pezkuwichain
b4b60ca49d
- Upgrade bytes 1.11.0 → 1.11.1 (RUSTSEC-2026-0007 integer overflow) - Upgrade time 0.3.46 → 0.3.47 (RUSTSEC-2026-0009 DoS stack exhaustion) - Upgrade git2 0.20.3 → 0.20.4 (RUSTSEC-2026-0008 undefined behavior) - Upgrade keccak 0.1.5 → 0.1.6 (RUSTSEC-2026-0012 unsoundness) - Add ignore rules in deny.toml for unfixable upstream advisories (wasmtime 37.x, rsa, tracing-subscriber 0.2.x, lru) - Remove continue-on-error from security-audit workflow — audit is now enforced and will block CI on new unignored vulnerabilities
92 lines
3.0 KiB
YAML
92 lines
3.0 KiB
YAML
name: Security Audit
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
pull_request:
|
|
types: [opened, synchronize, reopened, ready_for_review]
|
|
# Run weekly on Monday at 06:00 UTC
|
|
schedule:
|
|
- cron: "0 6 * * 1"
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
isdraft:
|
|
# Skip draft PRs but always run on schedule/push
|
|
if: github.event_name != 'pull_request' || !github.event.pull_request.draft
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- run: echo "Not a draft"
|
|
|
|
cargo-deny:
|
|
needs: isdraft
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 30
|
|
strategy:
|
|
matrix:
|
|
checks:
|
|
- advisories
|
|
- licenses
|
|
- sources
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
- uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979 # v2.0.15
|
|
with:
|
|
command: check ${{ matrix.checks }}
|
|
|
|
cargo-audit:
|
|
needs: isdraft
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 30
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
- name: Install cargo-audit
|
|
run: cargo install cargo-audit --locked
|
|
- name: Run cargo audit
|
|
run: |
|
|
echo "## Cargo Audit Results" >> $GITHUB_STEP_SUMMARY
|
|
# Ignored advisories: upstream transitive deps with no available fix.
|
|
# Review quarterly and remove ignores when patches become available.
|
|
cargo audit \
|
|
--ignore RUSTSEC-2026-0006 \
|
|
--ignore RUSTSEC-2026-0020 \
|
|
--ignore RUSTSEC-2026-0021 \
|
|
--ignore RUSTSEC-2023-0071 \
|
|
--ignore RUSTSEC-2025-0055 \
|
|
--ignore RUSTSEC-2026-0002 \
|
|
2>&1 | tee audit-output.txt
|
|
RESULT=${PIPESTATUS[0]}
|
|
if [ $RESULT -ne 0 ]; then
|
|
echo "### Vulnerabilities found" >> $GITHUB_STEP_SUMMARY
|
|
echo '```' >> $GITHUB_STEP_SUMMARY
|
|
head -500 audit-output.txt >> $GITHUB_STEP_SUMMARY
|
|
if [ "$(wc -l < audit-output.txt)" -gt 500 ]; then
|
|
echo "... (truncated, see full output in job logs)" >> $GITHUB_STEP_SUMMARY
|
|
fi
|
|
echo '```' >> $GITHUB_STEP_SUMMARY
|
|
exit $RESULT
|
|
else
|
|
echo "### No vulnerabilities found" >> $GITHUB_STEP_SUMMARY
|
|
fi
|
|
|
|
confirm-security-audit-passed:
|
|
runs-on: ubuntu-latest
|
|
name: Security audit summary
|
|
needs: [cargo-deny, cargo-audit]
|
|
if: always() && !cancelled()
|
|
steps:
|
|
- run: |
|
|
tee resultfile <<< '${{ toJSON(needs) }}'
|
|
FAILURES=$(cat resultfile | grep '"result": "failure"' | wc -l)
|
|
if [ $FAILURES -gt 0 ]; then
|
|
echo "### Security audit FAILED" >> $GITHUB_STEP_SUMMARY
|
|
echo "Review the cargo-deny and cargo-audit job outputs for details." >> $GITHUB_STEP_SUMMARY
|
|
exit 1
|
|
else
|
|
echo '### All security audits passed' >> $GITHUB_STEP_SUMMARY
|
|
fi
|