Metadata-Version: 2.4
Name: ansede-static
Version: 2.2.1
Summary: AST-based SAST for Python and JavaScript — detects IDOR, auth bypass, and ownership flaws that Bandit misses.
Project-URL: Homepage, https://github.com/mattybellx/Ansede
Project-URL: Repository, https://github.com/mattybellx/Ansede
Project-URL: Issues, https://github.com/mattybellx/Ansede/issues
Project-URL: Documentation, https://github.com/mattybellx/Ansede#readme
Project-URL: Changelog, https://github.com/mattybellx/Ansede/blob/main/CHANGELOG.md
Author: Matty Bell
Maintainer: Matty Bell
License-Expression: MIT
License-File: LICENSE
Keywords: code-review,cwe,injection,javascript,linter,owasp,python,sast,security,static-analysis,vulnerability
Classifier: Development Status :: 5 - Production/Stable
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: MIT License
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Quality Assurance
Requires-Python: >=3.9
Provides-Extra: dev
Requires-Dist: pytest-cov>=5; extra == 'dev'
Requires-Dist: pytest>=8; extra == 'dev'
Requires-Dist: rich>=13.0.0; extra == 'dev'
Provides-Extra: graph
Requires-Dist: networkx>=3.0; extra == 'graph'
Provides-Extra: rich
Requires-Dist: rich>=13.0.0; extra == 'rich'
Provides-Extra: schema
Requires-Dist: jsonschema>=4.0; extra == 'schema'
Provides-Extra: treesitter
Requires-Dist: tree-sitter-languages>=1.8; extra == 'treesitter'
Requires-Dist: tree-sitter>=0.20; extra == 'treesitter'
Provides-Extra: v2
Requires-Dist: jsonschema>=4.0; extra == 'v2'
Requires-Dist: networkx>=3.0; extra == 'v2'
Requires-Dist: tree-sitter-languages>=1.8; extra == 'v2'
Requires-Dist: tree-sitter>=0.20; extra == 'v2'
Description-Content-Type: text/markdown

﻿<p align="center">
  <img alt="Ansede Static — World's Best Offline SAST" src="https://raw.githubusercontent.com/mattybellx/Ansede/master/AS.png" width="800">
</p>

<p align="center">
  <picture>
    <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/mattybellx/Ansede/master/docs/banner-dark.svg">
    <img src="https://raw.githubusercontent.com/mattybellx/Ansede/master/docs/banner-dark.svg" width="800" alt="Ansede Banner">
  </picture>
</p>

<p align="center">
  <strong>The world's most precise offline static application security testing engine.</strong><br>
  Zero dependencies. 98.8% CVE recall. Five languages. Ships as a single <code>.exe</code>.
</p>

<p align="center">
  <a href="https://github.com/mattybellx/Ansede/releases"><img src="https://img.shields.io/github/v/release/mattybellx/Ansede?display_name=tag&sort=semver&label=release&color=0078D4" alt="Release"></a>
  <a href="https://pypi.org/project/ansede-static/"><img src="https://img.shields.io/pypi/v/ansede-static?label=pypi&color=0078D4" alt="PyPI"></a>
  <a href="https://pypi.org/project/ansede-static/"><img src="https://img.shields.io/pypi/dm/ansede-static?label=downloads&color=107C10" alt="Downloads"></a>
  <a href="https://github.com/mattybellx/Ansede/actions/workflows/ci.yml"><img src="https://github.com/mattybellx/Ansede/actions/workflows/ci.yml/badge.svg?branch=master" alt="CI"></a>
  <a href="https://github.com/mattybellx/Ansede/blob/master/BENCHMARKS.md"><img src="https://img.shields.io/badge/CVE%20Recall-98.8%25-brightgreen" alt="CVE Recall 98.8%"></a>
  <a href="https://github.com/mattybellx/Ansede/blob/master/BENCHMARKS.md"><img src="https://img.shields.io/badge/FP%20Rate-3.6%25-brightgreen" alt="FP Rate 3.6%"></a>
  <a href="https://github.com/mattybellx/Ansede/blob/master/LICENSE"><img src="https://img.shields.io/badge/license-MIT-yellow.svg" alt="License MIT"></a>
  <a href="https://github.com/mattybellx/Ansede/stargazers"><img src="https://img.shields.io/github/stars/mattybellx/Ansede?style=social" alt="Stars"></a>
</p>

