init 1

Dockerfile

@@ -0,0 +1,19 @@
+FROM golang:1.16-alpine
+
+LABEL com.github.actions.color="green"
+LABEL com.github.actions.description="Scan your code with GoKart to finds vulnerabilities using the SSA (single static assignment) form of Go source code."
+LABEL com.github.actions.icon="check"
+LABEL com.github.actions.name="GoKart Scanner"
+LABEL description="Integrate GoKart security static analysis to GitHub Actions"
+LABEL maintainer="dwisiswant0"
+LABEL repository="https://github.com/kitabisa/gokart-action"
+
+ARG version="v0.2.0"
+ENV CGO_ENABLED=0
+RUN \
+	go install github.com/praetorian-inc/gokart@${version} && \
+	apk add --no-cache bash findutils
+COPY entrypoint.sh /bin/entrypoint
+RUN chmod +x /bin/entrypoint
+
+ENTRYPOINT ["/bin/entrypoint"]

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021 Dwi Siswanto
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,76 @@
+# GoKart Action
+
+Using this GitHub Action, scan your code with GoKart to finds vulnerabilities using the SSA (single static assignment) form of Go source code¹.
+
+![GoKart Action Proof-of-Concept](https://user-images.githubusercontent.com/25837540/131348481-b57e230b-7472-4fe6-9599-aee2d09dd3e4.png)
+
+## Usage
+
+The workflow, usually declared in `.github/workflows/gokart.yaml` under your Go project repository, looks like:
+
+```yaml
+name: GoKart
+
+on:
+  push:
+    branches: [ master, main ]
+  pull_request:
+    branches: [ master, main ]
+  schedule:
+    - cron: 0 0 * * *
+
+env:
+  GOKART_OUTPUT: "output.sarif"
+
+jobs:
+  gokart:
+    name: GoKart scanner
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+
+    steps:
+    - name: Checkout the code
+      uses: actions/checkout@v2
+
+    - name: Run GoKart
+      uses: kitabisa/gokart-action@v1
+      with:
+        globalsTainted: true
+        output: ${{ env.GOKART_OUTPUT }}
+
+    - name: Upload GoKart results
+      uses: github/codeql-action/upload-sarif@v1
+      with:
+        sarif_file: ${{ env.GOKART_OUTPUT }}
+```
+
+You can change the analysis base directory and/or analyzer config by using optional input like this:
+
+```yaml
+uses: kitabisa/gokart-action@v1
+with:
+  directory: "./path/to/go-project"
+  input: "./.github/gokart-analyzers.yaml"
+```
+
+## Inputs
+
+- `directory` - scan on a Go module in the directory **(default: `.`)**.
+- `input` - input path to custom yml _(analyzer config)_ file.
+- `output` - _**(Required)**_ file path to write findings output **(default: `results`)**.
+- `globalsTainted` - marks global variables as dangerous.
+<!-- - `remoteModule` - remote go module to scan.
+- `debug` - outputs debug logs.
+- `verbose` - outputs full trace of taint analysis. -->
+
+## References
+
+- [1] https://github.com/praetorian-inc/gokart#gokart---go-security-static-analysis
+- https://www.praetorian.com/blog/introducing-gokart/
+
+## License
+
+The Dockerfile and associated scripts and documentation in this project are released under the MIT.
+
+Container images built with this project include third party materials.

action.yaml

@@ -0,0 +1,36 @@
+name: "GoKart Scanner"
+description: "Scan your code with GoKart to finds vulnerabilities using the SSA (single static assignment) form of Go source code."
+author: "Dwi Siswanto"
+
+branding:
+  icon: "check"
+  color: "green"
+
+runs:
+  using: "docker"
+  image: "Dockerfile"
+
+inputs:
+  directory:
+    description: "scan on a Go module in the directory"
+    required: false
+    default: "."
+  input:
+    description: "input path to custom yml file"
+    required: false
+  output:
+    description: "file path to write findings output"
+    required: true
+    default: "results"
+  globalsTainted:
+    description: "marks global variables as dangerous"
+    required: false
+  remoteModule:
+    description: "Remote gomodule to scan"
+    required: false
+  debug:
+    description: "outputs debug logs"
+    required: false
+  verbose:
+    description: "outputs full trace of taint analysis"
+    required: false

entrypoint.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -e
+
+if [[ ! -f "${INPUT_DIRECTORY}/go.mod" ]] || [[ $(find "${INPUT_DIRECTORY}" -name "*.go" -type f -printf "." | wc -c) == "0" ]]; then
+	echo "There's no Go module inside and/or it's not Go project. No need to run analysis."
+	exit 1
+fi
+
+CMD="/go/bin/gokart scan ${INPUT_DIRECTORY}"
+CMD+=" -s -o ${INPUT_OUTPUT}"
+[[ ! -z ${INPUT_INPUT} ]] && CMD+=" -i ${INPUT_INPUT}"
+[[ ! -z ${INPUT_GLOBALSTAINTED} ]] && CMD+=" -g"
+[[ ! -z ${INPUT_REMOTEMODULE} ]] && CMD+=" -r ${INPUT_REMOTEMODULE}"
+[[ ! -z ${INPUT_DEBUG} ]] && CMD+=" -d"
+[[ ! -z ${INPUT_VERBOSE} ]] && CMD+=" -v"
+
+eval "${CMD}"
+
+if [[ ! -f "${INPUT_OUTPUT}" ]]; then
+	echo "No results. ¯\_(ツ)_/¯"
+	exit 1
+fi