
Comparing Python Static Analysis Tools: Bandit vs. Semgrep

Original Post: Python static analysis comparison: Bandit vs Semgrep

GitLab recently announced it will transition most of its SAST analyzers to Semgrep, starting by phasing out Bandit and ESLint in the GitLab 14.0 release in June 2021. Written by Semgrep's maintainers, the post provides a comparative analysis of Bandit and Semgrep, focusing on:

  • Security Coverage: Bandit ships 68 security checks for Python; Semgrep's community-maintained registry has over 166 rules for Python, and the tool also supports many other languages.

  • Custom Rules: Bandit rules are Python plugins written against the Bandit API, which takes some effort. Semgrep rules are YAML files whose patterns look like the code they are meant to match, so a simple check is often a single pattern line and only more complex rules need additional YAML structure.

  • Performance: Bandit is generally faster on small repositories, while Semgrep holds up better as repositories grow, especially when run with multiple parallel jobs.

  • Usage in CI/CD & Integrations: Both tools are CLI-based and integrate easily into CI/CD pipelines. Bandit has more established integrations, but Semgrep provides broader support for various CI tools and has a comprehensive GitHub Action.

Semgrep's advantages are easier custom rules, multilingual support, rapid development, and flexible integration. Bandit, however, tends to report more accurate results on Python-specific checks. Both tools let you ignore specific lines (`# nosec` for Bandit, `# nosemgrep` for Semgrep) or whole paths, and both run during development via pre-commit hooks and IDE extensions.
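To make the "custom rules" and "ignoring specific lines" points concrete, here is the same check, subprocess calls with `shell=True` (the class of bug Bandit's B602 flags), written both ways. This is an added example, not code from the original post, from Bandit, or from Semgrep: the Semgrep rule id `subprocess-shell-true` is hypothetical (not a registry rule), the Bandit-style scanner is a stand-alone walk over Python's stdlib `ast` module so it runs without Bandit installed (the real plugin shape is described in the docstring), and the scanned `SAMPLE` file is constructed for this page.

```python
"""Added example: one check as a Semgrep rule and as a Bandit-style AST plugin.

Everything here is constructed for this page; it is not code from the original
post, from Bandit or from Semgrep.
"""
import ast
from dataclasses import dataclass

# Semgrep version. Save as rule.yaml and run: semgrep --config rule.yaml .
# The pattern reads like the code it matches: `...` stands for any other
# arguments and $FUNC is a metavariable bound to whichever function is called.
# The rule id is hypothetical, not a Semgrep registry id.
SEMGREP_RULE = """\
rules:
  - id: subprocess-shell-true
    languages: [python]
    severity: WARNING
    message: subprocess.$FUNC called with shell=True; pass an argument list instead
    pattern: subprocess.$FUNC(..., shell=True, ...)
"""


@dataclass
class Finding:
    line: int
    func: str
    message: str


SUBPROCESS_FUNCS = {"call", "run", "Popen", "check_call", "check_output"}


def _qualified_name(node: ast.AST) -> str:
    """'subprocess.run' for `subprocess.run(...)`, 'run' for a bare `run(...)`."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return f"{_qualified_name(node.value)}.{node.attr}"
    return ""


def _shell_is_true(call: ast.Call) -> bool:
    """True when the call passes the literal keyword argument shell=True."""
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in call.keywords
    )


def _suppressed(source_lines: list[str], lineno: int) -> bool:
    """Honour the per-line opt-outs both tools use: `# nosec` (Bandit), `# nosemgrep` (Semgrep)."""
    line = source_lines[lineno - 1]
    return "# nosec" in line or "# nosemgrep" in line


def scan_source(source: str) -> list[Finding]:
    """Bandit-style check written against the stdlib `ast` module (no Bandit dependency).

    A real Bandit plugin does the same walk through Bandit's API: a function
    decorated with @test.checks("Call") and @test.test_id(...) receives a
    `context` and asks context.call_function_name_qual and
    context.check_call_arg_value("shell", "True"), returning a bandit.Issue.
    This simplified version only matches the `subprocess.<func>` spelling;
    it does not resolve `from subprocess import run` or module aliases.
    """
    tree = ast.parse(source)
    lines = source.splitlines()
    findings: list[Finding] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _qualified_name(node.func)
        module, _, func = name.rpartition(".")
        if module != "subprocess" or func not in SUBPROCESS_FUNCS:
            continue
        if _shell_is_true(node) and not _suppressed(lines, node.lineno):
            findings.append(Finding(node.lineno, name, "subprocess call with shell=True"))
    return findings


# Constructed sample input: one safe call, two hits, one suppressed hit.
SAMPLE = """\
import subprocess
subprocess.run(["ls", "-l"])                        # safe: argument list, no shell
subprocess.call("ls -l " + user_input, shell=True)  # hit
subprocess.Popen(cmd, shell=True, stdout=PIPE)      # hit
subprocess.check_output(cmd, shell=True)  # nosec   -- suppressed on this line
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line}: {f.func}: {f.message}")
```

Running the module reports lines 3 and 4 and stays quiet about line 5 because of its `# nosec` comment. The contrast the post draws is visible here: the Semgrep rule is five lines of YAML whose pattern mirrors the offending call, while the Bandit-style version needs name resolution, keyword inspection and suppression handling written out by hand, which is also where it gains the precision the post credits Bandit with.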

Overall, this transition aims to leverage Semgrep’s broad security coverage, ease of rule customization and integration benefits.

