Metadata-Version: 2.4
Name: ansede-static
Version: 6.4.0
Summary: Offline SAST for 5 languages — 100% precision, 1,266 tests. Detects IDOR, auth bypass, injection flaws, hardcoded secrets, prototype pollution, and 28+ CWE categories missed by Semgrep and CodeQL.
Project-URL: Homepage, https://github.com/mattybellx/Ansede
Project-URL: Repository, https://github.com/mattybellx/Ansede
Project-URL: Issues, https://github.com/mattybellx/Ansede/issues
Project-URL: Documentation, https://github.com/mattybellx/Ansede#readme
Project-URL: Changelog, https://github.com/mattybellx/Ansede/blob/main/CHANGELOG.md
Author: Matty Bell
Maintainer: Matty Bell
License-Expression: MIT
License-File: LICENSE
Keywords: access-control,air-gapped,authentication,authorization,cli,code-review,cwe,devsecops,idor,injection,javascript,linter,offline,owasp,python,sarif,sast,security,static-analysis,vulnerability
Classifier: Development Status :: 5 - Production/Stable
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: MIT License
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Quality Assurance
Requires-Python: >=3.9
Requires-Dist: rich>=13.0.0
Provides-Extra: dev
Requires-Dist: mypy>=1.10; extra == 'dev'
Requires-Dist: pytest-cov>=5; extra == 'dev'
Requires-Dist: pytest>=8; extra == 'dev'
Requires-Dist: ruff>=0.5; extra == 'dev'
Requires-Dist: tree-sitter-java>=0.21; (python_version >= '3.9') and extra == 'dev'
Requires-Dist: tree-sitter>=0.20; (python_version >= '3.9') and extra == 'dev'
Provides-Extra: enterprise
Requires-Dist: jsonschema>=4.0; extra == 'enterprise'
Requires-Dist: networkx>=3.0; extra == 'enterprise'
Requires-Dist: tree-sitter-java>=0.21; extra == 'enterprise'
Requires-Dist: tree-sitter>=0.20; extra == 'enterprise'
Provides-Extra: fast
Requires-Dist: tree-sitter-java>=0.21; extra == 'fast'
Requires-Dist: tree-sitter>=0.20; extra == 'fast'
Provides-Extra: full
Requires-Dist: jsonschema>=4.0; extra == 'full'
Requires-Dist: networkx>=3.0; extra == 'full'
Requires-Dist: tree-sitter-java>=0.21; extra == 'full'
Requires-Dist: tree-sitter>=0.20; extra == 'full'
Provides-Extra: graph
Requires-Dist: networkx>=3.0; extra == 'graph'
Provides-Extra: schema
Requires-Dist: jsonschema>=4.0; extra == 'schema'
Provides-Extra: test
Requires-Dist: pytest-cov>=5; extra == 'test'
Requires-Dist: pytest>=8; extra == 'test'
Provides-Extra: treesitter
Requires-Dist: tree-sitter-java>=0.21; extra == 'treesitter'
Requires-Dist: tree-sitter>=0.20; extra == 'treesitter'
Provides-Extra: v2
Requires-Dist: jsonschema>=4.0; extra == 'v2'
Requires-Dist: networkx>=3.0; extra == 'v2'
Requires-Dist: tree-sitter-java>=0.21; extra == 'v2'
Requires-Dist: tree-sitter>=0.20; extra == 'v2'
Description-Content-Type: text/markdown

﻿# 🔍 Ansede Static · v6.3.0

<p align="center">
  <strong>World's first open-source SAST with CWE-639 IDOR detection.</strong><br>
  100% CVE recall · 91.4% vuln detection · 0.04 findings/kLOC on production code<br>
  <sub>Finds the authorization flaws Semgrep, CodeQL, and Bandit miss.</sub>
</p>

<p align="center">
  <a href="https://ansede.onrender.com/scan"><img src="https://img.shields.io/badge/🚀%20Try%20Online%20Scanner-ansede.onrender.com-6366F1?style=for-the-badge" alt="Try Online Scanner"></a>
</p>

```bash
pip install ansede-static && ansede-static src/
```

<p align="center">
  <a href="docs/BENCHMARKS.md"><img src="https://img.shields.io/badge/CVE%20Recall-100%25-success" alt="CVE 100%"></a>
  <a href="docs/BENCHMARKS.md"><img src="https://img.shields.io/badge/Vuln%20Detection-91.4%25-success" alt="91.4%"></a>
  <a href="docs/BENCHMARKS.md"><img src="https://img.shields.io/badge/Noise-0.04%2FkLOC-success" alt="0.04/kLOC"></a>
  <a href=""><img src="https://img.shields.io/badge/CWE--639%20IDOR-World%20First-blue" alt="IDOR"></a>
  <a href=""><img src="https://img.shields.io/badge/Languages-5-blue" alt="5 langs"></a>
  <a href="LICENSE"><img src="https://img.shields.io/badge/license-MIT-blue" alt="MIT"></a>
  <a href=""><img src="https://img.shields.io/badge/tests-1215%20passed-success" alt="1215 tests"></a>
  <a href="https://github.com/mattybellx/Ansede/actions/workflows/ci.yml"><img src="https://github.com/mattybellx/Ansede/actions/workflows/ci.yml/badge.svg" alt="CI"></a>
  <a href="https://pypi.org/project/ansede-static/"><img src="https://img.shields.io/pypi/dm/ansede-static?label=installs&color=blue" alt="PyPI"></a>
</p>

