Closed
Integrate cargo-deny for comprehensive dependency and license checking.
## Objectives
- Add cargo-deny to CI pipeline
- Configure license policy
- Set up security advisory checking
- Prevent dependency issues before merge
## cargo-deny Features
- License checking - Ensure all dependencies use approved licenses
- Advisories - Check for known security vulnerabilities
- Bans - Prevent specific crates from being used
- Sources - Verify dependency sources
## Configuration
Create `deny.toml` with:
### Licenses
- Allow: MIT, Apache-2.0, BSD-3-Clause
- Deny: GPL (copyleft)
- Confidence threshold for license detection
### Advisories
- Enable vulnerability database
- Severity threshold: moderate or higher
- Ignore specific advisories if needed
### Bans
- No banned crates currently
- Check for multiple versions of the same crate
### Sources
- Allow crates.io
- Allow git sources from trusted orgs
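A `deny.toml` that implements the four policy sections above, as an added example rather than the project's own configuration. Field names follow cargo-deny's documented configuration; `example-org` is a placeholder for the trusted GitHub organisation(s), and the issue's "moderate" severity is mapped to cargo-deny's `medium` level.

```toml
# deny.toml (added example, not the project's own configuration)
# "example-org" below is a placeholder for the trusted GitHub org(s).

[licenses]
# Anything not in this allow-list is a policy violation.
allow = ["MIT", "Apache-2.0", "BSD-3-Clause"]
# Copyleft licenses such as the GPL family are rejected outright.
copyleft = "deny"
# Crates whose license cannot be determined fail rather than pass silently.
unlicensed = "deny"
# Minimum confidence (0.0-1.0) when matching LICENSE files against SPDX
# text; lower values accept looser matches.
confidence-threshold = 0.8

[advisories]
# RustSec advisory database, cloned by cargo-deny under db-path.
db-path = "$CARGO_HOME/advisory-dbs"
db-urls = ["https://github.com/rustsec/advisory-db"]
vulnerability = "deny"
unmaintained = "warn"
yanked = "deny"
# The issue's "moderate or higher": advisories below this CVSS severity
# are reported but do not fail the check.
severity-threshold = "medium"
# Accepted risk: one advisory id per entry, each with a justification.
ignore = [
    # "RUSTSEC-XXXX-XXXX", # placeholder id: reason, owner, review date
]

[bans]
# No crates banned yet; flag duplicate versions of the same crate.
multiple-versions = "warn"
wildcards = "allow"
deny = []

[sources]
# Only crates.io plus git dependencies matching the allow-list below.
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
allow-git = []

[sources.allow-org]
github = ["example-org"]
```

Run `cargo deny check` from the crate root to apply it; compare the accepted keys against the template produced by `cargo deny init` for the installed cargo-deny version.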
## CI Integration
Add to `.github/workflows/ci.yml`:
- New job: security-checks
- Run cargo-deny check
- Fail on policy violations
- Cache cargo-deny installation
## Implementation
- Install cargo-deny locally
- Create deny.toml configuration
- Add CI job
- Test with current dependencies
- Document in README
- REUSE-compliant license headers
## Benefits
- Prevent supply chain attacks
- Ensure license compliance
- Catch vulnerabilities early
- Professional security posture
- Industry standard practice
- Required for enterprise adoption