Precaution versus Gosec

---

When choosing a Static Application Security Testing (SAST) tool for Python projects, it’s important to consider how different tools align with your development workflow and security needs. This comparison focuses on Precaution and Gosec, two popular options with distinct approaches and feature sets.

Programming Languages

Language	Precaution	Gosec
Go	✅	✅
Java	✅	❌
Python	✅	❌

Rule Coverage

Precaution vs. Gosec

Precaution Rule	Gosec Rules
GO001: crypto - weak cipher	G405: weakcrypto
GO002: crypto - weak hash	G401: weakcryptohash
GO003: crypto - weak key	G403: rsa
GO004: syscall - unnecessary privileges
GO005: crypto - unrestricted bind	G102: bind
GO006: net - unrestricted bind	G102: bind
GO007: net/http - no timeout	G114: http_serve
GO501: x/crypto - insecure ignore hostkey	G106: ssh
GO502: x/crypto - weak cipher
GO503: x/crypto - weak hash	G406: weakdepricatedcryptohash
GO504: unix - unnecessary privileges

Gosec vs. Precaution

Gosec Rule	Precaution Rule
G101: hardcoded_credentials
G102: bind	GO005: crypto - unrestricted bind GO006: net - unrestricted bind
G103: unsafe
G104: errors
G106: ssh	GO501: x/crypto - insecure ignore hostkey
G107: ssrf
G108: pprof
G109: integer_overflow
G110: decompression-bomb
G111: directory-traversal
G112: slowloris
G114: http_serve	GO007: net/http - no timeout
G115: conversion_overflow
G201: sql
G202: sql
G203: templates
G204: subproc
G301: fileperms
G302: fileperms
G303: tempfiles
G304: readfile
G305: archive
G306: fileperms
G307: fileperms
G401: weakcryptohash	GO002: crypto - weak hash
G402: tls_config
G403: rsa	GO003: crypto - weak key
G404: rand
G405: weakcrypto	GO001: crypto - weak cipher
G406: weakdepricatedcryptohash	GO503: x/crypto - weak hash
G407: hardcoded_nonce
G501: import crypto/md5	N/A1
G502: import crypto/des	N/A1
G503: import crypto/rc4	N/A1
G504: import net/http/cgi	N/A1
G505: import crypto/sha1	N/A1
G506: import x/crypto/md4	N/A1
G507: import x/crypto/ripemd160	N/A1
G601: implicit_aliasing
G602: slice_bounds

Footnotes

1. Precaution only checks on whether a function call introduces a vulnerability not simply a import of a module. ↩ ↩² ↩³ ↩⁴ ↩⁵ ↩⁶ ↩⁷