---

## What makes it different

Existing SAST tools detect `subprocess(shell=True)`. They miss the bugs that actually appear in CVE databases:

```python
# CWE-639 — Insecure Direct Object Reference
# Bandit: silent.   Semgrep OSS: silent.   ansede-static: CRITICAL

@app.route("/invoice/<invoice_id>")
@login_required
def get_invoice(invoice_id):
    return db.execute("SELECT * FROM invoices WHERE id = ?", (invoice_id,))
    #     ^ no WHERE user_id = current_user.id  →  any user can see any invoice
```

```python
# CWE-862 — Missing Authentication on admin endpoint
# Bandit: silent.   Semgrep OSS: silent.   ansede-static: HIGH

@app.route("/admin/users")
def list_users():      # no @login_required, no permission check
    return User.query.all()
```

```python
# CWE-285 — Missing Ownership Check on destructive action
# Bandit: silent.   Semgrep OSS: silent.   ansede-static: HIGH

@app.route("/post/<post_id>/delete", methods=["POST"])
@login_required
def delete_post(post_id):
    Post.query.filter_by(id=post_id).delete()
    # no if post.author_id != current_user.id: abort(403)
```

**ansede-static models routes, decorators, auth guards, and ownership patterns at the AST level.** This is how it achieves 98.8% CVE recall while Bandit OSS sits at ~65%.

---

## Install

```bash
pip install ansede-static

# Or download the standalone .exe (zero Python required):
# https://github.com/mattybellx/Ansede/releases/latest
```

```bash
# Scan a directory
ansede-static src/

# SARIF for GitHub Code Scanning
ansede-static src/ --format sarif --output results.sarif

# JSON for scripting
ansede-static src/ --format json --output findings.json

# Only fail CI on critical findings
ansede-static src/ --fail-on critical

# Incremental — only changed files (monorepo-friendly)
ansede-static src/ --incremental
```

---

## Verified Performance — May 2026

| Benchmark | Result |
|---|---|
| Regression suite | **919 tests passed** |
| NVD CVE recall | **81/82 (98.78%)** |
| NVD CVE precision | **96.43%** |
| False positive rate | **3.57%** |
| Web-wild recall | **100.00%** |
| Web-wild precision | **95.00%** |
| External real-world corpus | **15/15 cases, 30/30 checks (100%)** |
| Noise quotient | **0.861 findings / kLOC** |
| Raw engine speed | **~0.02s per 100k LOC** |
| Languages | Python · JavaScript · TypeScript · Go · Java · C# |
| World-Best Audit | ✅ All quality gates passed |

Full methodology and machine-readable artifacts: [`BENCHMARKS.md`](BENCHMARKS.md)

---

## Detection Coverage

| Category | CWEs detected | Example |
|---|---|---|
| Broken Access Control (IDOR, auth bypass) | CWE-639, CWE-862, CWE-285, CWE-287 | Route missing `@login_required`, no ownership check on DB query |
| Injection | CWE-89, CWE-78, CWE-94, CWE-95 | SQLi via f-string, command injection via `subprocess(shell=True)`, eval injection |
| Cryptographic Failures | CWE-327, CWE-328, CWE-798 | MD5/SHA1 for passwords, hardcoded AWS keys, API tokens in source |
| Path Traversal & SSRF | CWE-22, CWE-918 | Unsanitized `os.path.join`, user-controlled URLs in `requests.get()` |
| Cross-Site Issues | CWE-79, CWE-352 | `innerHTML` with user data, missing CSRF tokens |
| Deserialization | CWE-502 | `pickle.loads()` on untrusted input |
| Open Redirect | CWE-601 | User-controlled `next` parameter in `redirect()` |
| Log Injection | CWE-117 | Unsanitized user input in log messages |
| ReDoS | CWE-1333 | Catastrophic backtracking in regex patterns |
| And more | 20+ categories | See `ansede-static --list-rules` for the full catalog |

