capsec audit GitHub Action

Static capability audit for Rust crates. Detects ambient authority (filesystem, network, environment, process, FFI) calls in your code.

Usage

name: Capability Audit
on: [pull_request]

permissions:
  contents: read
  security-events: write   # Required for SARIF upload
  pull-requests: write     # Required for PR review comments

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - uses: capsec/audit-action@v1
        with:
          fail-on: high

Inputs

Input	Default	Description
`version`	`latest`	cargo-capsec version to install
`fail-on`	`high`	Risk threshold: `low`, `medium`, `high`, `critical`
`baseline`	`.capsec-baseline.json`	Path to baseline file (empty to disable)
`diff`	`auto`	Only fail on new findings. `auto` enables on PRs.
`format`	`sarif`	Output format: `text`, `json`, `sarif`
`upload-sarif`	`true`	Upload SARIF to GitHub Code Scanning
`comment-on-pr`	`true`	Post inline PR review comments via reviewdog
`working-directory`	`.`	Path to Cargo workspace root
`token`	`${{ github.token }}`	GitHub token
`install-from`	`crates-io`	Install method: `crates-io` or `git`
`git-repo`	`https://github.com/auths-dev/capsec`	Git URL when `install-from` is `git`

Outputs

Output	Description
`sarif-file`	Path to generated SARIF file
`finding-count`	Number of findings
`exit-code`	`0` = pass, `1` = findings exceed threshold, `2` = runtime error

Examples

Minimal (fail on high-risk findings)

- uses: capsec/audit-action@v1

With baseline diffing (only fail on new findings)

- uses: capsec/audit-action@v1
  with:
    fail-on: high
    baseline: .capsec-baseline.json
    diff: 'true'

Pin a specific version

- uses: capsec/audit-action@v1
  with:
    version: '0.1.0'

Monorepo with custom working directory

- uses: capsec/audit-action@v1
  with:
    working-directory: ./rust-workspace

SARIF only (no PR comments)

- uses: capsec/audit-action@v1
  with:
    comment-on-pr: 'false'

How it works

Installs cargo-capsec from crates.io
Runs cargo capsec audit --format sarif --fail-on <threshold>
Uploads SARIF to GitHub Code Scanning (appears in Security tab)
Posts inline review comments on PR diffs via reviewdog
Fails the check if new findings exceed the threshold

Permissions

Permission	Required for
`security-events: write`	SARIF upload to Code Scanning
`pull-requests: write`	Inline PR review comments
`contents: read`	Reading source code

License

Apache 2.0

Name		Name	Last commit message	Last commit date
Latest commit History 9 Commits
scripts/releases		scripts/releases
LICENSE		LICENSE
README.md		README.md
action.yml		action.yml

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

capsec audit GitHub Action

Usage

Inputs

Outputs

Examples

Minimal (fail on high-risk findings)

With baseline diffing (only fail on new findings)

Pin a specific version

Monorepo with custom working directory

SARIF only (no PR comments)

How it works

Permissions

License

About

Uh oh!

Releases 2

Packages

Uh oh!

Contributors

Uh oh!

Languages

Folders and files

Latest commit

History

Repository files navigation

capsec audit GitHub Action

Usage

Inputs

Outputs

Examples

Minimal (fail on high-risk findings)

With baseline diffing (only fail on new findings)

Pin a specific version

Monorepo with custom working directory

SARIF only (no PR comments)

How it works

Permissions

License

About

Resources

License

Uh oh!

Stars

Watchers

Forks

Releases 2

Packages 0

Uh oh!

Contributors

Uh oh!

Languages

Packages