gosec vs flake8-bandit

Our great sponsors

WorkOS - The modern identity platform for B2B SaaS

InfluxDB - Power Real-Time Data Analytics at Scale

SaaSHub - Software Alternatives and Reviews

Our great sponsors

gosec		flake8-bandit
	Project
19	Mentions	3
7,441	Stars	111
1.4%	Growth	-
8.8	Activity	0.0
18 days ago	Latest Commit	8 months ago
Go	Language	Python
Apache License 2.0	License	MIT License

The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.

gosec

Posts with mentions or reviews of gosec. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2023-08-31.

Top 10 Snyk Alternatives for Code Security
3 projects | dev.to | 31 Aug 2023

6. Gosec
Safety in Go
2 projects | /r/golang | 4 Jul 2023

You can (and definitely should!) also use gosec.
We have getrandom at home
8 projects | /r/rust | 11 Mar 2023

The crypto source in Go is great, no complaints there. Lints like gosec even recommend using it when generating crypto entropy. Go did a good job here, and I expect Rust will do the same sometime after getrandom reaches 1.0 so the API questions are settled, plus whatever makes sense for the future-proofing the standard library needs.
any open source that checks security vulnerabilities in code?
3 projects | /r/golang | 8 Mar 2023

i think there's https://github.com/securego/gosec linter
Goast: Generic static analysis for Go Abstract Syntax Tree by OPA/Rego
5 projects | dev.to | 12 Sep 2022

Various static analysis tools are available for the Go language, and existing static analysis tools can check general best practices. For example, gosec is a tool to check secure Go coding, and I use it myself. However, coding rules in software development are not only based on best practices, but can also be software- or team-specific. For example
Vulnerability Management for Go
4 projects | news.ycombinator.com | 6 Sep 2022

What's the difference between this a https://github.com/securego/gosec?
Github template for Golang services
6 projects | dev.to | 19 Jun 2022

A github actions workflow is provided to run go fmt, vet, test and gosec. An initial configuration for dependabot is also provided.
gosec
1 project | /r/devopspro | 28 Feb 2022
What tools exists, or you recommend, for code review, quality and/or security review
2 projects | /r/golang | 12 Dec 2021

Besides what was mentioned, we use : staticcheck.io and https://github.com/securego/gosec
Container security best practices: Comprehensive guide
17 projects | dev.to | 16 Nov 2021

For application code, there are different SAST (Static Application Security Testing) tools like sonarqube, which provide vulnerability scanners for different languages, gosec for analyzing go code and detecting issues based on rules, linters, etc.

flake8-bandit

Posts with mentions or reviews of flake8-bandit. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2023-03-16.

The Ruff python linter is insanely good
10 projects | /r/Python | 16 Mar 2023

flake8-bandit uses bandit behind the scenes: https://github.com/tylerwince/flake8-bandit/blob/main/flake8_bandit.py ruff doesn't and implements the rules directly
Python toolkits
38 projects | /r/Python | 15 Jul 2022

flake8-black which uses black for code formatting check.
Hardening and Simplifying Python's urlopen
1 project | dev.to | 10 Mar 2021

A little disturbing, yes? Bandit agrees. Perhaps you want to consider scanning with that security tool or its related flake8 plugin.

What are some alternatives?

When comparing gosec and flake8-bandit you can also consider the following projects:

golangci-lint - Fast linters Runner for Go

bandit - Bandit is a tool designed to find common security issues in Python code.

gokart - A static analysis tool for securing Go code

vulnerablecode - A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/ Chat at https://gitter.im/aboutcode-org/vulnerablecode Docs at https://vulnerablecode.readthedocs.org/

go-tools - Staticcheck - The advanced Go linter

content - Security automation content in SCAP, Bash, Ansible, and other formats

pre-commit-golang - Pre-commit hooks for Golang with support for monorepos, the ability to pass arguments and environment variables to all hooks, and the ability to invoke custom go tools.

monkey - Infection Monkey - An open-source adversary emulation platform

docker-bench-security - The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.

wazuh-ruleset - Wazuh - Ruleset

rustsec - RustSec API & Tooling

Check-WP-CVE-2020-35489 - The (WordPress) website test script can be exploited for Unlimited File Upload via CVE-2020-35489