---

## GitHub Action

```yaml
# .github/workflows/security.yml
- uses: mattybellx/Ansede@v2.2.0
  with:
    path: src/
    fail-on: high
    upload-sarif: true
    license-key: ${{ secrets.ANSEDE_LICENSE_KEY }}
```

---

## Pricing

| | Free | Pro |
|---|---|---|
| Scans per day | 500 | Unlimited |
| Languages | 5 | 5 |
| Text & JSON output | ✓ | ✓ |
| SARIF (GitHub Code Scanning) | — | ✓ |
| SBOM (CycloneDX / SPDX) | — | ✓ |
| HTML dashboard | — | ✓ |
| CI/CD recipes | — | ✓ |
| Price | Free | [£4.99 one-time](https://ansede.onrender.com) or [£49/year](https://ansede.onrender.com) |

**[Upgrade to Pro →](https://ansede.onrender.com)**

---

## Features

- **Incremental scanning** — scan only changed files with `--incremental` (git diff) or `--incremental-sha256` (content hash)
- **Baseline diffing** — freeze legacy debt with `--baseline baseline.json`, only fail on new findings
- **Auto-fix** — apply safe inline fixes with `--apply-fixes`
- **AI triage** — suppress test/mock/fixture false positives with `--ai-triage`
- **Parallel workers** — speed up large repos with `--parallel`
- **Entropy scanning** — detect hardcoded secrets in string literals with `--entropy`
- **`ansede.json` config** — per-project rules, exclusions, and custom sinks via `--init`
- **Inline suppression** — `# ansede: ignore[CWE-862]` on any line
- **LSP server** — IDE integration via `--lsp`
- **VS Code extension** — [Install from Marketplace](https://marketplace.visualstudio.com/items?itemName=ansede.ansede-static)
- **Community rules** — YAML-based custom rule packs under `~/.ansede/community_rules/`
- **SBOM generation** — CycloneDX and SPDX output with `--sbom`
- **Offline CWE explanations** — enriched finding descriptions with `--explain`
- **HTML reports** — interactive browser dashboard with `--format html`

---

## Comparison

| | ansede-static | Bandit OSS | Semgrep OSS | CodeQL CLI |
|---|---|---|---|---|
| CVE Recall | **98.8%** | ~65% | ~72% | ~88% |
| FP Rate | **3.6%** | ~45% | ~30% | ~12% |
| Offline (no network) | ✓ | ✓ | ✗ | ✗ |
| Zero dependencies | ✓ | ✗ | ✗ | ✗ |
| Single binary (.exe) | ✓ | ✗ | ✗ | ✗ |
| IDOR / Auth bypass | ✓ | ✗ | Partial | Partial |
| Languages | 5 | 1 | 20+ | 7 |
| Install size | <5 MB | ~15 MB | ~200 MB | ~600 MB |
| Speed (scan_file) | **0.02s/100k LOC** | 0.5s | 3s | 10s |

---

## Contributing

```bash
git clone https://github.com/mattybellx/Ansede.git
cd Ansede
pip install -e ".[dev]"
pytest tests/ -q
```

See [`CONTRIBUTING.md`](CONTRIBUTING.md) for guidelines, [`docs/writing-rules.md`](docs/writing-rules.md) for building custom rules, and [`docs/zero-friction-ci-rollout.md`](docs/zero-friction-ci-rollout.md) for adoption playbooks.

---

<p align="center">
  <sub>Built with ❤️ by <a href="https://github.com/mattybellx">Matty Bell</a>. MIT licensed. Zero telemetry. No cloud dependency.</sub>
</p>
