implement initial sudocheck CLI

Author: Евгений Балякин

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,18 @@
+---
+name: Bug report
+about: Report incorrect behavior
+labels: bug
+---
+
+## Version
+
+## OS / distro
+
+## Command
+
+## Expected behavior
+
+## Actual behavior
+
+## Reproduction
+

.github/ISSUE_TEMPLATE/false_positive.md

@@ -0,0 +1,14 @@
+---
+name: False positive
+about: Report a finding that should be downgraded or ignored
+labels: false-positive
+---
+
+## Finding
+
+## Why it is expected
+
+## Distro / image
+
+## Suggested severity
+

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,12 @@
+---
+name: Feature request
+about: Suggest a focused improvement
+labels: enhancement
+---
+
+## Use case
+
+## Proposed behavior
+
+## Alternatives considered
+

.github/ISSUE_TEMPLATE/missing_mapping.md

@@ -0,0 +1,14 @@
+---
+name: Missing GTFOBins mapping
+about: Report a binary or technique that should be mapped
+labels: data
+---
+
+## Binary
+
+## Source
+
+## Function type
+
+## Reference
+

.github/workflows/ci.yml

@@ -0,0 +1,17 @@
+name: CI
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: "1.22"
+      - run: go test ./...
+      - run: go vet ./...
+

.github/workflows/codeql.yml

@@ -0,0 +1,23 @@
+name: CodeQL
+
+on:
+  push:
+  pull_request:
+  schedule:
+    - cron: "0 3 * * 1"
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      packages: read
+      actions: read
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+      - uses: github/codeql-action/init@v3
+        with:
+          languages: go
+      - uses: github/codeql-action/analyze@v3
+

.github/workflows/release.yml

@@ -0,0 +1,27 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*"
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-go@v5
+        with:
+          go-version: "1.22"
+      - uses: sigstore/cosign-installer@v3
+      - uses: goreleaser/goreleaser-action@v6
+        with:
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+

.gitignore

@@ -0,0 +1,6 @@
+sudocheck
+*.sarif
+*.baseline.json
+dist/
+.DS_Store
+

.goreleaser.yml

@@ -0,0 +1,44 @@
+version: 2
+
+builds:
+  - main: .
+    binary: sudocheck
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+      - arm
+    ldflags:
+      - -s -w -X main.version={{.Version}}
+
+archives:
+  - format: tar.gz
+    name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}"
+
+checksum:
+  name_template: checksums.txt
+
+signs:
+  - cmd: cosign
+    args:
+      - sign-blob
+      - --yes
+      - --output-signature=${signature}
+      - ${artifact}
+    artifacts: checksum
+
+changelog:
+  sort: asc
+
+nfpms:
+  - package_name: sudocheck
+    homepage: https://github.com/evgenybalyakin/sudocheck
+    maintainer: evgenybalyakin
+    description: Linux privilege escalation audit with GTFOBins mapping
+    license: MIT
+    formats:
+      - deb
+      - rpm

CONTRIBUTING.md

@@ -0,0 +1,23 @@
+# Contributing
+
+Contributions are welcome when they keep sudocheck focused: fast privilege escalation auditing with actionable
+remediation.
+
+Good first contributions:
+
+- add a remediation entry in `data/remediations.json`;
+- add an expected SUID path in `data/defaults.json`;
+- add scanner parser fixtures;
+- add a GTFOBins-compatible database entry;
+- improve SARIF or JSON output tests.
+
+Before opening a PR:
+
+```sh
+gofmt -w main.go cmd internal data scripts
+GOCACHE=/tmp/sudocheck-go-build go test ./...
+go vet ./...
+```
+
+Do not add code that executes exploit commands. sudocheck explains risk; it does not exploit systems.
+