Home / Linux / System utilities

Static analysis tool for Go that finds vulnerabilities using SSA (single static assignment).

GitHub Action: GoKart Security Static Analysis GoKart is a static analysis tool for Go that finds vulnerabilities using the SSA (single static assignm
Information
Category: Linux / System utilities
Watchers: 1
Star: 3
Fork: 0
Last update: Jan 13, 2022
Resource links
https://github.com/bryk-io/gokart-scan-action

GitHub Action: GoKart Security Static Analysis

Status Version Software License Contributor Covenant

GoKart is a static analysis tool for Go that finds vulnerabilities using the SSA (single static assignment) form of Go source code. It is capable of tracing the source of variables and function arguments to determine whether input sources are safe, which reduces the number of false positives compared to other Go security scanners. For instance, a SQL query that is concatenated with a variable might traditionally be flagged as SQL injection; however, GoKart can figure out if the variable is actually a constant or constant equivalent, in which case there is no vulnerability.

More information: original project.

Usage

Inputs

  • globalsTainted: Marks global variables as dangerous. Either "yes" or "no".
  • verbose: Outputs full trace of taint analysis. Either "yes" or "no".
  • config: Custom configuration file. (path relative to the root of your repository)

Sample step configuration.

steps:
  - name: GoKart scan
    uses: bryk-io/[email protected]
    # example with all parameters
    with:
      globalsTainted: yes
      verbose: yes
      config: tools/gokart_analyzers.yml

Note: The path set on config is relative to the root of your repository.

Code Scanning Integration

In order for GitHub to be able to parse and display the scan results make sure to upload the SARIF results using the github/codeql-action/upload-sarif action.

SARIF (Static Analysis Results Interchange Format) is an OASIS Standard that defines an output file format. The SARIF standard is used to streamline how static analysis tools share their results. Code scanning supports a subset of the SARIF 2.1.0 JSON schema.

To upload a SARIF file from a third-party static code analysis engine, you'll need to ensure that uploaded files use the SARIF 2.1.0 version. GitHub will parse the SARIF file and show alerts using the results in your repository as a part of the code scanning experience.

- name: Upload GoKart results
  uses: github/codeql-action/[email protected]

More information: Code scan integration.

Workflow

Sample workflow file.

name: scan
on:
  # To manually run
  workflow_dispatch: {}
  # To automatically run for all commits on branch 'main'
  push:
    branches:
      - main
jobs:
  # GoKart scan
  scan:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      # Checkout code
      - name: Checkout repository
        uses: actions/[email protected]

      # GoKart scan
      - name: GoKart scan
        uses: bryk-io/[email protected]
      
      # Upload scan results
      - name: Upload GoKart results
        uses: github/codeql-action/[email protected]

To manually trigger this workflow using GitHub's CLI tool.

gh workflow run scan
0 Open More issues
Closed

Bump goreleaser/goreleaser-action from 2.9.1 to 3.0.0

Bumps goreleaser/goreleaser-action from 2.9.1 to 3.0.0.

Release notes

Sourced from goreleaser/goreleaser-action's releases.

v3.0.0

What's Changed

New Contributors

Full Changelog: https://github.com/goreleaser/goreleaser-action/compare/v2.9.1...v3.0.0

Commits
  • 68acf3b chore(deps): bump @​actions/tool-cache from 1.7.2 to 2.0.1 (#355)
  • 46da113 chore: node 16 as default runtime (#343)
  • 223909a chore: update
  • c56d8df Revert "chore(deps): bump @​actions/core from 1.6.0 to 1.8.2 (#354)"
  • d1c2f83 chore(deps): bump @​actions/core from 1.6.0 to 1.8.2 (#354)
  • 5c65fd8 chore(deps): bump @​actions/http-client from 1.0.11 to 2.0.1 (#353)
  • 46cd12b chore(deps): bump yargs from 17.4.1 to 17.5.1 (#352)
  • 822d1bf chore(deps): bump docker/bake-action from 1 to 2 (#346)
  • c25888f chore: update dev dependencies and workflow (#342)
  • ec57748 chore(deps): bump yargs from 17.4.0 to 17.4.1 (#339)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
dependencies 
opened Jun 1, 2022 by dependabot[bot] 1
Closed

Bump goreleaser/goreleaser-action from 2.8.1 to 2.9.1

Bumps goreleaser/goreleaser-action from 2.8.1 to 2.9.1.

Release notes

Sourced from goreleaser/goreleaser-action's releases.

v2.9.1

What's Changed

Full Changelog: https://github.com/goreleaser/goreleaser-action/compare/v2...v2.9.1

v2.9.0

What's Changed

Full Changelog: https://github.com/goreleaser/goreleaser-action/compare/v2.8.1...v2.9.0

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
dependencies 
opened Feb 28, 2022 by dependabot[bot] 1
Closed

Bump goreleaser/goreleaser-action from 2.8.0 to 2.8.1

Bumps goreleaser/goreleaser-action from 2.8.0 to 2.8.1.

