fix: replace gokart with staticcheck

Gokart is seemingly abandoned. Using go > 1.19 causes panics. Looking at their github shows an open issue since Feburary about it with no comment. staticheck is another SAST tool with sarif output, so let's try that.
in-toto · Jun 22, 2023 · 06f983d · 06f983d
1 parent 8335488
commit 06f983d
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -35,7 +35,7 @@ jobs:
         with:
           step: static-analysis
           attestations: "github sarif"
-          command: gokart scan . -o sarif-results.json -s
+          command: staticcheck -f sarif ./... > sarif-results.json
 
       - name: Test
         uses: testifysec/witness-run-action@bdd82729b316d071606007cc9eecae326429caaf