Skip to content
check

GitHub Action

GoKart Scanner

v1.0.0 Latest version

GoKart Scanner

check

GoKart Scanner

Scan your code with GoKart to finds vulnerabilities using the SSA (single static assignment) form of Go source code

Installation

Copy and paste the following snippet into your .yml file.

              

- name: GoKart Scanner

uses: kitabisa/gokart-action@v1.0.0

Learn more about this action in kitabisa/gokart-action

Choose a version

GoKart Action

Using this GitHub Action, scan your code with GoKart to finds vulnerabilities using the SSA (single static assignment) form of Go source code¹.

GoKart Action Proof-of-Concept

Usage

The workflow, usually declared in .github/workflows/gokart.yaml under your Go project repository, looks like:

name: GoKart

on:
  push:
    branches: [ master, main ]
  pull_request:
    branches: [ master, main ]
  schedule:
    - cron: 0 0 * * *

env:
  GOKART_OUTPUT: "output.sarif"

jobs:
  gokart:
    name: GoKart scanner
    runs-on: ubuntu-latest
    permissions:
      security-events: write

    steps:
    - name: Checkout the code
      uses: actions/checkout@v2

    - name: Run GoKart
      uses: kitabisa/gokart-action@v1
      with:
        globalsTainted: true
        output: ${{ env.GOKART_OUTPUT }}

    - name: Upload GoKart results
      uses: github/codeql-action/upload-sarif@v1
      with:
        sarif_file: ${{ env.GOKART_OUTPUT }}

You can change the analysis base directory and/or analyzer config by using optional input like this:

uses: kitabisa/gokart-action@v1
with:
  directory: "./path/to/go-project"
  input: "./.github/gokart-analyzers.yaml"

Inputs

  • directory - scan on a Go module in the directory (default: .).
  • input - input path to custom yml (analyzer config) file.
  • output - (Required) file path to write findings output (default: results).
  • globalsTainted - marks global variables as dangerous.

References

License

The Dockerfile and associated scripts and documentation in this project are released under the MIT.

Container images built with this project include third party materials.