ci: add RustSec security audit and cargo-deny checks#4272
Conversation
|
Thanks @bistack for taking the time to contribute. This repository is observing a maintainer-managed PR intake gate in dry-run mode, so this pull request is staying open. This note helps maintainers prepare the allowlist before any enforcement is considered. Please read |
05b72a8 to
5ad6882
Compare
v0.8.68 harvest triage (lane-perf)Scouted against Decision: do not land as-is for 0.8.68.
Suggested next step: separate PR that upgrades/ignores the known advisories first, then land the CI workflows. Credit remains with @bistack. |
|
hmm my grok got a bit out of alignment…. I want to get this in the next version, I think this is very smart. thank you!! |
5ad6882 to
ec5cb02
Compare
Harvested from PR Hmbown#4272 by @bistack. The starlark dependency tree currently requires derivative and fxhash; keep cargo-deny's advisory lane informative while cargo-audit remains clean. Co-authored-by: Sun Zhenyuan <zhenyuan.sun@163.com>
Harvested from PR Hmbown#4272 by @bistack. The starlark dependency tree currently requires derivative and fxhash; keep cargo-deny's advisory lane informative while cargo-audit remains clean. Co-authored-by: Sun Zhenyuan <9128763+bistack@users.noreply.github.com>
b9d5b64 to
464b481
Compare
Add security audit infrastructure using RustSec advisory database: - .github/workflows/security-audit.yml: runs cargo-audit to scan Cargo.lock for known vulnerabilities - .github/workflows/cargo-deny.yml: checks advisories, dependency bans, licenses, and sources - audit.toml: cargo-audit configuration - deny.toml: cargo-deny configuration with allowed licenses - README.md: add Security audit and cargo-deny status badges
464b481 to
ac214fd
Compare
|
@Hmbown Thanks! Happy to make any adjustments if needed. |
Summary
Add security audit infrastructure using RustSec advisory database to CI:
cargo-auditto scanCargo.lockfor known vulnerabilities (non-blocking)Changes
security-audit.ymlusingactions-rust-lang/audit@v1cargo-deny.ymlusingEmbarkStudios/cargo-deny-action@v2continue-on-error: true)Testing