Using this GitHub Action, scan your code with GoKart to find vulnerabilities using the SSA (single static assignment) form of Go source code¹.
The workflow, usually declared in `.github/workflows/gokart.yaml` under your Go project repository, looks like:

```yaml
name: GoKart
on:
  push:
    branches: [ master, main ]
  pull_request:
    branches: [ master, main ]
  schedule:
    - cron: 0 0 * * *
jobs:
  gokart:
    name: GoKart scanner
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Checkout the code
        uses: actions/checkout@v2
      - name: Run GoKart
        uses: kitabisa/gokart-action@v1.0.0
        with:
          globalsTainted: true
          output: results.sarif
      - name: Upload GoKart results
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: results.sarif
```
You can change the analysis base directory and/or analyzer config by using optional inputs like this:

```yaml
uses: kitabisa/gokart-action@v1
with:
  directory: "./path/to/go-project"
  input: "./.github/gokart-analyzers.yaml"
```

- `directory` - scan a Go module in the given directory (default: `.`).
- `input` - path to a custom yml (analyzer config) file.
- `output` - (Required) file path to write findings output to (default: `results`).
- `globalsTainted` - marks global variables as dangerous.
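The `globalsTainted` input matters because GoKart otherwise treats package-level variables as trusted. The following added example (not code from kitabisa/gokart-action or from GoKart; the function and variable names are constructed for illustration) shows the pattern the flag exists to catch, a global filled from the environment flowing into a SQL string, beside a hardened form that allowlists the identifier and binds the user value as a placeholder argument:

```go
// Added example, not part of gokart-action or GoKart. Names are constructed.
package main

import (
	"fmt"
	"os"
)

// Constructed taint source: a package-level variable populated from the
// process environment. With globalsTainted: true GoKart treats it as dangerous.
var tableName = os.Getenv("APP_TABLE")

// Vulnerable pattern: the global and the caller-supplied filter are spliced
// straight into the SQL text, so either can alter the statement.
func buildQueryUnsafe(filter string) string {
	return "SELECT id FROM " + tableName + " WHERE name = '" + filter + "'"
}

// Tables the application is actually allowed to query; anything else is rejected.
var allowedTables = map[string]bool{"users": true, "orders": true}

// Hardened form: the identifier must come from the allowlist and the value
// travels as a bound argument, so neither input can change the statement shape.
func buildQuerySafe(table, filter string) (string, []interface{}, error) {
	if !allowedTables[table] {
		return "", nil, fmt.Errorf("table %q not permitted", table)
	}
	return "SELECT id FROM " + table + " WHERE name = $1", []interface{}{filter}, nil
}

func main() {
	// A legitimate name with an apostrophe already breaks the unsafe builder.
	fmt.Println(buildQueryUnsafe("O'Brien"))
	q, args, err := buildQuerySafe(tableName, "O'Brien")
	fmt.Println(q, args, err)
}
```

Run the scan with `globalsTainted: true` to have the `buildQueryUnsafe` path reported; `buildQuerySafe` uses the driver's placeholder syntax and never concatenates caller data.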
- [1] https://github.com/praetorian-inc/gokart#gokart---go-security-static-analysis
- https://www.praetorian.com/blog/introducing-gokart/
The Dockerfile and associated scripts and documentation in this project are released under the MIT License.
Container images built with this project include third party materials.