Using this GitHub Action, scan your code with GoKart to find vulnerabilities using the SSA (single static assignment) form of Go source code¹.
The workflow, usually declared in `.github/workflows/gokart.yaml` under your Go project repository, looks like:

```yaml
name: GoKart
on:
  push:
    branches: [ master, main ]
  pull_request:
    branches: [ master, main ]
  schedule:
    - cron: 0 0 * * *
jobs:
  gokart:
    name: GoKart scanner
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Checkout the code
        uses: actions/checkout@v2
      - name: Run GoKart
        uses: kitabisa/gokart-action@v1
        with:
          globalsTainted: true
      - name: Upload GoKart results
        uses: github/codeql-action/upload-sarif@v1
```
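The last step above hands the scanner's findings file to GitHub code scanning as SARIF. In a pipeline you usually also want a local gate that reads the same file and fails the job on serious findings, independent of the upload. The script below is an added example and not part of kitabisa/gokart-action or GoKart; it parses SARIF 2.1.0 fields (`runs[].tool.driver.name`, `results[].ruleId`, `level`, `locations[].physicalLocation`) from a hand-constructed sample document whose rule ids, paths and messages are made up for illustration, and it assumes the findings file written by the `output` input is SARIF.

```python
"""Summarize a SARIF findings file and decide whether a CI job should fail.

Added example, not project code. The sample document is constructed by hand
and only mimics the shape of a scanner report; rule ids and paths are made up.
"""
import json
import sys
from collections import Counter

# Constructed sample: three findings from a hypothetical scanner run.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "GoKart"}},
        "results": [
            {"ruleId": "EXAMPLE-SQLI", "level": "error",
             "message": {"text": "tainted value reaches a database query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "internal/db.go"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "EXAMPLE-SQLI", "level": "error",
             "message": {"text": "tainted value reaches a database query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "internal/db.go"},
                 "region": {"startLine": 77}}}]},
            {"ruleId": "EXAMPLE-PATH", "level": "warning",
             "message": {"text": "tainted value used as a file path"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "cmd/server/main.go"},
                 "region": {"startLine": 12}}}]},
        ],
    }],
})


def load_findings(sarif_text):
    """Flatten every result in every run into a plain dict.

    A result without an explicit level defaults to "warning", which is the
    SARIF 2.1.0 default when the rule supplies no configuration.
    """
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for result in run.get("results", []):
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "tool": tool,
                "rule": result.get("ruleId", "unknown"),
                "level": result.get("level", "warning"),
                "file": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine"),
                "message": result.get("message", {}).get("text", ""),
            })
    return findings


def count_by_level(findings):
    """Number of findings per SARIF level (error / warning / note / none)."""
    return dict(Counter(f["level"] for f in findings))


def count_by_rule(findings):
    """Number of findings per rule id, useful for spotting noisy rules."""
    return dict(Counter(f["rule"] for f in findings))


def should_fail(findings, fail_on=("error",)):
    """CI gate: True when any finding sits at one of the blocking levels."""
    return any(f["level"] in fail_on for f in findings)


def format_report(findings):
    """One line per finding in tool/level/rule/location/message order."""
    return "\n".join(
        f"{f['tool']}: {f['level']:<7} {f['rule']} {f['file']}:{f['line']} {f['message']}"
        for f in findings
    )


if __name__ == "__main__":
    # Usage: python gate.py results.sarif   (falls back to the sample document)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    found = load_findings(text)
    print(format_report(found))
    print("by level:", count_by_level(found))
    sys.exit(1 if should_fail(found) else 0)
```

Run it as an extra step between the scan and the upload, pointing it at the path you pass to `output`; the exit status makes the job fail on `error`-level results while `warning`-level ones still reach the code-scanning tab for triage.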
You can change the analysis base directory and/or the analyzer config by using the optional inputs like this:

```yaml
uses: kitabisa/gokart-action@v1
with:
  directory: "./path/to/go-project"
  input: "./.github/gokart-analyzers.yaml"
```
- `directory` - scan on a Go module in the directory (default: `.`).
- `input` - input path to a custom yml (analyzer config) file.
- `output` - (Required) file path to write findings output (default: `results`).
- `globalsTainted` - marks global variables as dangerous.
- [1] https://github.com/praetorian-inc/gokart#gokart---go-security-static-analysis
- https://www.praetorian.com/blog/introducing-gokart/
The Dockerfile and associated scripts and documentation in this project are released under the MIT License.
Container images built with this project include third party materials.
GoKart Scanner is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.