Release notes

Sourced from goreleaser/goreleaser-action's releases.

v2.8.1

What's Changed

Full Changelog: https://github.com/goreleaser/goreleaser-action/compare/v2.8.0...v2.8.1

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
dependencies 
opened Jan 31, 2022 by dependabot[bot] 0

Contents

    praetorian-inc GoKart is a static analysis tool for Go that finds vulnerabilities using the SSA form of Go source code
    trustin A command-line tool that converts SAMI (.smi) to SSA/ASS (.ass)
    okanaydin This assignment created for Storytel that gives you basically a post list and its detail with comments.🚀
    gostaticanalysis Tool: godump dumps AST and SSA IR of given source codes
    asticode Manipulate subtitles in GO (.srt, .ssa/.ass, .stl, .ttml, .vtt (webvtt), teletext, etc.)
    OUCyf Including AGU, SSA, CGU, and other meetings and talks...
    SoroushMehraban A game that is developed as an assignment for Computer Intelligence course.
    MattPD A categorized list of C++ resources.
    hlldz A tool that detects the privilege escalation vulnerabilities caused by misconfigurations and missing updates in the Windows operating systems.
    Roave Static analysis on top of mutation testing - prevents escaped mutants from being invalid according to static analysis
    R0X4R A vulnerability fuzzer tool written in bash, it contains most commonly used tools to perform vulnerability scan.
    eclipse Analyses your Java and Python applications for open-source dependencies with known vulnerabilities, using both static analysis and testing to determine code context and usage for greater accuracy. https://eclipse.github.io/steady/
    mandatoryprogrammer A Chrome extension static analysis tool to help aide in security reviews.
    robre Scripthunter is a tool that finds javascript files for a given website
    jeremylong OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
    presidentbeef A static analysis security vulnerability scanner for Ruby on Rails applications
    deepfence Identify vulnerabilities in running containers, images, hosts and repositories
    davidhalter Awesome autocompletion, static analysis and refactoring library for python
    asad70 This program goes thru reddit, finds the most mentioned tickers and uses Vader SentimentIntensityAnalyzer to calculate the ticker compound value.
    protolambda Callgraph analysis and visualization for Go
    nofeaturesonlybugs Package set is a small wrapper around the official reflect package that facilitates loose type conversion and assignment into native Go types.
    Share this repo

    Related Repos


    System utilities
    24
    Files used for reproducing Fuzzware's experiments
    fuzzware-fuzzer Fuzzware Experiments This directory contains the data required to reproduce the experiments from our USENIX 2022 publication Fuzzware: Using Precise M
     
    System utilities
    25
    Presentation plugin for neovim written in lua
    Chaitanyabsprip Presenting.nvim A Presentation plugin written for Neovim in Lua Installation You can install Present with your plugin manager of choice with packer.nv
     
    System utilities
    3
    Static analysis tool for Go that finds vulnerabilities using SSA (single static assignment...
    bryk-io GitHub Action: GoKart Security Static Analysis GoKart is a static analysis tool for Go that finds vulnerabilities using the SSA (single static assignm
     
    System utilities
    3
    Railway for Alist
    alist-org alist-railway Railway for Alist Usage Fork this repo Open Railway and click New Object Choose the repo that you forked and select the mysql branch Add
     
    System utilities
    19
    Basic Recon For Bug Bounty Hunter - "HuntTheBug" is Basic Scripts For Sub Domain Enumerati...
    vikrantbatra05 Basic Recon For Bug Bounty Hunter - "HuntTheBug" is Basic Scripts For Sub Domain Enumeration> Live Domain Enumeration > Sub Domain Hijack > URL + JavaScript Scan > Dir Brute Forcing > Open Port Check With Telegram Bot Notification
     
    System utilities
    84
    Extensible Neovim Scrollbar
    petertriho nvim-scrollbar Extensible Neovim Scrollbar 🚧 WORK IN PROGRESS 🚧 This is a work in progress and breaking changes to the setup/config could occur in t
     
    System utilities
    5
    😎😘 Free Windows 11 VPS for 4 Hours ! Easy Method!
    kmille36 Windows 11 RDP Here this tutorial using Azure Cloud Shell to create Virtual Machine on Microsoft Learn Sandbox. 😎 Its Four Hours RDP Completely Free
     
    System utilities
    3
    My configuraion files
    3Kevi Welcome! Here you can find my Void Linux dotfiles. Overview OS: Void Window manager: bspwm Terminal: kitty Shell: zsh Bar: Polybar Compositor: picom P
     
    System utilities
    3
    An especially small & quick & simple Algolia docsearch Indices upload action
    guzhongren algolia-docsearch-upload-action An especially small & quick & simple Algolia docsearch Indices upload action Usage - name: Algolia Docsearch Uploa
     
    System utilities
    35
    A simple and transparent alternative to boot2docker (backed by Vagrant)
    shyiko docker-vm The easiest way to get started with Docker on Mac OS X (tested on OS X Yosemite 10.10.1) and Windows (tested on Windows 10 Pro Insider Previ
     
    System utilities
    518
    GitOps powered K8s app suite with developer self-service
    redkubes Shift left with Otomi Otomi makes developers self-serving and helps DevOps teams to guarantee application security and availability at the earliest st
     
    System utilities
    102
    Awesome Bug bounty builder Project
    0xJin Awesome Bug Bounty Builder ¯\(ツ)/¯ Awesome Bug bounty builder Project - ALL common Tools for find your Vulnerabilities. Tested on Debian. Installation
     
    System utilities
    2
    Ready-to-use VSCode setup to preview/convert markdown documents
    logwolvy Ready-to-use VSCode setup to preview/convert markdown documents
     
    System utilities
    6.2k
    Testing TLS/SSL encryption anywhere on any port
    drwetter Testing TLS/SSL encryption anywhere on any port
     
    System utilities
    519
    Vegile - Ghost In The Shell
    Screetsec Vegile is a tool for Post exploitation Techniques in linux. Post Exploitation techniques will ensure that we maintain some level of access and can potentially lead to deeper footholds into our targets trusted network.