Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/kitabisa/gokart-action

Integrate GoKart security static analysis to GitHub Actions
https://github.com/kitabisa/gokart-action

actions advanced-security ci code-review gokart golang security static-analysis static-code-analysis static-code-analyzer

Last synced: 7 days ago
JSON representation

Integrate GoKart security static analysis to GitHub Actions

Host: GitHub
URL: https://github.com/kitabisa/gokart-action
Owner: kitabisa
License: mit
Created: 2021-08-29T14:56:27.000Z (about 3 years ago)
Default Branch: master
Last Pushed: 2023-01-11T10:29:59.000Z (almost 2 years ago)
Last Synced: 2024-09-18T17:17:03.826Z (about 2 months ago)
Topics: actions, advanced-security, ci, code-review, gokart, golang, security, static-analysis, static-code-analysis, static-code-analyzer
Language: Dockerfile
Homepage:
Size: 2.93 KB
Stars: 9
Watchers: 8
Forks: 3
Open Issues: 5
Metadata Files:
- Readme: README.md
- License: LICENSE
- Codeowners: CODEOWNERS

Awesome Lists containing this project

README

# GoKart Action

Using this GitHub Action, scan your code with GoKart to finds vulnerabilities using the SSA (single static assignment) form of Go source code¹.

![GoKart Action Proof-of-Concept](https://user-images.githubusercontent.com/25837540/131348481-b57e230b-7472-4fe6-9599-aee2d09dd3e4.png)

## Usage

The workflow, usually declared in `.github/workflows/gokart.yaml` under your Go project repository, looks like:

```yaml
name: GoKart

on:
push:
branches: [ master, main ]
pull_request:
branches: [ master, main ]
schedule:
- cron: 0 0 * * *

jobs:
gokart:
name: GoKart scanner
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write

steps:
- name: Checkout the code
uses: actions/checkout@v2

- name: Run GoKart
uses: kitabisa/[email protected]
with:
globalsTainted: true

- name: Upload GoKart results
uses: github/codeql-action/upload-sarif@v1
```

You can change the analysis base directory and/or analyzer config by using optional input like this:

```yaml
uses: kitabisa/gokart-action@v1
with:
directory: "./path/to/go-project"
input: "./.github/gokart-analyzers.yaml"
```

## Inputs

- `directory` - scan on a Go module in the directory **(default: `.`)**.
- `input` - input path to custom yml _(analyzer config)_ file.
- `output` - _**(Required)**_ file path to write findings output **(default: `results`)**.
- `globalsTainted` - marks global variables as dangerous.

## References

- [1] https://github.com/praetorian-inc/gokart#gokart---go-security-static-analysis
- https://www.praetorian.com/blog/introducing-gokart/

## License

The Dockerfile and associated scripts and documentation in this project are released under the MIT.

Container images built with this project include third party materials.