Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/kitabisa/gokart-action
Integrate GoKart security static analysis to GitHub Actions
https://github.com/kitabisa/gokart-action
actions advanced-security ci code-review gokart golang security static-analysis static-code-analysis static-code-analyzer
Last synced: about 2 months ago
JSON representation
Integrate GoKart security static analysis to GitHub Actions
- Host: GitHub
- URL: https://github.com/kitabisa/gokart-action
- Owner: kitabisa
- License: mit
- Created: 2021-08-29T14:56:27.000Z (over 3 years ago)
- Default Branch: master
- Last Pushed: 2023-01-11T10:29:59.000Z (almost 2 years ago)
- Last Synced: 2024-09-18T17:17:03.826Z (3 months ago)
- Topics: actions, advanced-security, ci, code-review, gokart, golang, security, static-analysis, static-code-analysis, static-code-analyzer
- Language: Dockerfile
- Homepage:
- Size: 2.93 KB
- Stars: 9
- Watchers: 8
- Forks: 3
- Open Issues: 5
-
Metadata Files:
- Readme: README.md
- License: LICENSE
- Codeowners: CODEOWNERS
Awesome Lists containing this project
README
# GoKart Action
Using this GitHub Action, scan your code with GoKart to finds vulnerabilities using the SSA (single static assignment) form of Go source code¹.
![GoKart Action Proof-of-Concept](https://user-images.githubusercontent.com/25837540/131348481-b57e230b-7472-4fe6-9599-aee2d09dd3e4.png)
## Usage
The workflow, usually declared in `.github/workflows/gokart.yaml` under your Go project repository, looks like:
```yaml
name: GoKarton:
push:
branches: [ master, main ]
pull_request:
branches: [ master, main ]
schedule:
- cron: 0 0 * * *jobs:
gokart:
name: GoKart scanner
runs-on: ubuntu-latest
permissions:
contents: read
security-events: writesteps:
- name: Checkout the code
uses: actions/checkout@v2- name: Run GoKart
uses: kitabisa/[email protected]
with:
globalsTainted: true- name: Upload GoKart results
uses: github/codeql-action/upload-sarif@v1
```You can change the analysis base directory and/or analyzer config by using optional input like this:
```yaml
uses: kitabisa/gokart-action@v1
with:
directory: "./path/to/go-project"
input: "./.github/gokart-analyzers.yaml"
```## Inputs
- `directory` - scan on a Go module in the directory **(default: `.`)**.
- `input` - input path to custom yml _(analyzer config)_ file.
- `output` - _**(Required)**_ file path to write findings output **(default: `results`)**.
- `globalsTainted` - marks global variables as dangerous.## References
- [1] https://github.com/praetorian-inc/gokart#gokart---go-security-static-analysis
- https://www.praetorian.com/blog/introducing-gokart/## License
The Dockerfile and associated scripts and documentation in this project are released under the MIT.
Container images built with this project include third party materials.