ci: implement security auditing checks

`cargo-audit` and the RustSec Advisory DB see: https://rustsec.org/
input-output-hk · Sep 30, 2024 · fc901eb · fc901eb
1 parent bf430fe
commit fc901eb
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 0 deletions.
diff --git a/.cargo/audit.toml b/.cargo/audit.toml
@@ -0,0 +1,11 @@
+[advisories]
+ignore = []
+severity_threshold = "low"
+
+[output]
+format = "json"
+quiet = false
+
+[yanked]
+enabled = true
+
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
@@ -0,0 +1,25 @@
+name: "Audit Dependencies"
+on:
+  push:
+    paths:
+      # Run if workflow changes
+      - '.github/workflows/audit.yml'
+      # Run on changed dependencies
+      - '**/Cargo.toml'
+      - '**/Cargo.lock'
+      # Run if the configuration file changes
+      - '.cargo/audit.toml'
+  # Rerun periodicly to pick up new advisories
+  schedule:
+    - cron: '0 0 * * *'
+  # Run manually
+  workflow_dispatch:
+
+jobs:
+  security_audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: rustsec/audit-check@v2.0.0
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}