---

## 🚀 Try It Right Now — No Install

<p align="center">
  <a href="https://ansede.onrender.com/scan"><strong>→ ansede.onrender.com/scan ←</strong></a><br>
  <sub>Paste code, click Scan, see results in seconds. No signup. No install. Fully free.</sub>
</p>

---

## Why Ansede?

| Capability | Ansede | Semgrep | CodeQL |
|-----------|--------|---------|--------|
| **CVE Recall** | **100%** (164/164) | ~23% | ~34% |
| **CWE-639 IDOR** | ✅ World-first | ❌ No rules | ❌ No rules |
| **Production noise** | **0.04/kLOC** | Config-dependent | Config-dependent |
| **Languages** | 5 deep | 30+ shallow | 7 deep |
| **Offline** | ✅ No network | ❌ Needs registry | ❌ Needs build |

Most free SAST tools focus on injection bugs. Ansede also catches **authorization flaws** that cause real data breaches:

| | Bandit | Semgrep | CodeQL | **Ansede** |
|---|---|---|---|---|
| SQL Injection, XSS | ✓ | ✓ | ✓ | ✓ |
| **IDOR (CWE-639)** | ✗ | ✗ | ✗ | **✓ Built-in** |
| **Missing Auth (CWE-862)** | ✗ | ✗ | ✗ | **✓ Built-in** |
| **Ownership Bypass** | ✗ | ✗ | ✗ | **✓ Built-in** |
| Fully offline | ✓ | ✗ | ✗ | **✓** |

```python
@app.route("/invoice/<id>")
def get_invoice(id):
    return Invoice.query.get(id)
    # ↑ CWE-639 IDOR: any user can view any invoice
    #   Bandit: silent. Semgrep: silent. Ansede: 🚨 CRITICAL
```

---

## Quick Start

```bash
pip install ansede-static
ansede-static src/                    # Scan a directory
ansede-static src/ --format sarif     # GitHub Code Scanning
ansede-static src/ --fail-on high     # CI gate
ansede-static src/ --format html      # Interactive HTML report
ansede-static src/ --diff-only        # PR scan (< 5s)
```

No network. No API keys. No compilation. Just Python 3.9+.

---

## Benchmarks

### CVE Recall — 164 Known Vulnerabilities

| Language | CVEs | Found | Recall |
|---|---|---|---|
| Python | 68 | 68 | 100% |
| JavaScript | 42 | 42 | 100% |
| Java | 20 | 20 | 100% |
| C# | 19 | 19 | 100% |
| Go | 15 | 15 | 100% |
| **Total** | **164** | **164** | **100%** |

Semgrep finds 23%. CodeQL finds ~34%.

### Production Noise — 16 Repos, 366K LOC

**0.04 findings per 1,000 lines.** The scanner correctly treats well-written production code as clean. Tested on go-redis, gin, echo, zap, cobra, viper, gorilla-websocket, zod, supabase, grafana, and more.

### OWASP Benchmark v1.2

| Tool | Recall | Score |
|---|---|---|
| **Ansede 6.0.0** | **93.3%** 🥇 | +0.8% 🥈 |
| FBwFindSecBugs | ~45% | +35.8% 🥇 |
| CodeQL | ~30% | ~-20% |
| Semgrep OSS | ~20% | ~-30% |

[Full benchmarks →](docs/BENCHMARKS.md)

---

## Features

- **35+ CWE types** — SQLi, XSS, IDOR, auth bypass, SSRF, path traversal, command injection, hardcoded secrets, deserialization
- **5 languages** — Python, JavaScript/TypeScript, Go, Java, C#
- **Route-aware** — maps HTTP routes → auth guards → data sinks
- **Framework profiles** — Django, Flask, Express, Spring, ASP.NET, Gin
- **Incident clustering** — groups related findings, ~49% noise reduction
- **Confidence scoring** — 0–100% per finding; low-signal filtered by default
- **Guard detection** — `@login_required`, `@PreAuthorize`, `[Authorize]`, Go middleware
- **Test-context awareness** — auto-suppresses findings in test/benchmark files (96% FP reduction)
- **Output formats** — SARIF (GitHub Code Scanning), CycloneDX SBOM, HTML, JSON
- **CI/CD ready** — `--diff-only`, `--fail-on`, `--baseline`
- **IDE plugins** — VS Code, IntelliJ IDEA, Visual Studio 2022

---

## GitHub Actions

```yaml
- uses: mattybellx/Ansede@v6.3.0
  with:
    path: src/
    fail-on: high
    upload-sarif: true
```

---

## Contributing

```bash
git clone https://github.com/mattybellx/Ansede.git
cd Ansede && pip install -e ".[dev]"
pytest tests/ -q
```

PRs welcome. See [CONTRIBUTING.md](CONTRIBUTING.md).

---

## License

MIT · [Matty Bell](https://github.com/mattybellx)

<p align="center">
  <sub>Zero telemetry · Zero cloud · 100% offline · <a href="https://github.com/mattybellx/Ansede">⭐ Star on GitHub</a></sub>
</p>
