World's first open-source SAST with CWE-639 IDOR detection.
100% CVE recall · 91.4% vuln detection · 0.04 findings/kLOC on production code
Finds the authorization flaws Semgrep, CodeQL, and Bandit miss.
pip install ansede-static && ansede-static src/
→ ansede.onrender.com/scan ←
Paste code, click Scan, see results in seconds. No signup. No install. Fully free.
| Capability | Ansede | Semgrep | CodeQL |
|---|---|---|---|
| CVE Recall | 100% (164/164) | ~23% | ~34% |
| CWE-639 IDOR | ✅ World-first | ❌ No rules | ❌ No rules |
| Production noise | 0.04/kLOC | Config-dependent | Config-dependent |
| Languages | 5 deep | 30+ shallow | 7 deep |
| Offline | ✅ No network | ❌ Needs registry | ❌ Needs build |
Most free SAST tools focus on injection bugs. Ansede also catches authorization flaws that cause real data breaches:
| Bandit | Semgrep | CodeQL | Ansede | |
|---|---|---|---|---|
| SQL Injection, XSS | ✓ | ✓ | ✓ | ✓ |
| IDOR (CWE-639) | ✗ | ✗ | ✗ | ✓ Built-in |
| Missing Auth (CWE-862) | ✗ | ✗ | ✗ | ✓ Built-in |
| Ownership Bypass | ✗ | ✗ | ✗ | ✓ Built-in |
| Fully offline | ✓ | ✗ | ✗ | ✓ |
@app.route("/invoice/<id>")
def get_invoice(id):
return Invoice.query.get(id)
# ↑ CWE-639 IDOR: any user can view any invoice
# Bandit: silent. Semgrep: silent. Ansede: 🚨 CRITICALpip install ansede-static
ansede-static src/ # Scan a directory
ansede-static src/ --format sarif # GitHub Code Scanning
ansede-static src/ --fail-on high # CI gate
ansede-static src/ --format html # Interactive HTML report
ansede-static src/ --diff-only # PR scan (< 5s)No network. No API keys. No compilation. Just Python 3.9+.
| Language | CVEs | Found | Recall |
|---|---|---|---|
| Python | 68 | 68 | 100% |
| JavaScript | 42 | 42 | 100% |
| Java | 20 | 20 | 100% |
| C# | 19 | 19 | 100% |
| Go | 15 | 15 | 100% |
| Total | 164 | 164 | 100% |
Semgrep finds 23%. CodeQL finds ~34%.
0.04 findings per 1,000 lines. The scanner correctly treats well-written production code as clean. Tested on go-redis, gin, echo, zap, cobra, viper, gorilla-websocket, zod, supabase, grafana, and more.
| Tool | Recall | Score |
|---|---|---|
| Ansede 6.0.0 | 93.3% 🥇 | +0.8% 🥈 |
| FBwFindSecBugs | ~45% | +35.8% 🥇 |
| CodeQL | ~30% | ~-20% |
| Semgrep OSS | ~20% | ~-30% |
- 35+ CWE types — SQLi, XSS, IDOR, auth bypass, SSRF, path traversal, command injection, hardcoded secrets, deserialization
- 5 languages — Python, JavaScript/TypeScript, Go, Java, C#
- Route-aware — maps HTTP routes → auth guards → data sinks
- Framework profiles — Django, Flask, Express, Spring, ASP.NET, Gin
- Incident clustering — groups related findings, ~49% noise reduction
- Confidence scoring — 0–100% per finding; low-signal filtered by default
- Guard detection —
@login_required,@PreAuthorize,[Authorize], Go middleware - Test-context awareness — auto-suppresses findings in test/benchmark files (96% FP reduction)
- Output formats — SARIF (GitHub Code Scanning), CycloneDX SBOM, HTML, JSON
- CI/CD ready —
--diff-only,--fail-on,--baseline - IDE plugins — VS Code, IntelliJ IDEA, Visual Studio 2022
- uses: mattybellx/Ansede@v6.3.0
with:
path: src/
fail-on: high
upload-sarif: truegit clone https://github.com/mattybellx/Ansede.git
cd Ansede && pip install -e ".[dev]"
pytest tests/ -qPRs welcome. See CONTRIBUTING.md.
MIT · Matty Bell
Zero telemetry · Zero cloud · 100% offline · ⭐ Star on GitHub