From fc901eb239e336431d3ebad842d00379324872de Mon Sep 17 00:00:00 2001
From: Timothy DeHerrera
Date: Mon, 30 Sep 2024 10:47:44 -0600
Subject: [PATCH] ci: implement security auditing checks

`cargo-audit` and the RustSec Advisory DB

see: https://rustsec.org/
---
 .cargo/audit.toml           | 11 +++++++++++
 .github/workflows/audit.yml | 25 +++++++++++++++++++++++++
 2 files changed, 36 insertions(+)
 create mode 100644 .cargo/audit.toml
 create mode 100644 .github/workflows/audit.yml

diff --git a/.cargo/audit.toml b/.cargo/audit.toml
new file mode 100644
index 00000000..9696d8e0
--- /dev/null
+++ b/.cargo/audit.toml
@@ -0,0 +1,11 @@
+[advisories]
+ignore = []
+severity_threshold = "low"
+
+[output]
+format = "json"
+quiet = false
+
+[yanked]
+enabled = true
+
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
new file mode 100644
index 00000000..13d710e0
--- /dev/null
+++ b/.github/workflows/audit.yml
@@ -0,0 +1,25 @@
+name: "Audit Dependencies"
+on:
+  push:
+    paths:
+      # Run if workflow changes
+      - '.github/workflows/audit.yml'
+      # Run on changed dependencies
+      - '**/Cargo.toml'
+      - '**/Cargo.lock'
+      # Run if the configuration file changes
+      - '.cargo/audit.toml'
+  # Rerun periodicly to pick up new advisories
+  schedule:
+    - cron: '0 0 * * *'
+  # Run manually
+  workflow_dispatch:
+
+jobs:
+  security_audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: rustsec/audit-check@v2.0.0
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
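Review bot: `format = "json"` under `[output]` is committed project-wide config, so every developer running `cargo audit` locally gets machine-readable JSON instead of the terminal report, while the CI action in the second hunk requests JSON on its own as far as I know; dropping the `[output]` section (or `format = "terminal"`) keeps the file tool-neutral. `[yanked] enabled = true` only makes yanked crates show up as warnings — unless the run is configured to deny them (`deny = ["yanked"]` in `[output]`, or the action's deny-warnings input), they will not fail the check, which may or may not be the intent and is worth a comment either way. `ignore = []` is empty now; a header comment such as `# Each ignored advisory needs its RUSTSEC id, the reason, and a revisit date` sets the expectation before the first entry lands. The hunk also adds a trailing empty line at end of file.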
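Review bot: The workflow declares no `permissions:` block, so the `GITHUB_TOKEN` handed to `rustsec/audit-check` on the last lines carries the repository's default scopes, which on older repositories are write-all; add a top-level block limited to what the action documents it needs, e.g. `permissions:` / `  contents: read` / `  checks: write` (plus `issues: write` only if issue creation is turned on). Both `uses:` lines pin to mutable tags (`actions/checkout@v4`, `rustsec/audit-check@v2.0.0`); for a job whose purpose is supply-chain assurance, pin each to a full commit SHA with the version in a trailing comment (`uses: rustsec/audit-check@<commit-sha> # v2.0.0`), with a placeholder here since the SHA is not on the page. The `push` trigger with path filters covers same-repo branches but not pull requests from forks, so a `pull_request:` trigger with the same `paths:` filter would surface new advisories before merge. Minor: the comment reads `periodicly`; should be `periodically`.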