https://github.com/praetorian-inc/gokart
Latest commit: ab61976 "Initial commit", Aug 18, 2021 (14 authors; co-authored by Adam Batori, Anthony Weems, Brian, Garrett Gu, Harry Wallace, James, James Austgen, John Stawinski, Michael Weber, Richard Ford, Steven Cheng, Tristan Wiesepape, isp1r0, jstawinski, michael.lindsey, mjl-praetorian and praetorian-james). 1 commit.
Repository contents (all from the initial commit, Aug 18, 2021): .github/workflows, analyzers, cmd, docs, run, test, util, .gitignore, .goreleaser.yml, CODE_OF_CONDUCT.md, CONTRIBUTING.md, LICENSE, README.md, SECURITY.md, go.mod, go.sum, main.go

# GoKart - Go Security Static Analysis

GoKart is a static analysis tool for Go that finds vulnerabilities using the SSA (static single assignment) form of Go source code. It is capable of tracing the source of variables and function arguments to determine whether input sources are safe, which reduces the number of false positives compared to other Go security scanners. For instance, a SQL query that is concatenated with a variable might traditionally be flagged as SQL injection; however, GoKart can figure out whether the variable is actually a constant or constant equivalent, in which case there is no vulnerability.

## Why We Built GoKart

Static analysis is a powerful technique for finding vulnerabilities in source code. However, the approach has suffered from being noisy - that is, many static analysis tools find quite a few "vulnerabilities" that are not actually real. This has led to developer friction as users get tired of the tools "crying wolf" one time too many. The motivation for GoKart was to address this: could we create a scanner with significantly lower false positive rates than existing tools? Based on our experimentation the answer is yes. By leveraging source-to-sink tracing and SSA, GoKart is capable of tracking variable taint between variable assignments, significantly improving the accuracy of findings. Our focus is on usability: pragmatically, that means we have optimized our approaches to reduce false alarms.

## Install

You can install GoKart locally by using any one of the options listed below.

### Install with go install

```shell
$ go install github.com/praetorian-inc/gokart@latest
```

### Install a release binary

1. Download the binary for your OS from the releases page.
2. (OPTIONAL) Download the checksums.txt file to verify the integrity of the archive:

   ```shell
   # Check the checksum of the downloaded archive
   $ shasum -a 256 gokart_${VERSION}_${ARCH}.tar.gz
   b05c4d7895be260aa16336f29249c50b84897dab90e1221c9e96af9233751f22  gokart_${VERSION}_${ARCH}.tar.gz
   $ cat gokart_${VERSION}_${ARCH}_checksums.txt | grep gokart_${VERSION}_${ARCH}.tar.gz
   b05c4d7895be260aa16336f29249c50b84897dab90e1221c9e96af9233751f22  gokart_${VERSION}_${ARCH}.tar.gz
   ```

3. Extract the downloaded archive:

   ```shell
   $ tar -xvf gokart_${VERSION}_${ARCH}.tar.gz
   ```

4. Move the gokart binary into your path:

   ```shell
   $ mv ./gokart /usr/local/bin/
   ```

### Clone and build yourself

```shell
# clone the GoKart repo
$ git clone https://github.com/praetorian-inc/gokart.git
# navigate into the repo directory and build
$ cd gokart
$ go build
# Move the gokart binary into your path
$ mv ./gokart /usr/local/bin
```

## Usage

### Run GoKart on a Go module in the current directory

```shell
# running without a directory specified defaults to '.'
gokart scan
```

### Scan a Go module in a different directory

```shell
# <directory> is a placeholder for the path of the module to scan
gokart scan <directory>
```

### Get Help

```shell
gokart help
```

## Getting Started - Scanning an Example App

You can follow the steps below to run GoKart on Go Test Bench, an intentionally vulnerable Go application from the Contrast Security team.

```shell
# Clone sample vulnerable application
git clone https://github.com/Contrast-Security-OSS/go-test-bench.git
gokart scan go-test-bench/
```

Output should show some identified vulnerabilities, each with a Vulnerable Function and a Source of User Input identified.

To test some additional GoKart features, you can scan with the CLI flags suggested below.

```shell
# Use verbose flag to show full traces of these vulnerabilities
gokart scan go-test-bench/ -v

# Use globalsTainted flag to ignore whitelisted Sources
# may increase false positive results
gokart scan go-test-bench/ -v -g

# Use debug flag to display internal analysis information
# which is useful for development and debugging
gokart scan go-test-bench/ -d

# Output results in sarif format
gokart scan go-test-bench/ -s
```

To test out the extensibility of GoKart, you can modify the configuration file that GoKart uses to introduce a new vulnerable sink into analysis. There is a Test Sink analyzer defined in the included default config file at util/analyzers.yml. Modify util/analyzers.yml to remove the comments on the Test Sink analyzer and then direct GoKart to use the modified config file with the -i flag.

```shell
# Scan using modified analyzers.yml file and output full traces
gokart scan go-test-bench/ -v -i /util/analyzers.yml
```

Output should now contain additional vulnerabilities, including new "Test Sink reachable by user input" vulnerabilities.

## Run GoKart Tests

You can run the included tests with the following command, invoked from the GoKart root directory.

```shell
go test -v ./...
```
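To make the constant-versus-tainted distinction from the introduction concrete, here is an added example (not GoKart's own code) that applies a deliberately simplified, source-order version of the same idea using only the standard library's go/ast: any method call named Query is treated as the SQL sink, and a name counts as constant-equivalent when its most recent assignment is a string literal. The sample program, the sink name and the helper names are constructed for this illustration; the parameterised call is left unflagged, which is the remediation a scan should steer you towards.

```go
package main
import (
	"go/ast"
	"go/parser"
	"go/token"
)
// Constructed sample (hypothetical, not GoKart code); it is parsed, never type-checked. Line 6 is the injectable call.
const sample = `package p
func handler(db DB, r Req) {
	table := "users"                   // constant-equivalent variable
	db.Query("SELECT * FROM " + table) // safe: every operand is constant
	name := r.FormValue("name")        // user-controlled input
	db.Query("SELECT * FROM users WHERE name = '" + name + "'") // injectable
	db.Query("SELECT * FROM users WHERE name = ?", name)        // parameterised
}`
// isConstExpr: a literal, a name currently bound to a literal, or a '+' of those.
func isConstExpr(e ast.Expr, consts map[string]bool) bool {
	switch x := e.(type) {
	case *ast.BasicLit:
		return true
	case *ast.Ident:
		return consts[x.Name]
	case *ast.BinaryExpr:
		return x.Op == token.ADD && isConstExpr(x.X, consts) && isConstExpr(x.Y, consts)
	}
	return false
}

// FindTaintedQueries returns the line of every call to a method named Query whose query argument
// is not constant-equivalent at that point in source order (a straight-line stand-in for GoKart's SSA tracing).
func FindTaintedQueries(src string) []int {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "sample.go", src, 0)
	if err != nil { panic(err) }
	consts, lines := map[string]bool{}, []int(nil)
	ast.Inspect(f, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.AssignStmt: // x = <literal> makes x constant-equivalent; anything else taints it
			if id, ok := x.Lhs[0].(*ast.Ident); ok && len(x.Rhs) == 1 {
				_, consts[id.Name] = x.Rhs[0].(*ast.BasicLit)
			}
		case *ast.CallExpr: // sink: flag unless the query string is built only from constants
			if sel, ok := x.Fun.(*ast.SelectorExpr); ok && sel.Sel.Name == "Query" && len(x.Args) > 0 && !isConstExpr(x.Args[0], consts) {
				lines = append(lines, fset.Position(x.Pos()).Line)
			}
		}
		return true
	})
	return lines
}
```

Running FindTaintedQueries over the sample reports only line 6; the constant-built query on line 4 and the parameterised query on line 7 are not reported, which is the false-positive reduction the introduction describes.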
About: A static analysis tool for securing Go code. Topics: golang, security, static-code-analysis, static-analysis, security-tools. License: Apache-2.0. Releases: 1 (v0.1.0, latest, Aug 18, 2021). Contributors: 11 (@mjl-praetorian, @amlweems, @HCAdam, @garrettgu10, @isp1r0, @qwetboy10, @michaelweber, @praetorian-harry, @jstawinski, @praetorian-james, @dickyford). Languages: Go 100.0%.