Description
The CI pipeline (`pr-validation.yml`) does not run `cargo audit` to scan dependencies for known security vulnerabilities. Given that ApexStore has 40+ dependencies (including `actix-web`, `tokio`, `serde`, `lz4_flex`, etc.), unpatched CVEs could go unnoticed.
Proposed fix
Add a `cargo-audit` job to `pr-validation.yml` (indentation restored; the `permissions` block grants the `checks: write` scope the action needs, see the note below):

```yaml
  audit:
    name: Security Audit
    runs-on: ubuntu-latest
    # rustsec/audit-check reports findings as a check run, so the job
    # needs checks: write; contents: read is enough for the checkout.
    permissions:
      checks: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: rustsec/audit-check@v2.0.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
```

Note: `rustsec/audit-check` requires `checks: write` permission on the workflow; without it the action cannot publish the audit results as a check run.
Severity
Medium — no known vulnerabilities currently, but no guard against future ones.