https://github.com/praetorian-inc/gokart
GoKart is a static analysis tool for Go that finds vulnerabilities using the SSA (single static assignment) form of Go source code. It is capable of tracing the source of variables and function arguments to determine whether input sources are safe, which reduces the number of false positives compared to other Go security scanners. For instance, a SQL query that is concatenated with a variable might traditionally be flagged as SQL injection; however, GoKart can figure out if the variable is actually a constant or constant equivalent, in which case there is no vulnerability.
GoKart also helps to power Chariot, Praetorian's security platform that helps you find, manage, and fix vulnerabilities in your source code and cloud environments. Chariot makes it simple to run automated, continuous GoKart scans on your source code. If you want to try GoKart, you can set up a free Chariot account in minutes by clicking here.
Static analysis is a powerful technique for finding vulnerabilities in source code. However, the approach has suffered from being noisy - that is, many static analysis tools find quite a few "vulnerabilities" that are not actually real. This has led to developer friction as users get tired of the tools "crying wolf" one time too many.
The motivation for GoKart was to address this: could we create a scanner with significantly lower false positive rates than existing tools? Based on our experimentation the answer is yes. By leveraging source-to-sink tracing and SSA, GoKart is capable of tracking variable taint between variable assignments, significantly improving the accuracy of findings. Our focus is on usability: pragmatically, that means we have optimized our approaches to reduce false alarms.