I spent the last few months building a fully offline SAST security scanner that I think deserves more attention.
The Problem
Most free static analysis tools (Bandit, Semgrep OSS) focus on injection bugs like SQLi and XSS. They completely miss authorization flaws — the IDOR, auth bypass, and ownership verification issues that cause real data breaches. Tools like CodeQL can find these but require manual query writing and a massive database.
What Ansede Static Does Differently
- Built-in IDOR/auth bypass detection — no custom rules needed
- 100% offline — no API keys, no network calls, no compilation
- 6 languages — Python, JavaScript/TypeScript, Go, Java, C#, Rust
- 100% CVE recall (164/164 across 5 languages) — Semgrep OSS: 23%, CodeQL: 34%
- 93.3% OWASP recall — #1 among free tools
Real-World Performance (v6.1.0, today's release)
I just finished scanning 43 random repos with the new taint-aware demotion engine. Results:
- 1,075 HIGH/CRITICAL findings → 205 suspected real vulns
- 19.1% precision on HIGH/CRIT — up from ~0% in previous versions
- 0% HIGH/CRIT false negative rate (confirmed across 1,941+ findings)
Try It
Live playground (no install): https://ansede.onrender.com/scan
pip install ansede-static
ansede-static src/
GitHub: https://github.com/mattybellx/Ansede
Would love feedback from the security community!
Top comments (0)