Integrate GoKart security static analysis to GitHub Actions

GoKart Action

Using this GitHub Action, scan your code with GoKart to find vulnerabilities using the SSA (static single assignment) form of Go source code¹.

GoKart Action Proof-of-Concept

Usage

The workflow, usually declared in .github/workflows/gokart.yaml in your Go project repository, looks like this:

name: GoKart

on:
  push:
    branches: [ master, main ]
  pull_request:
    branches: [ master, main ]
  schedule:
    - cron: 0 0 * * *

jobs:
  gokart:
    name: GoKart scanner
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write

    steps:
    - name: Checkout the code
      uses: actions/checkout@v2

    - name: Run GoKart
      uses: kitabisa/gokart-action@v1.0.0
      with:
        globalsTainted: true
        output: results.sarif

    - name: Upload GoKart results
      uses: github/codeql-action/upload-sarif@v1
      with:
        sarif_file: results.sarif

You can change the analysis base directory and/or the analyzer config by using the optional inputs like this:

uses: kitabisa/gokart-action@v1
with:
  directory: "./path/to/go-project"
  input: "./.github/gokart-analyzers.yaml"
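The workflow above writes results.sarif and hands it straight to upload-sarif. If you also want the job itself to fail on severe findings, a small gate step between "Run GoKart" and "Upload GoKart results" can read the SARIF file and decide. The script below is an added example, not part of gokart-action or GoKart; the SARIF document it parses is constructed for illustration, and the rule ids and file paths in it are made up (GoKart's real rule ids may differ).

```python
import json
from collections import Counter

# Constructed SARIF 2.1.0 sample shaped like the file the upload step consumes.
# Rule ids, messages and paths are invented for this example.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "GoKart"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "tainted input reaches database/sql query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "internal/db/query.go"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "path-traversal", "level": "warning",
             "message": {"text": "tainted input reaches os.Open"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "cmd/serve/files.go"},
                 "region": {"startLine": 17}}}]},
        ],
    }],
})


def summarize_sarif(text):
    """Return (Counter keyed by (ruleId, level), list of 'uri:line ruleId')."""
    doc = json.loads(text)
    counts = Counter()
    findings = []
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            rule = res.get("ruleId", "unknown")
            level = res.get("level", "warning")  # SARIF default when absent
            counts[(rule, level)] += 1
            for loc in res.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "?")
                line = phys.get("region", {}).get("startLine", "?")
                findings.append(f"{uri}:{line} {rule}")
    return counts, findings


def should_fail(text, fail_on=("error",)):
    """Gate decision: True if any result carries a level listed in fail_on."""
    counts, _ = summarize_sarif(text)
    return any(level in fail_on for (_, level) in counts)


if __name__ == "__main__":
    # In CI, read the file named by the action's `output` input instead.
    for line in summarize_sarif(SAMPLE_SARIF)[1]:
        print(line)
    raise SystemExit(1 if should_fail(SAMPLE_SARIF) else 0)
```

Keep the upload step regardless of the gate's exit code (for example with `if: always()`) so that findings still reach the Security tab when the job fails.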

Inputs

  • directory - directory containing the Go module to scan (default: .).
  • input - path to a custom yml analyzer config file.
  • output - (Required) file path to write the findings to (default: results).
  • globalsTainted - treats global variables as tainted (untrusted) input.

References

License

The Dockerfile and associated scripts and documentation in this project are released under the MIT License.

Container images built with this project include third party materials.