Skip to content

mattybellx/Ansede

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

295 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Ansede Static

Finds the vulnerabilities other SAST tools miss.
#1 CVE recall (100%) · 6 languages · 35+ CWE types · Fully offline
pip install ansede-static

CVE 100% OWASP 93% OWASP Score 6 langs MIT 1239 tests CI PyPI installs


Quick Start

pip install ansede-static
ansede-static src/                    # Scan a directory
ansede-static src/ --format sarif     # GitHub Code Scanning
ansede-static src/ --fail-on high     # CI gate (non-zero exit on findings)
ansede-static src/ --format html      # Interactive HTML report
ansede-static src/ --diff-only        # PR scan: only changed files (< 5s)
ansede-static src/ --suggest          # Adaptive rules: improve based on your codebase

No network, no API keys, no compilation. Just Python 3.9+ and rich.

Try the live playground → — no install required.


Why Ansede?

Most free SAST tools focus on injection bugs (SQLi, XSS). Ansede also catches the authorization flaws that cause real data breaches:

Bandit Semgrep CodeQL Ansede
SQL Injection, XSS
IDOR / Broken Access Control ✗* manual ✓ Built-in
Missing Auth on Routes ✗* manual ✓ Built-in
Ownership Bypass (CWE-285) ✓ Built-in
Offline / Air-gapped needs sync

*Possible with custom rules; no defaults ship.

@app.route("/invoice/<id>")
@login_required
def get_invoice(id):
    return Invoice.query.get(id)
    # ↑ CWE-639 IDOR: any user can view any invoice
    #   Bandit: silent. Semgrep: silent. Ansede: CRITICAL

Benchmarks

OWASP Benchmark v1.2 — 2,740 Java Tests

Tool Recall Score (Youden)
FBwFindSecBugs ~45% +35.8% 🥇
Ansede 6.0.0 93.3% 🥇 +0.8% 🥈
CodeQL ~30% ~-20%
Semgrep OSS ~20% ~-30%

#1 in recall. #2 in score. 9 of 11 categories at 100% TPR. Full scorecard →

CVE Recall — 164 Known Vulnerabilities

Language CVEs Found Recall
Python 68 68 100%
JavaScript 42 42 100%
Java 20 20 100%
C# 19 19 100%
Go 15 15 100%
Total 164 164 100%

Semgrep OSS finds 23% of the same corpus. CodeQL finds ~34%.

Precision (v6.2.2)

Metric Score
Blind audit (400 snippets, 4 runs) ~90% recall, ~97% precision
Real GitHub repos (22 repos, 1,027 files) 0 crashes
CRITICAL on safe parameterized SQL 0 (eliminated)
Test/benchmark/tutorial FP suppression 96% reduction
Quality corpus 56 cases, 96/96 checks (100%)

Real-World Scale

Scanned 58 open-source repos (21,871 files, 3.2M lines) with zero crashes. Detects 35+ CWE types. Average findings: ~0.11 per file on mature Apache/Google libraries.

Performance

Scenario Throughput
Single file ~0.05s
Batch (4 workers) 4–6 KLOC/s
Rust native grammars ~4,000 LOC/s

Comparison

Ansede Semgrep CodeQL FBwFindSec
CVE Recall 100% 🥇 23% 34% 40%
OWASP Recall 93% 🥇 20% 30% 45%
OWASP Score +0.8% 🥈 -30% -20% +36% 🥇
Languages 6 🥇 20+ 5+ 1
Auth/IDOR detection custom manual
Fully offline partial
Install pip install needs binary needs DB needs Java
IDE Plugins VS Code, IntelliJ, VS VS Code VS Code
Price Free + Pro Free Licensed Free

*Competitor OWASP figures from published scorecards. CVE recall from our 164-CVE benchmark.


Features

  • 35+ CWE types — SQLi, XSS, IDOR, auth bypass, SSRF, path traversal, command injection, hardcoded secrets, deserialization
  • 6 languages — Python, JavaScript/TypeScript, Go, Java, C#, Rust
  • Route-aware analysis — maps HTTP routes → auth guards → data sinks
  • Framework profiles — Spring, ASP.NET, Django, Express, Gin, Quarkus
  • Incident clustering — groups related findings, cuts noise ~49%
  • Confidence scoring — every finding rated 0–100%; low-signal results filtered by default
  • Guard detection — recognizes @login_required, @PreAuthorize, [Authorize], Go middleware, HMAC webhooks
  • Test-context awareness — automatically suppresses findings in test/benchmark/tutorial files (96% FP reduction)
  • Output formats — SARIF (GitHub Code Scanning), CycloneDX SBOM, HTML, JSON
  • CI/CD ready--diff-only PR scanning, --fail-on exit codes, --baseline
  • IDE plugins — inline diagnostics + one-click fixes in VS Code, IntelliJ IDEA, Visual Studio 2022

Adaptive Rules

Ansede learns from your codebase to reduce false positives over time:

ansede-static src/ --suggest          # Analyze gaps, propose new heuristics
ansede-static src/ --all-findings     # Override confidence filter — see everything
ansede-static src/ --min-confidence 0 # Same as --all-findings

After scanning multiple codebases, Ansede generates suppression rules that match your specific framework patterns — fully offline, no ML API required.


CI/CD Templates

Platform Template
GitHub Actions Built-in (uses: mattybellx/Ansede@v6.2.0)
GitLab CI docs/ci-templates/gitlab-ci.yml
Azure DevOps docs/ci-templates/azure-pipelines.yml
Jenkins docs/ci-templates/Jenkinsfile

GitHub Actions

Basic scan on push:

- uses: mattybellx/Ansede@v6.2.0
  with:
    path: src/
    fail-on: high
    upload-sarif: true
    post-pr-comments: true      # Inline review comments on every PR finding

Auto-scan + open PR with findings (try it on any repo):

# Copy ansede-scan-pr.yml to .github/workflows/
# Then trigger from Actions tab → "Ansede Security Scan + PR"
# Scans your code and opens a PR with the results

Copy the workflow template


Docs

Getting Started Installation and first scan
Benchmarks Full methodology and results
CI Integration GitHub Actions, GitLab CI, Jenkins
IDE Setup VS Code, IntelliJ, Visual Studio
Configuration All CLI flags and config options
Writing Rules Create custom detection rules
FAQ Common questions
Roadmap What's coming next
Changelog Version history

Contributing

git clone https://github.com/mattybellx/Ansede.git
cd Ansede
pip install -e ".[dev]"
pytest tests/ -q          # 1249 tests

PRs welcome. See CONTRIBUTING.md.


Ansede Static Results

## License

MIT · Matty Bell

Zero telemetry · Zero cloud · 100% offline · ⭐ Star on GitHub

About

No.1 CVE recall (100%) | 93% OWASP recall | 6 languages | Taint-aware SAST — finds what Semgrep & CodeQL miss: IDOR, auth bypass, SQLi, XSS | Fully offline | pip install ansede-static | v6.1.0

Topics

Resources

License

Code of conduct

Contributing

Security policy

Stars

11 stars

Watchers

3 watching

Forks

Packages

 
 
 

Contributors