GitHub Action

GoKart Scanner

v1.0.0 Latest version

Scan your code with GoKart to find vulnerabilities using the SSA (static single assignment) form of Go source code.

Installation

Copy and paste the following snippet into your .yml file.

              

- name: GoKart Scanner
  uses: kitabisa/gokart-action@v1.0.0

Learn more about this action in kitabisa/gokart-action

GoKart Action

Using this GitHub Action, scan your code with GoKart to find vulnerabilities using the SSA (static single assignment) form of Go source code¹.

Usage

The workflow, usually declared in .github/workflows/gokart.yaml in your Go project repository, looks like:

name: GoKart

on:
  push:
    branches: [ master, main ]
  pull_request:
    branches: [ master, main ]
  schedule:
    - cron: 0 0 * * *

jobs:
  gokart:
    name: GoKart scanner
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write

    steps:
    - name: Checkout the code
      uses: actions/checkout@v2

    - name: Run GoKart
      uses: kitabisa/gokart-action@v1.0.0
      with:
        globalsTainted: true

    - name: Upload GoKart results
      uses: github/codeql-action/upload-sarif@v1
      with:
        # File written by the GoKart step (its default output path)
        sarif_file: results

You can change the analysis base directory and/or the analyzer config with the optional inputs, like this:

uses: kitabisa/gokart-action@v1
with:
  directory: "./path/to/go-project"
  input: "./.github/gokart-analyzers.yaml"

Inputs

  • directory - directory of the Go module to scan (default: .).
  • input - path to a custom analyzer config (yml) file.
  • output - (Required) file path to write the findings to (default: results).
  • globalsTainted - marks global variables as dangerous.
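
The kind of data flow globalsTainted is aimed at, as an added example (not code from GoKart or from this action): a package-level variable reaches a command-execution call, shown next to a variant that validates its inputs first. The names ArchiveTool, listUnsafe and listSafe and the allowlist values are hypothetical; whether a given GoKart run reports the first function depends on its analyzer config.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
)

// ArchiveTool is a hypothetical package-level variable. Any code in the
// program (flag parsing, config loading, an init function) can overwrite it,
// so an analysis that treats globals as tainted considers it untrusted.
var ArchiveTool = "tar"

// listUnsafe passes the global straight to a command-execution sink.
func listUnsafe(archive string) *exec.Cmd {
	return exec.Command(ArchiveTool, "-tf", archive)
}

// Allowlists for the hardened variant (constructed sample values).
var allowedTools = map[string]bool{"tar": true, "bsdtar": true}
var safeArchive = regexp.MustCompile(`^[A-Za-z0-9._/-]+$`)

// listSafe validates both values before they reach exec.Command.
func listSafe(tool, archive string) (*exec.Cmd, error) {
	if !allowedTools[tool] {
		return nil, fmt.Errorf("tool %q is not on the allowlist", tool)
	}
	if !safeArchive.MatchString(archive) {
		return nil, fmt.Errorf("archive name %q rejected", archive)
	}
	return exec.Command(tool, "-tf", archive), nil
}

func main() {
	ArchiveTool = "sh" // simulates another package overwriting the global
	fmt.Println("unsafe argv:", listUnsafe("backup.tar").Args)
	if _, err := listSafe(ArchiveTool, "backup.tar"); err != nil {
		fmt.Println("safe variant:", err)
	}
}
```

Neither function starts a process; exec.Command only builds the command, so the example can be run to compare the two argument vectors.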

References

License

The Dockerfile and associated scripts and documentation in this project are released under the MIT License.

Container images built with this project include third party materials.