• This repository has been archived on 09/Apr/2024
  • Stars
    star
    2,176
  • Rank 21,195 (Top 0.5 %)
  • Language
    Go
  • License
    Apache License 2.0
  • Created about 3 years ago
  • Updated 10 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A static analysis tool for securing Go code

GoKart - Go Security Static Analysis

CI Release

GoKart is a static analysis tool for Go that finds vulnerabilities using the SSA (single static assignment) form of Go source code. It is capable of tracing the source of variables and function arguments to determine whether input sources are safe, which reduces the number of false positives compared to other Go security scanners. For instance, a SQL query that is concatenated with a variable might traditionally be flagged as SQL injection; however, GoKart can figure out if the variable is actually a constant or constant equivalent, in which case there is no vulnerability.

GoKart also helps to power Chariot, Praetorian's security platform that helps you find, manage, and fix vulnerabilities in your source code and cloud environments. Chariot makes it simple to run automated, continuous GoKart scans on your source code. If you want to try GoKart, you can set up a free Chariot account in minutes by clicking here.

Why We Built GoKart

Static analysis is a powerful technique for finding vulnerabilities in source code. However, the approach has suffered from being noisy - that is, many static analysis tools find quite a few "vulnerabilities" that are not actually real. This has led to developer friction as users get tired of the tools "crying wolf" one time too many.

The motivation for GoKart was to address this: could we create a scanner with significantly lower false positive rates than existing tools? Based on our experimentation the answer is yes. By leveraging source-to-sink tracing and SSA, GoKart is capable of tracking variable taint between variable assignments, significantly improving the accuracy of findings. Our focus is on usability: pragmatically, that means we have optimized our approaches to reduce false alarms.

For more information, please read our blog post.

Install

You can install GoKart locally by using any one of the options listed below.

Install with go install

$ go install github.com/praetorian-inc/gokart@latest

Install a release binary

  1. Download the binary for your OS from the releases page.

  2. (OPTIONAL) Download the checksums.txt file to verify the integrity of the archive

# Check the checksum of the downloaded archive
$ shasum -a 256 gokart_${VERSION}_${ARCH}.tar.gz
b05c4d7895be260aa16336f29249c50b84897dab90e1221c9e96af9233751f22  gokart_${VERSION}_${ARCH}.tar.gz

$ cat gokart_${VERSION}_${ARCH}_checksums.txt | grep gokart_${VERSION}_${ARCH}.tar.gz
b05c4d7895be260aa16336f29249c50b84897dab90e1221c9e96af9233751f22  gokart_${VERSION}_${ARCH}.tar.gz
  1. Extract the downloaded archive
$ tar -xvf gokart_${VERSION}_${ARCH}.tar.gz
  1. Move the gokart binary into your path:
$ mv ./gokart /usr/local/bin/

Clone and build yourself

# clone the GoKart repo
$ git clone https://github.com/praetorian-inc/gokart.git

# navigate into the repo directory and build
$ cd gokart
$ go build

# Move the gokart binary into your path
$ mv ./gokart /usr/local/bin

Docker Support

Build the docker image

docker build -t gokart .

Running the container with a local scan (the local scan directory needs to be mounted to the container image)

docker run -v /path/to/scan-dir:/scan-dir gokart scan /scan-dir

Running the container with a remote scan (when specifying a private key for auth, that will also need to be mounted to the container)

docker run gokart scan -r https://github.com/praetorian-inc/gokart

# specifying a private key for private repository ssh authentication
docker run -v /path/to/key-dir/:/key-dir gokart scan -r [email protected]:praetorian-inc/gokart.git -k /key-dir/ssh_key

Usage

Run GoKart on a Go module in the current directory

# running without a directory specified defaults to '.'
gokart scan <flags>

Scan a Go module in a different directory

gokart scan <directory> <flags> 

Get Help

gokart help

Getting Started - Scanning an Example App

You can follow the steps below to run GoKart on Go Test Bench, an intentionally vulnerable Go application from the Contrast Security team.

# Clone sample vulnerable application
git clone https://github.com/Contrast-Security-OSS/go-test-bench.git
gokart scan go-test-bench/

Output should show some identified vulnerabilities, each with a Vulnerable Function and Source of User Input identified.

To test some additional GoKart features, you can scan with the CLI flags suggested below.

# Use verbose flag to show full traces of these vulnerabilities
gokart scan go-test-bench/ -v

# Use globalsTainted flag to ignore whitelisted Sources
# may increase false positive results
gokart scan go-test-bench/ -v -g

# Use debug flag to display internal analysis information
# which is useful for development and debugging
gokart scan go-test-bench/ -d

# Output results in sarif format
gokart scan go-test-bench/ -s

# Output results to file
gokart scan go-test-bench/ -o gokart-go-test-bench.txt

# Output scarif results to file
gokart scan go-test-bench/ -o gokart-go-test-bench.txt -s

# Scan remote public repository 
# Repository will be cloned locally, scanned and deleted afterwards
gokart scan -r https://github.com/ShiftLeftSecurity/shiftleft-go-demo -v

# Specify the remote branch to scan
gokart scan -r https://github.com/ShiftLeftSecurity/shiftleft-go-demo -b actions_fix

# Scan remote private repository via ssh
gokart scan -r [email protected]:Contrast-Security-OSS/go-test-bench.git 

# Scan remote private repository and optionally specify a key for ssh authentication 
gokart scan -r [email protected]:Contrast-Security-OSS/go-test-bench.git -k /home/gokart/.ssh/github_rsa_key

# Use remote scan and output flags together for seamless security reviews
gokart scan -r https://github.com/ShiftLeftSecurity/shiftleft-go-demo -o gokart-shiftleft-go-demo.txt -v 

# Use remote scan, output and sarif flags for frictionless integration into CI/CD
gokart scan -r https://github.com/ShiftLeftSecurity/shiftleft-go-demo -o gokart-shiftleft-go-demo.txt -s

To test out the extensibility of GoKart, you can modify the configuration file that GoKart uses to introduce a new vulnerable sink into analysis. There is a Test Sink analyzer defined in the included default config file at util/analyzers.yml. Modify util/analyzers.yml to remove the comments on the Test Sink analyzer and then direct GoKart to use the modified config file with the -i flag.

