ci(security): add cargo-audit CVE scanning to CI pipeline #26
Merged
Sets up a minimal Rust integration test framework using httpmock (mock HTTP server) and assert_cmd (CLI subprocess runner). Adds 7 smoke tests covering 4 commands:
- health: happy-path + connection-refused failure path
- namespace list: empty response + non-empty JSON output
- namespace policy get: verifies rate_limit_enabled field returned (SEC-5)
- namespace policy set: enables and disables rate limiting (SEC-5 regression guard)

No running Dakera server is required — each test is fully self-contained.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

rustfmt collapses single-arg .args() chains onto one line. No logic changes.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Adds a Security Audit job that runs cargo-audit on every PR and push to main. Catches RUSTSEC vulnerabilities automatically — fixes the detection gap identified in DAK-1517 (v9.x security gap).
- Job runs on arm64 runner (consistent with all cli CI jobs)
- SSH deploy key configured for private dep access
- Fails on any vulnerability advisory (default cargo audit behaviour)
- Does NOT fail on warnings (unmaintained/yanked) to avoid noise
- Swatinem cache used for binary caching across runs

Co-Authored-By: Paperclip <noreply@paperclip.ing>
Summary
Closes DAK-1517 (companion to dakera-ai/dakera#126). Adds automated CVE scanning to the dakera-cli CI pipeline via cargo-audit.

Gap fixed: QA security audit (2026-04-06) found 14 HIGH vulns via manual Dependabot query — all already fixed but only discovered manually. This PR adds the automated detection layer so future vulnerabilities are caught on every PR.
Changes:
- New `Security Audit` job in `.github/workflows/ci.yml`
- Runs `cargo-audit` on every PR and push to main
- No `needs:` dependencies — runs in parallel with other checks
- Caches the `cargo-audit` binary (fast after first run)
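The job described in the commit message and in the Changes list above, written out as an added illustration rather than the dakera-cli `ci.yml` itself: the runner label, the secret name, the action versions and the job and step names are assumptions; the `cargo audit` behaviour it relies on (non-zero exit on any vulnerability advisory, unmaintained and yanked warnings reported but not fatal unless `--deny warnings` is passed) is the tool's default.

```yaml
# Illustrative workflow, not the project's own ci.yml.
# Assumed: the runner label, the DEPLOY_KEY secret name and the action versions.
name: CI

on:
  push:
    branches: [main]
  pull_request:

jobs:
  security-audit:
    name: Security Audit
    runs-on: [self-hosted, arm64]   # assumption: label of the project's arm64 runner
    # No `needs:` key, so this job starts alongside the other checks instead of after them.
    steps:
      - uses: actions/checkout@v4

      - uses: dtolnay/rust-toolchain@stable

      # Private dependencies are fetched over SSH, so install a read-only deploy key
      # before cargo touches the lockfile. The secret name is an assumption.
      - name: Configure SSH deploy key for private dependencies
        run: |
          mkdir -p ~/.ssh
          printf '%s\n' "${{ secrets.DEPLOY_KEY }}" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          ssh-keyscan github.com >> ~/.ssh/known_hosts

      # Restores ~/.cargo (including ~/.cargo/bin) between runs, so the
      # cargo-audit binary only has to be built once.
      - uses: Swatinem/rust-cache@v2

      - name: Install cargo-audit (skipped when the cached binary is present)
        run: command -v cargo-audit >/dev/null || cargo install cargo-audit --locked

      # Default behaviour: exit non-zero on any RUSTSEC vulnerability advisory;
      # unmaintained/yanked warnings are printed but do not fail the job.
      - name: Run cargo-audit
        run: cargo audit
```

The install step is the one that benefits from the cache: `command -v` finds the restored binary on every run after the first, so `cargo install` is skipped. If the team later decides that unmaintained or yanked crates should also block a merge, the last step becomes `cargo audit --deny warnings`; everything else stays the same.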