWASP Benchmark v1.2 — 2,740 Java Tests

Tool Recall Score (Youden)
FBwFindSecBugs ~45% +35.8% 🥇
Ansede 6.0.0 93.3% 🥇 +0.8% 🥈
CodeQL ~30% ~-20%
Semgrep OSS ~20% ~-30%

#1 in recall. #2 in score. 9 of 11 categories at 100% TPR. Full scorecard →

CVE Recall — 164 Known Vulnerabilities

Language CVEs Found Recall
Python 68 68 100%
JavaScript 42 42 100%
Java 20 20 100%
C# 19 19 100%
Go 15 15 100%
Total 164 164 100%

Semgrep OSS finds 23% of the same corpus. CodeQL finds ~34%.

Precision (v6.2.2)

Metric Score
Blind audit (400 snippets, 4 runs) ~90% recall, ~97% precision
Real GitHub repos (22 repos, 1,027 files) 0 crashes
CRITICAL on safe parameterized SQL 0 (eliminated)
Test/benchmark/tutorial FP suppression 96% reduction
Quality corpus 56 cases, 96/96 checks (100%)

Real-World Scale

Scanned 58 open-source repos (21,871 files, 3.2M lines) with zero crashes. Detects 35+ CWE types. Average findings: ~0.11 per file on mature Apache/Google libraries.

Performance

Scenario Throughput
Single file ~0.05s
Batch (4 workers) 4–6 KLOC/s
Rust native grammars ~4,000 LOC/s

Comparison

Ansede Semgrep CodeQL FBwFindSec
CVE Recall 100% 🥇 23% 34% 40%
OWASP Recall 93% 🥇 20% 30% 45%
OWASP Score +0.8% 🥈 -30% -20% +36% 🥇
Languages 6 🥇 20+ 5+ 1
Auth/IDOR detection custom manual
Fully offline partial
Install pip install needs binary needs DB needs Java
IDE Plugins VS Code, IntelliJ, VS VS Code VS Code
Price Free + Pro Free Licensed Free

*Competitor OWASP figures from published scorecards. CVE recall from our 164-CVE benchmark.


Features

  • 35+ CWE types — SQLi, XSS, IDOR, auth bypass, SSRF, path traversal, command injection, hardcoded secrets, deserialization
  • 6 languages — Python, JavaScript/TypeScript, Go, Java, C#, Rust
  • Route-aware analysis — maps HTTP routes → auth guards → data sinks
  • Framework profiles — Spring, ASP.NET, Django, Express, Gin, Quarkus
  • Incident clustering — groups related findings, cuts noise ~49%
  • Confidence scoring — every finding rated 0–100%; low-signal results filtered by default
  • Guard detection — recognizes @login_required, @PreAuthorize, [Authorize], Go middleware, HMAC webhooks
  • Test-context awareness — automatically suppresses findings in test/benchmark/tutorial files (96% FP reduction)
  • Output formats — SARIF (GitHub Code Scanning), CycloneDX SBOM, HTML, JSON
  • CI/CD ready--diff-only PR scanning, --fail-on exit codes, --baseline
  • IDE plugins — inline diagnostics + one-click fixes in VS Code, IntelliJ IDEA, Visual Studio 2022

Adaptive Rules

Ansede learns from your codebase to reduce false positives over time:

ansede-static src/ --suggest          # Analyze gaps, propose new heuristics
ansede-static src/ --all-findings     # Override confidence filter — see everything
ansede-static src/ --min-confidence 0 # Same as --all-findings

After scanning multiple codebases, Ansede generates suppression rules that match your specific framework patterns — fully offline, no ML API required.


CI/CD Templates

Platform Template
GitHub Actions Built-in (uses: mattybellx/Ansede@v6.2.0)
GitLab CI docs/ci-templates/gitlab-ci.yml
Azure DevOps docs/ci-templates/azure-pipelines.yml
Jenkins docs/ci-templates/Jenkinsfile

GitHub Actions

Basic scan on push:

- uses: mattybellx/Ansede@v6.2.0
  with:
    path: src/
    fail-on: high
    upload-sarif: true
    post-pr-comments: true      # Inline review comments on every PR finding

Auto-scan + open PR with findings (try it on any repo):

# Copy ansede-scan-pr.yml to .github/workflows/
# Then trigger from Actions tab → "Ansede Security Scan + PR"
# Scans your code and opens a PR with the results

Copy the workflow template


Docs

Getting Started Installation and first scan
Benchmarks Full methodology and results
CI Integration GitHub Actions, GitLab CI, Jenkins
IDE Setup VS Code, IntelliJ, Visual Studio
Configuration All CLI flags and config options
Writing Rules Create custom detection rules
FAQ Common questions
Roadmap What's coming next
Changelog Version history

Contributing

git clone https://github.com/mattybellx/Ansede.git
cd Ansede
pip install -e ".[dev]"
pytest tests/ -q          # 1249 tests

PRs welcome. See CONTRIBUTING.md.


Ansede Static Results

## License

MIT · Matty Bell

Zero telemetry · Zero cloud · 100% offline · ⭐ Star on GitHub

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ansede_static-6.2.2.tar.gz (863.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

ansede_static-6.2.2-py3-none-any.whl (835.5 kB view details)

Uploaded Python 3

File details

Details for the file ansede_static-6.2.2.tar.gz.

File metadata

  • Download URL: ansede_static-6.2.2.tar.gz
  • Upload date:
  • Size: 863.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.4

File hashes

Hashes for ansede_static-6.2.2.tar.gz
Algorithm Hash digest
SHA256 d83182f9b6dc966afa1f14fb0a73763af354c95107fdaea069c528c11fb81ed0
MD5 a0776504f0561d2aad5f7cbbbf6f8ce5
BLAKE2b-256 5b1955162cdae0e05cef80b447e192dd9785c51237fce5c3ec601704c52f833c

See more details on using hashes here.

File details

Details for the file ansede_static-6.2.2-py3-none-any.whl.

File metadata

  • Download URL: ansede_static-6.2.2-py3-none-any.whl
  • Upload date:
  • Size: 835.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.4

File hashes

Hashes for ansede_static-6.2.2-py3-none-any.whl
Algorithm Hash digest
SHA256 55f24f9462027525ebb7336eeb1773af003644b48a144afe178cc190440b63ca
MD5 fe538c7c9b686422b8cb68a79749b7cd
BLAKE2b-256 076b25de6f5eeca31b2f17369156f42f2ae403b872b4fed379e4c016c54b236b

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page