Offline SAST for 5 languages — 100% precision, 1,266 tests. Detects IDOR, auth bypass, injection flaws, hardcoded secrets, prototype pollution, and 28+ CWE categories missed by Semgrep and CodeQL.
Project description
🔍 Ansede Static · v6.3.0
World's first open-source SAST with CWE-639 IDOR detection.
100% CVE recall · 91.4% vuln detection · 0.04 findings/kLOC on production code
Finds the authorization flaws Semgrep, CodeQL, and Bandit miss.
pip install ansede-static && ansede-static src/
🚀 Try It Right Now — No Install
→ ansede.onrender.com/scan ←
Paste code, click Scan, see results in seconds. No signup. No install. Fully free.
Why Ansede?
| Capability | Ansede | Semgrep | CodeQL |
|---|---|---|---|
| CVE Recall | 100% (164/164) | ~23% | ~34% |
| CWE-639 IDOR | ✅ World-first | ❌ No rules | ❌ No rules |
| Production noise | 0.04/kLOC | Config-dependent | Config-dependent |
| Languages | 5 deep | 30+ shallow | 7 deep |
| Offline | ✅ No network | ❌ Needs registry | ❌ Needs build |
Most free SAST tools focus on injection bugs. Ansede also catches authorization flaws that cause real data breaches:
| Bandit | Semgrep | CodeQL | Ansede | |
|---|---|---|---|---|
| SQL Injection, XSS | ✓ | ✓ | ✓ | ✓ |
| IDOR (CWE-639) | ✗ | ✗ | ✗ | ✓ Built-in |
| Missing Auth (CWE-862) | ✗ | ✗ | ✗ | ✓ Built-in |
| Ownership Bypass | ✗ | ✗ | ✗ | ✓ Built-in |
| Fully offline | ✓ | ✗ | ✗ | ✓ |
@app.route("/invoice/<id>")
def get_invoice(id):
return Invoice.query.get(id)
# ↑ CWE-639 IDOR: any user can view any invoice
# Bandit: silent. Semgrep: silent. Ansede: 🚨 CRITICAL
Quick Start
pip install ansede-static
ansede-static src/ # Scan a directory
ansede-static src/ --format sarif # GitHub Code Scanning
ansede-static src/ --fail-on high # CI gate
ansede-static src/ --format html # Interactive HTML report
ansede-static src/ --diff-only # PR scan (< 5s)
No network. No API keys. No compilation. Just Python 3.9+.
Benchmarks
CVE Recall — 164 Known Vulnerabilities
| Language | CVEs | Found | Recall |
|---|---|---|---|
| Python | 68 | 68 | 100% |
| JavaScript | 42 | 42 | 100% |
| Java | 20 | 20 | 100% |
| C# | 19 | 19 | 100% |
| Go | 15 | 15 | 100% |
| Total | 164 | 164 | 100% |
Semgrep finds 23%. CodeQL finds ~34%.
Production Noise — 16 Repos, 366K LOC
0.04 findings per 1,000 lines. The scanner correctly treats well-written production code as clean. Tested on go-redis, gin, echo, zap, cobra, viper, gorilla-websocket, zod, supabase, grafana, and more.
OWASP Benchmark v1.2
| Tool | Recall | Score |
|---|---|---|
| Ansede 6.0.0 | 93.3% 🥇 | +0.8% 🥈 |
| FBwFindSecBugs | ~45% | +35.8% 🥇 |
| CodeQL | ~30% | ~-20% |
| Semgrep OSS | ~20% | ~-30% |
Features
- 35+ CWE types — SQLi, XSS, IDOR, auth bypass, SSRF, path traversal, command injection, hardcoded secrets, deserialization
- 5 languages — Python, JavaScript/TypeScript, Go, Java, C#
- Route-aware — maps HTTP routes → auth guards → data sinks
- Framework profiles — Django, Flask, Express, Spring, ASP.NET, Gin
- Incident clustering — groups related findings, ~49% noise reduction
- Confidence scoring — 0–100% per finding; low-signal filtered by default
- Guard detection —
@login_required,@PreAuthorize,[Authorize], Go middleware - Test-context awareness — auto-suppresses findings in test/benchmark files (96% FP reduction)
- Output formats — SARIF (GitHub Code Scanning), CycloneDX SBOM, HTML, JSON
- CI/CD ready —
--diff-only,--fail-on,--baseline - IDE plugins — VS Code, IntelliJ IDEA, Visual Studio 2022
GitHub Actions
- uses: mattybellx/Ansede@v6.3.0
with:
path: src/
fail-on: high
upload-sarif: true
Contributing
git clone https://github.com/mattybellx/Ansede.git
cd Ansede && pip install -e ".[dev]"
pytest tests/ -q
PRs welcome. See CONTRIBUTING.md.
License
MIT · Matty Bell
Zero telemetry · Zero cloud · 100% offline · ⭐ Star on GitHub
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file ansede_static-6.4.0.tar.gz.
File metadata
- Download URL: ansede_static-6.4.0.tar.gz
- Upload date:
- Size: 886.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
39f30be1ee58792239e24f104734d6474a3d8114d1c77aed1f6436f67f64af16
|
|
| MD5 |
bf92c283574f979a2f51f91379068492
|
|
| BLAKE2b-256 |
c4b73ac3aa7e265d0e67956c484907d845e42a9a1dcb2b7905eab70c8d7d10a2
|
Provenance
The following attestation bundles were made for ansede_static-6.4.0.tar.gz:
Publisher:
publish.yml on mattybellx/Ansede
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
ansede_static-6.4.0.tar.gz -
Subject digest:
39f30be1ee58792239e24f104734d6474a3d8114d1c77aed1f6436f67f64af16 - Sigstore transparency entry: 2170024481
- Sigstore integration time:
-
Permalink:
mattybellx/Ansede@801204c1a09ffc74a23b3631db1ad6345b47e91e -
Branch / Tag:
refs/tags/v6.4.0 - Owner: https://github.com/mattybellx
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@801204c1a09ffc74a23b3631db1ad6345b47e91e -
Trigger Event:
push
-
Statement type:
File details
Details for the file ansede_static-6.4.0-py3-none-any.whl.
File metadata
- Download URL: ansede_static-6.4.0-py3-none-any.whl
- Upload date:
- Size: 861.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
352368cf36857e1b4cf31efff33f5bb53c228b33995859b3accaf37cd917b5e7
|
|
| MD5 |
2aef3601601ed28b43fdcfd24216eb1e
|
|
| BLAKE2b-256 |
a9d5ab05b28c0a614d68a89daaad61d960aed3a99e8b0b3997f0eb0acebbb7f6
|
Provenance
The following attestation bundles were made for ansede_static-6.4.0-py3-none-any.whl:
Publisher:
publish.yml on mattybellx/Ansede
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
ansede_static-6.4.0-py3-none-any.whl -
Subject digest:
352368cf36857e1b4cf31efff33f5bb53c228b33995859b3accaf37cd917b5e7 - Sigstore transparency entry: 2170024541
- Sigstore integration time:
-
Permalink:
mattybellx/Ansede@801204c1a09ffc74a23b3631db1ad6345b47e91e -
Branch / Tag:
refs/tags/v6.4.0 - Owner: https://github.com/mattybellx
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@801204c1a09ffc74a23b3631db1ad6345b47e91e -
Trigger Event:
push
-
Statement type: