fix: replace gokart with staticcheck

Gokart is seemingly abandoned. Using go > 1.19 causes panics. Looking at their github shows an open issue since Feburary about it with no comment. staticheck is another SAST tool with sarif output, so let's try that.
in-toto · Jun 22, 2023 · fd6b26d · fd6b26d
1 parent 8335488
commit fd6b26d
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -27,15 +27,16 @@ jobs:
             ${{ runner.os }}-go-
       - name: Format Unix
         run: test -z $(go fmt ./...)
+
       - name: Install GoKart
-        run: go install github.com/praetorian-inc/gokart@latest
+        run: go install honnef.co/go/tools/cmd/staticcheck@2023.1.1 
 
       - name: Static Analysis
         uses: testifysec/witness-run-action@bdd82729b316d071606007cc9eecae326429caaf
         with:
           step: static-analysis
           attestations: "github sarif"
-          command: gokart scan . -o sarif-results.json -s
+          command: staticcheck -f sarif ./... > sarif-results.json
 
       - name: Test
         uses: testifysec/witness-run-action@bdd82729b316d071606007cc9eecae326429caaf