Integrate GoKart security static analysis to GitHub Actions

kitabisa/gokart-action

GoKart Action

Using this GitHub Action, scan your code with GoKart to find vulnerabilities using the SSA (single static assignment) form of Go source code¹.

GoKart Action Proof-of-Concept

Usage

The workflow, usually declared in .github/workflows/gokart.yaml under your Go project repository, looks like:

name: GoKart

on:
  push:
    branches: [ master, main ]
  pull_request:
    branches: [ master, main ]
  schedule:
    - cron: 0 0 * * *

jobs:
  gokart:
    name: GoKart scanner
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write

    steps:
    - name: Checkout the code
      uses: actions/checkout@v2

    - name: Run GoKart
      uses: kitabisa/gokart-action@v1.0.0
      with:
        globalsTainted: true

    - name: Upload GoKart results
      uses: github/codeql-action/upload-sarif@v1

You can change the analysis base directory and/or the analyzer config by passing the optional inputs like this:

uses: kitabisa/gokart-action@v1
with:
  directory: "./path/to/go-project"
  input: "./.github/gokart-analyzers.yaml"

Inputs

  • directory - scan the Go module located in this directory (default: .).
  • input - path to a custom yml (analyzer config) file.
  • output - (Required) file path to write the findings output to (default: results).
  • globalsTainted - marks global variables as tainted (dangerous) sources.
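The workflow above hands the findings file straight to upload-sarif, which only makes sense if the file is SARIF; the following added example (not part of this action or of GoKart) assumes that and shows how a CI step could read the results file itself, summarise findings per rule and decide whether to fail the build. The SARIF document embedded in it is constructed for the example; the rule names, file paths and line numbers in it are made up, and `results.sarif` is an assumed path.

```python
"""Summarise a SARIF 2.1.0 results file and gate a CI job on its contents."""
import json
import sys
from collections import Counter

# Constructed SARIF 2.1.0 document standing in for a scanner results file.
# The layout (runs -> tool.driver.rules / results -> ruleId, level, locations)
# is the SARIF standard; the rule ids, paths and lines are invented here.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "SQL Injection", "shortDescription": {"text": "Tainted input reaches a SQL query"}},
            {"id": "Path Traversal", "shortDescription": {"text": "Tainted input reaches a file path"}},
        ]}},
        "results": [
            {"ruleId": "SQL Injection", "level": "error",
             "message": {"text": "user input flows into db.Query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "internal/db/query.go"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "SQL Injection", "level": "error",
             "message": {"text": "user input flows into db.Exec"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "internal/db/admin.go"},
                 "region": {"startLine": 17}}}]},
            # No "level" key: SARIF defines the default level as "warning".
            {"ruleId": "Path Traversal",
             "message": {"text": "request path flows into os.Open"},
             "locations": []},
        ],
    }],
})


def load_findings(sarif_text):
    """Flatten every result in every run into a list of plain dicts."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            # A result may carry no location at all; fall back to placeholders.
            locations = result.get("locations") or [{}]
            physical = locations[0].get("physicalLocation", {})
            findings.append({
                "rule": result.get("ruleId", "unknown"),
                "level": result.get("level", "warning"),  # SARIF default level
                "file": physical.get("artifactLocation", {}).get("uri", "<no file>"),
                "line": physical.get("region", {}).get("startLine", 0),
                "message": result.get("message", {}).get("text", ""),
            })
    return findings


def count_by_rule(findings):
    """Number of findings per rule id, e.g. Counter({'SQL Injection': 2, ...})."""
    return Counter(f["rule"] for f in findings)


def should_fail(findings, fail_on=("error",)):
    """True when any finding has a level the policy treats as blocking."""
    return any(f["level"] in fail_on for f in findings)


def report(findings):
    """One line per finding, in the usual file:line: rule form."""
    return [f"{f['file']}:{f['line']}: [{f['level']}] {f['rule']}: {f['message']}"
            for f in findings]


if __name__ == "__main__":
    # Assumed location of the scanner output; pass another path as argv[1].
    path = sys.argv[1] if len(sys.argv) > 1 else "results.sarif"
    try:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    except FileNotFoundError:
        text = SAMPLE_SARIF  # fall back to the constructed sample
    found = load_findings(text)
    print("\n".join(report(found)))
    for rule, n in count_by_rule(found).items():
        print(f"{rule}: {n}")
    # Non-zero exit status fails the CI step when blocking findings exist.
    sys.exit(1 if should_fail(found) else 0)
```

Gating on `level` rather than on the raw count lets a team keep warning-level rules visible in the code-scanning tab while only error-level results block a merge.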

References

License

The Dockerfile and associated scripts and documentation in this project are released under the MIT License.

Container images built with this project include third party materials.