DEV Community

mattybellx
mattybellx

Posted on

I Built a 100% Offline SAST Scanner That Finds What Semgrep and CodeQL Miss

I spent the last few months building a fully offline SAST security scanner that I think deserves more attention.

The Problem

Most free static analysis tools (Bandit, Semgrep OSS) focus on injection bugs like SQLi and XSS. They completely miss authorization flaws — the IDOR, auth bypass, and ownership verification issues that cause real data breaches. Tools like CodeQL can find these but require manual query writing and a massive database.

What Ansede Static Does Differently

  • Built-in IDOR/auth bypass detection — no custom rules needed
  • 100% offline — no API keys, no network calls, no compilation
  • 6 languages — Python, JavaScript/TypeScript, Go, Java, C#, Rust
  • 100% CVE recall (164/164 across 5 languages) — Semgrep OSS: 23%, CodeQL: 34%
  • 93.3% OWASP recall — #1 among free tools

Real-World Performance (v6.1.0, today's release)

I just finished scanning 43 random repos with the new taint-aware demotion engine. Results:

  • 1,075 HIGH/CRITICAL findings → 205 suspected real vulns
  • 19.1% precision on HIGH/CRIT — up from ~0% in previous versions
  • 0% HIGH/CRIT false negative rate (confirmed across 1,941+ findings)

Try It

Live playground (no install): https://ansede.onrender.com/scan

pip install ansede-static
ansede-static src/
Enter fullscreen mode Exit fullscreen mode

GitHub: https://github.com/mattybellx/Ansede

Would love feedback from the security community!

Top comments (0)