Skip to main content

Offline SAST for 5 languages — 100% precision, 1,266 tests. Detects IDOR, auth bypass, injection flaws, hardcoded secrets, prototype pollution, and 28+ CWE categories missed by Semgrep and CodeQL.

Project description

🔍 Ansede Static · v6.3.0

World's first open-source SAST with CWE-639 IDOR detection.
100% CVE recall · 91.4% vuln detection · 0.04 findings/kLOC on production code
Finds the authorization flaws Semgrep, CodeQL, and Bandit miss.

Try Online Scanner

pip install ansede-static && ansede-static src/

CVE 100% 91.4% 0.04/kLOC IDOR 5 langs MIT 1215 tests CI PyPI


🚀 Try It Right Now — No Install

→ ansede.onrender.com/scan ←
Paste code, click Scan, see results in seconds. No signup. No install. Fully free.


Why Ansede?

Capability Ansede Semgrep CodeQL
CVE Recall 100% (164/164) ~23% ~34%
CWE-639 IDOR ✅ World-first ❌ No rules ❌ No rules
Production noise 0.04/kLOC Config-dependent Config-dependent
Languages 5 deep 30+ shallow 7 deep
Offline ✅ No network ❌ Needs registry ❌ Needs build

Most free SAST tools focus on injection bugs. Ansede also catches authorization flaws that cause real data breaches:

Bandit Semgrep CodeQL Ansede
SQL Injection, XSS
IDOR (CWE-639) ✓ Built-in
Missing Auth (CWE-862) ✓ Built-in
Ownership Bypass ✓ Built-in
Fully offline
@app.route("/invoice/<id>")
def get_invoice(id):
    return Invoice.query.get(id)
    # ↑ CWE-639 IDOR: any user can view any invoice
    #   Bandit: silent. Semgrep: silent. Ansede: 🚨 CRITICAL

Quick Start

pip install ansede-static
ansede-static src/                    # Scan a directory
ansede-static src/ --format sarif     # GitHub Code Scanning
ansede-static src/ --fail-on high     # CI gate
ansede-static src/ --format html      # Interactive HTML report
ansede-static src/ --diff-only        # PR scan (< 5s)

No network. No API keys. No compilation. Just Python 3.9+.


Benchmarks

CVE Recall — 164 Known Vulnerabilities

Language CVEs Found Recall
Python 68 68 100%
JavaScript 42 42 100%
Java 20 20 100%
C# 19 19 100%
Go 15 15 100%
Total 164 164 100%

Semgrep finds 23%. CodeQL finds ~34%.

Production Noise — 16 Repos, 366K LOC

0.04 findings per 1,000 lines. The scanner correctly treats well-written production code as clean. Tested on go-redis, gin, echo, zap, cobra, viper, gorilla-websocket, zod, supabase, grafana, and more.

OWASP Benchmark v1.2

Tool Recall Score
Ansede 6.0.0 93.3% 🥇 +0.8% 🥈
FBwFindSecBugs ~45% +35.8% 🥇
CodeQL ~30% ~-20%
Semgrep OSS ~20% ~-30%

Full benchmarks →


Features

  • 35+ CWE types — SQLi, XSS, IDOR, auth bypass, SSRF, path traversal, command injection, hardcoded secrets, deserialization
  • 5 languages — Python, JavaScript/TypeScript, Go, Java, C#
  • Route-aware — maps HTTP routes → auth guards → data sinks
  • Framework profiles — Django, Flask, Express, Spring, ASP.NET, Gin
  • Incident clustering — groups related findings, ~49% noise reduction
  • Confidence scoring — 0–100% per finding; low-signal filtered by default
  • Guard detection@login_required, @PreAuthorize, [Authorize], Go middleware
  • Test-context awareness — auto-suppresses findings in test/benchmark files (96% FP reduction)
  • Output formats — SARIF (GitHub Code Scanning), CycloneDX SBOM, HTML, JSON
  • CI/CD ready--diff-only, --fail-on, --baseline
  • IDE plugins — VS Code, IntelliJ IDEA, Visual Studio 2022

GitHub Actions

- uses: mattybellx/Ansede@v6.3.0
  with:
    path: src/
    fail-on: high
    upload-sarif: true

Contributing

git clone https://github.com/mattybellx/Ansede.git
cd Ansede && pip install -e ".[dev]"
pytest tests/ -q

PRs welcome. See CONTRIBUTING.md.


License

MIT · Matty Bell

Zero telemetry · Zero cloud · 100% offline · ⭐ Star on GitHub

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ansede_static-6.4.0.tar.gz (886.9 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

ansede_static-6.4.0-py3-none-any.whl (861.2 kB view details)

Uploaded Python 3

File details

Details for the file ansede_static-6.4.0.tar.gz.

File metadata

  • Download URL: ansede_static-6.4.0.tar.gz
  • Upload date:
  • Size: 886.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for ansede_static-6.4.0.tar.gz
Algorithm Hash digest
SHA256 39f30be1ee58792239e24f104734d6474a3d8114d1c77aed1f6436f67f64af16
MD5 bf92c283574f979a2f51f91379068492
BLAKE2b-256 c4b73ac3aa7e265d0e67956c484907d845e42a9a1dcb2b7905eab70c8d7d10a2

See more details on using hashes here.

Provenance

The following attestation bundles were made for ansede_static-6.4.0.tar.gz:

Publisher: publish.yml on mattybellx/Ansede

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file ansede_static-6.4.0-py3-none-any.whl.

File metadata

  • Download URL: ansede_static-6.4.0-py3-none-any.whl
  • Upload date:
  • Size: 861.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for ansede_static-6.4.0-py3-none-any.whl
Algorithm Hash digest
SHA256 352368cf36857e1b4cf31efff33f5bb53c228b33995859b3accaf37cd917b5e7
MD5 2aef3601601ed28b43fdcfd24216eb1e
BLAKE2b-256 a9d5ab05b28c0a614d68a89daaad61d960aed3a99e8b0b3997f0eb0acebbb7f6

See more details on using hashes here.

Provenance

The following attestation bundles were made for ansede_static-6.4.0-py3-none-any.whl:

Publisher: publish.yml on mattybellx/Ansede

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page