# Scan using modified analyzers.yml file and output full traces
gokart scan go-test-bench/ -v -i <path-to-gokart>/util/analyzers.yml

Output should now contain additional vulnerabilities, including new "Test Sink reachable by user input" vulnerabilities.

Run GoKart Tests

You can run the included tests with the following command, invoked from the GoKart root directory.

go test -v ./...

More Repositories

1

noseyparker

Nosey Parker is a command-line program that finds secrets and sensitive information in textual data and Git history.
Rust
1,657
star
2

Hob0Rules

Password cracking rules for Hashcat based on statistics and industry patterns
1,441
star
3

pentestly

Python and Powershell internal penetration testing framework
Python
717
star
4

purple-team-attack-automation

Praetorian's public release of our Metasploit automation of MITRE ATT&CKâ„¢ TTPs
Ruby
713
star
5

PortBender

TCP Port Redirection Utility
C
668
star
6

DVRF

The Damn Vulnerable Router Firmware Project
HTML
668
star
7

fingerprintx

Standalone utility for service discovery on open ports!
Go
561
star
8

gato

GitHub Actions Pipeline Enumeration and Attack Tool
Python
539
star
9

trudy

A transparent proxy that can modify and drop traffic for arbitrary TCP connections.
Go
275
star
10

pyshell

PyShell makes interacting with web-based command injection less painful, emulating the feel of an interactive shell as much as possible.
Python
253
star
11

mitm-vm

An easy-to-deploy virtual machine that can provide flexible man-in-the-middle capabilities.
Shell
195
star
12

gladius

Automated Responder/secretsdump.py cracking
Python
181
star
13

snowcat

a tool to audit the istio service mesh
Go
173
star
14

vulcan

a tool to make it easy and fast to test various forms of injection
C++
172
star
15

ADFSRelay

Proof of Concept Utilities Developed to Research NTLM Relaying Attacks Targeting ADFS
Go
171
star
16

goffloader

A Go implementation of Cobalt Strike style BOF/COFF loaders.
Go
151
star
17

trident

automated password spraying tool
Go
145
star
18

NTLMRecon

A tool for performing light brute-forcing of HTTP servers to identify commonly accessible NTLM authentication endpoints.
Go
79
star
19

epictreasure

radare, angr, pwndbg, binjitsu, ect in a box ready for pwning
Shell
75
star
20

INTRACTABLEGIRAFFE

A Proof of Concept Rootkit Demonstrating Keylogging and Virtual File System (VFS) Capabilities
C
73
star
21

hashcatJS

An implementation of the hashcat rules engine in javascript
JavaScript
47
star
22

proxylogon-exploit

Proof-of-concept exploit for CVE-2021-26855 and CVE-2021-27065. Unauthenticated RCE in Exchange.
Python
45
star
23

slack-c2bot

Slack C2bot that executes commands and returns the output.
Go
44
star
24

ruby_hashcat

Command line wrapper, Library, and Rest API for oclHashcat.
Ruby
40
star
25

dert

DNS Enumeration and Reconnaissance Tool
Ruby
37
star
26

Matryoshka

Matryoshka loader is a tool that red team operators can leverage to generate shellcode for Microsoft Office document phishing payloads.
C
37
star
27

Okta_Watering_Hole

Next Generation Phishing Tool For Internal / Red Teams
Python
35
star
28

ctf-writeups

Collection of Praetorian solutions to CTF challenges
OpenEdge ABL
25
star
29

chariot-ui

Chariot Offensive Security Platform
TypeScript
21
star
30

konstellation

Konstellation is a configuration-driven CLI tool to enumerate cloud resources and store the data into Neo4j.
Cypher
19
star
31

bsidesaustin

Python
14
star
32

chariot-launch-nuclei-templates

12
star
33

burp-wcf-gzip

Burp extension for decoding WCF-gzipped requests.
Python
12
star
34

gcloud-lockdown

Scripts to demonstrate VPC Service Controls between tenant and shared projects
Shell
12
star
35

highlight

Text file to BMP image with box drawing and blurring from the command line
C
9
star
36

log4j-detector

Log4j detector and reporting server for scalable detection of vulnerable running processes.
Go
7
star
37

sonicwall-nsv-decrypter

C
6
star
38

aws-labs

Shell
5
star
39

tpm_bound_sa_key

Go
5
star
40

rpi-setup

set up rpi for zbwardrive
Python
5
star
41

zeroqlik-detect

A Nuclei template to detect ZeroQlik (CVE-2023-41265 and CVE-2023-41266)
4
star
42

product-frontend-interview

JavaScript
3
star
43

product-backend-interview

Java
1
star
44

praetorian-cli

CLI and SDK for interacting with the Praetorian Chariot platform
Python
1
star