Precaution versus Bandit
When choosing a Static Application Security Testing (SAST) tool for Python
projects, it’s important to consider how different tools align with your
development workflow and security needs. This comparison focuses on Precaution
and Bandit, two popular options with distinct approaches and feature sets.
Programming Languages
| Language | Precaution | Bandit |
|----------|------------|--------|
| Go       | ✅         | ❌     |
| Java     | ✅         | ❌     |
| Python   | ✅         | ✅     |
Rule Coverage
| Precaution Rule | Bandit Check |
|-----------------|--------------|
| PY001: assert | B101: assert_used |
| PY002: crypt - weak hash | |
| PY003: ftplib - cleartext | B321: ftplib |
| PY004: hashlib - weak hash | |
| PY005: hmac - timing attack | |
| PY006: hmac - weak hash | |
| PY007: http url secret | |
| PY008: imaplib - cleartext | |
| PY009: json - load | |
| PY010: logging - insecure listen config | B612: logging_config_insecure_listen |
| PY011: marshal - load | B302: marshal |
| PY012: nntplib - cleartext | |
| PY013: pickle - load | B301: pickle, dill, shelve, jsonpickle, pandas.read |
| PY014: poplib - cleartext | |
| PY015: shelve - open | B301: pickle, dill, shelve, jsonpickle, pandas.read |
| PY016: smtplib - cleartext | |
| PY017: ssl - unverified context | B321: ftplib |
| PY018: ssl - insecure tls version | B502: ssl_with_bad_version |
| PY019: ssl - weak key | |
| PY020: telnetlib - cleartext | B312: telnetlib |
| PY021: tempfile - mktemp race condition | B304: ciphers |
| PY022: ftplib - unverified context | |
| PY023: imaplib - unverified context | |
| PY024: nntplib - unverified context | |
| PY025: poplib - unverified context | |
| PY026: smtplib - unverified context | |
| PY027: argparse - sensitive info | |
| PY028: secrets - weak token | |
| PY029: socket - unrestricted bind | B104: hardcoded_bind_all_interfaces |
| PY030: socketserver - unrestricted bind | B104: hardcoded_bind_all_interfaces |
| PY031: http - unrestricted bind | B104: hardcoded_bind_all_interfaces |
| PY032: xmlrpc - unrestricted bind | B104: hardcoded_bind_all_interfaces |
| PY033: re - denial of service | |
| PY034: hmac - weak key | |
| PY035: hashlib - improper prng | B311: random |
| PY036: os - incorrect permission | B103: set_bad_file_permissions |
| PY037: pathlib - incorrect permission | B103: set_bad_file_permissions |
| PY038: os - unnecessary privileges | |
| PY039: socket - no timeout | |
| PY040: smtplib - no timeout | |
| PY041: imaplib - no timeout | |
| PY042: nntplib - no timeout | |
| PY043: poplib - no timeout | |
| PY044: telnetlib - no timeout | |
| PY045: ftplib - no timeout | |
| PY046: ssl - no timeout | |
| PY501: aiohttp - no certificate verify | |
| PY502: cryptography - weak cipher | B304: ciphers |
| PY503: cryptography - weak cipher mode | |
| PY504: cryptography - weak hash | B303: md5 |
| PY505: cryptography - weak key | B505: weak_cryptographic_key |
| PY506: dill - load | B301: pickle, dill, shelve, jsonpickle, pandas.read |
| PY507: flask - code injection | B201: flask_debug_true |
| PY508: httpx - no certificate verify | |
| PY509: jsonpickle - decode | B301: pickle, dill, shelve, jsonpickle, pandas.read |
| PY510: m2crypto - weak key | |
| PY511: pandas - read_pickle | B301: pickle, dill, shelve, jsonpickle, pandas.read |
| PY512: policy - no host key verify | B507: ssh_no_host_key_verification |
| PY513: pycrypto - weak cipher | B304: ciphers |
| PY514: pycrypto - weak hash | B303: md5 |
| PY515: pycrypto - weak key | B505: weak_cryptographic_key |
| PY516: pycryptodomex - weak cipher | B304: ciphers |
| PY517: pycryptodomex - weak hash | B303: md5 |
| PY518: pycryptodomex - weak key | B505: weak_cryptographic_key |
| PY519: command - cleartext | |
| PY520: pyopenssl - insecure tls version | B502: ssl_with_bad_version |
| PY521: pyopenssl - weak key | |
| PY522: yaml - load | B506: yaml_load |
| PY523: requests - no certificate verify | B501: request_with_no_cert_validation |
| PY524: fastapi - debug | |
| PY525: ruamel.yaml - yaml | |
| PY526: Jinja2 - no autoescape | B701: jinja2_autoescape_false |
| PY527: ldap3 - anonymous bind | |
| PY528: python-ldap - anonymous bind | |
| PY529: websockets - cleartext | |
| PY530: websocket-client - cleartext | |
| PY531: pyjwt - no verify | |