ci: implement security auditing checks

`cargo-audit` and the RustSec Advisory DB see: https://rustsec.org/
input-output-hk · Oct 7, 2024 · 5fabf7f · 5fabf7f
1 parent bf430fe
commit 5fabf7f
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 16 deletions.
diff --git a/.cargo/audit.toml b/.cargo/audit.toml
@@ -0,0 +1,11 @@
+[advisories]
+ignore = []
+severity_threshold = "low"
+
+[output]
+format = "json"
+quiet = false
+
+[yanked]
+enabled = true
+
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
@@ -0,0 +1,25 @@
+name: "Audit Dependencies"
+on:
+  push:
+    paths:
+      # Run if workflow changes
+      - '.github/workflows/audit.yml'
+      # Run on changed dependencies
+      - '**/Cargo.toml'
+      - '**/Cargo.lock'
+      # Run if the configuration file changes
+      - '.cargo/audit.toml'
+  # Rerun periodicly to pick up new advisories
+  schedule:
+    - cron: '0 0 * * *'
+  # Run manually
+  workflow_dispatch:
+
+jobs:
+  security_audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: rustsec/audit-check@v2.0.0
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/nix/shell.nix b/nix/shell.nix
@@ -29,6 +29,7 @@
         gnumake
         gawk
         cargo-edit
+        cargo-audit
       ]
       ++ (
         if isDarwin