Skip to content

ci: add RustSec security audit and cargo-deny checks#4272

Merged
Hmbown merged 1 commit into
Hmbown:mainfrom
bistack:feat/rust-sec-audit
Jul 10, 2026
Merged

ci: add RustSec security audit and cargo-deny checks#4272
Hmbown merged 1 commit into
Hmbown:mainfrom
bistack:feat/rust-sec-audit

Conversation

@bistack

@bistack bistack commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Summary

Add security audit infrastructure using RustSec advisory database to CI:

  • security-audit.yml: runs cargo-audit to scan Cargo.lock for known vulnerabilities (non-blocking)
  • cargo-deny.yml: checks advisories, dependency bans, licenses, and sources
  • audit.toml: cargo-audit configuration
  • deny.toml: cargo-deny configuration (allowed licenses, sources)
  • README.md: add Security audit and cargo-deny status badges

Changes

  • New CI workflow: security-audit.yml using actions-rust-lang/audit@v1
  • New CI workflow: cargo-deny.yml using EmbarkStudios/cargo-deny-action@v2
  • Both workflows run on PR, push to main/master, and weekly schedule
  • Security audit is non-blocking (continue-on-error: true)

Testing

  • cargo fmt check passed
  • cargo audit run locally (found 2 existing vulnerabilities, non-blocking)
  • YAML structure validated

@bistack bistack requested a review from Hmbown as a code owner July 9, 2026 04:16
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

Thanks @bistack for taking the time to contribute.

This repository is observing a maintainer-managed PR intake gate in dry-run mode, so this pull request is staying open. This note helps maintainers prepare the allowlist before any enforcement is considered.

Please read CONTRIBUTING.md for the expected contribution shape. A maintainer can grant recurring PR access by commenting /lgtm on a pull request.

@bistack bistack force-pushed the feat/rust-sec-audit branch 2 times, most recently from 05b72a8 to 5ad6882 Compare July 9, 2026 07:17
@Hmbown

Hmbown commented Jul 9, 2026

Copy link
Copy Markdown
Owner

v0.8.68 harvest triage (lane-perf)

Scouted against main @ 931a1df27.

Decision: do not land as-is for 0.8.68.

  • CI is not CI-only red: cargo-audit / cargo-deny (advisories) fail on real lockfile advisories:
    • crossbeam-epoch 0.9.18 → upgrade ≥0.9.20 (RUSTSEC-2026-0204)
    • lopdf 0.38.0 → upgrade ≥0.42.0 (RUSTSEC-2026-0187, severity 7.5)
    • ttf-parser unmaintained warning (RUSTSEC-2026-0192)
  • Adding blocking advisory gates without coordinated dependency upgrades will keep main red.
  • Workflow/config shape (security-audit.yml with continue-on-error, deny.toml) is useful, but should ship with a green advisory baseline (or explicit temporary ignores + follow-up dep PR).

Suggested next step: separate PR that upgrades/ignores the known advisories first, then land the CI workflows. Credit remains with @bistack.

Hmbown commented Jul 9, 2026

Copy link
Copy Markdown
Owner

hmm my grok got a bit out of alignment…. I want to get this in the next version, I think this is very smart. thank you!!

@bistack bistack force-pushed the feat/rust-sec-audit branch from 5ad6882 to ec5cb02 Compare July 10, 2026 03:06
@bistack bistack changed the title feat: add RustSec security audit and cargo-deny CI checks ci: add RustSec security audit and cargo-deny checks Jul 10, 2026
Hmbown added a commit to bistack/CodeWhale that referenced this pull request Jul 10, 2026
Harvested from PR Hmbown#4272 by @bistack. The starlark dependency tree currently requires derivative and fxhash; keep cargo-deny's advisory lane informative while cargo-audit remains clean.

Co-authored-by: Sun Zhenyuan <zhenyuan.sun@163.com>
Hmbown added a commit to bistack/CodeWhale that referenced this pull request Jul 10, 2026
Harvested from PR Hmbown#4272 by @bistack. The starlark dependency tree currently requires derivative and fxhash; keep cargo-deny's advisory lane informative while cargo-audit remains clean.

Co-authored-by: Sun Zhenyuan <9128763+bistack@users.noreply.github.com>
@Hmbown Hmbown force-pushed the feat/rust-sec-audit branch from b9d5b64 to 464b481 Compare July 10, 2026 03:15
Add security audit infrastructure using RustSec advisory database:

- .github/workflows/security-audit.yml: runs cargo-audit to scan
  Cargo.lock for known vulnerabilities
- .github/workflows/cargo-deny.yml: checks advisories, dependency
  bans, licenses, and sources
- audit.toml: cargo-audit configuration
- deny.toml: cargo-deny configuration with allowed licenses
- README.md: add Security audit and cargo-deny status badges
@bistack bistack force-pushed the feat/rust-sec-audit branch from 464b481 to ac214fd Compare July 10, 2026 03:26
@bistack

bistack commented Jul 10, 2026

Copy link
Copy Markdown
Contributor Author

@Hmbown Thanks! Happy to make any adjustments if needed.

@Hmbown Hmbown merged commit 7e18d5a into Hmbown:main Jul 10, 2026
17 checks passed
@bistack bistack deleted the feat/rust-sec-audit branch July 10, 2026 03:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants