audit-check 0.2.0

GitHub Action to run 'cargo audit' on your Rust project
# audit-check

[![CI](https://github.com/rustyhorde/audit-check/actions/workflows/cargo-matrix.yml/badge.svg?branch=master)](https://github.com/rustyhorde/audit-check/actions/workflows/cargo-matrix.yml)
[![crates.io](https://img.shields.io/crates/v/audit-check)](https://crates.io/crates/audit-check)
[![license](https://img.shields.io/crates/l/audit-check)](LICENSE-MIT)

A GitHub Action that runs [`cargo audit`](https://github.com/rustsec/rustsec/tree/main/cargo-audit) on your Rust project and optionally opens a GitHub issue when RustSec advisories are found.

## Inputs

| Input | Required | Default | Description |
|-------|----------|---------|-------------|
| `token` | yes | | GitHub token (`${{ secrets.GITHUB_TOKEN }}`) |
| `deny` | no | `warnings` | Fail on: `warnings` (any), `unmaintained`, `unsound`, `yanked` |
| `level` | no | `INFO` | Log level: `TRACE`, `DEBUG`, `INFO`, `WARN`, `ERROR` |
| `create_issue` | no | `false` | Open a GitHub issue when advisories are found |
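
How the `deny` input gates a run, as an added illustration that is not the project's own code: this Python applies the policy from the table to constructed reports in the shape `cargo audit --json` emits (the report layout, and the rule that vulnerabilities fail regardless of `deny`, are assumptions taken from cargo audit's own behaviour). It shows that `deny: unsound` lets unmaintained and yanked warnings through, while a vulnerability fails under every setting.

```python
import json

# Constructed sample reports in the shape `cargo audit --json` emits (assumed
# format); crate names, versions and advisory ids are placeholders.
WARNINGS_ONLY = json.dumps({
    "vulnerabilities": {"found": False, "count": 0, "list": []},
    "warnings": {
        "unmaintained": [{"package": {"name": "example-crate", "version": "0.1.0"}}],
        "yanked": [{"package": {"name": "other-crate", "version": "2.3.4"}}],
    },
})
VULNERABLE = json.dumps({
    "vulnerabilities": {"found": True, "count": 1, "list": [
        {"advisory": {"id": "RUSTSEC-0000-0002"},
         "package": {"name": "vulnerable-crate", "version": "1.0.0"}}]},
    "warnings": {},
})

WARNING_KINDS = ("unmaintained", "unsound", "yanked")

def denied_findings(report_json: str, deny: str = "warnings") -> list[str]:
    """Findings that should fail the run under `deny`.

    Vulnerabilities always fail, as with cargo audit itself; `deny` only picks
    which warning kinds are also fatal: `warnings` means every kind, any other
    value means exactly that kind.
    """
    if deny != "warnings" and deny not in WARNING_KINDS:
        raise ValueError(f"unknown deny value: {deny!r}")
    report = json.loads(report_json)
    findings = [
        f"vulnerability {v['advisory']['id']} in {v['package']['name']}"
        for v in report.get("vulnerabilities", {}).get("list", [])
    ]
    for kind in WARNING_KINDS if deny == "warnings" else (deny,):
        for warning in report.get("warnings", {}).get(kind, []):
            pkg = warning["package"]
            findings.append(f"{kind}: {pkg['name']} {pkg['version']}")
    return findings

def exit_code(report_json: str, deny: str = "warnings") -> int:
    """What a CI step would exit with: 0 when clean under the policy, else 1."""
    return 1 if denied_findings(report_json, deny) else 0

if __name__ == "__main__":
    for deny in ("warnings", "unsound", "yanked"):
        print(f"deny={deny}: exit {exit_code(WARNINGS_ONLY, deny)}",
              denied_findings(WARNINGS_ONLY, deny))
    print("vulnerable, deny=unsound: exit", exit_code(VULNERABLE, "unsound"))
```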

## Usage

### GitHub Action (recommended)

Minimal — add as a step to any workflow job:

```yaml
- uses: rustyhorde/audit-check@v1
  with:
    token: ${{ secrets.GITHUB_TOKEN }}
```

Full example with all options:

```yaml
- uses: rustyhorde/audit-check@v1
  with:
    token: ${{ secrets.GITHUB_TOKEN }}
    deny: warnings      # warnings | unmaintained | unsound | yanked
    level: INFO         # TRACE | DEBUG | INFO | WARN | ERROR
    create_issue: false # true | false
```

A complete scheduled audit workflow:

```yaml
name: Security Audit

on:
  push:
    branches: [master]
  schedule:
    - cron: '0 0 * * 0'  # weekly on Sunday

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: rustyhorde/audit-check@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          create_issue: true
```

### Docker

The image is published to [GitHub Container Registry](https://github.com/rustyhorde/audit-check/pkgs/container/audit-check).
Run it locally against a Rust project:

```sh
docker pull ghcr.io/rustyhorde/audit-check:latest

docker run \
  -e INPUT_TOKEN=<github-token> \
  -e GITHUB_REPOSITORY=owner/repo \
  -v "$(pwd):/volume" \
  -w /volume \
  --rm \
  ghcr.io/rustyhorde/audit-check:latest
```

Optional env vars:

```sh
-e INPUT_DENY=warnings       # warnings | unmaintained | unsound | yanked
-e INPUT_LEVEL=INFO          # TRACE | DEBUG | INFO | WARN | ERROR
-e INPUT_CREATE_ISSUE=false  # true | false
```

### Standalone CLI

Install the binary and run it directly. `cargo audit` must also be installed.

**Install:**

```sh
# Pre-built binary via cargo-binstall (fastest)
cargo binstall audit-check

# Or build from source
cargo install audit-check

# cargo-audit is a required runtime dependency
cargo install cargo-audit
```

**Run:**

```sh
export INPUT_TOKEN=<github-token>
export GITHUB_REPOSITORY=owner/repo  # e.g. rustyhorde/audit-check

# Optional
export INPUT_DENY=warnings
export INPUT_LEVEL=INFO
export INPUT_CREATE_ISSUE=false

audit-check
```

> `INPUT_TOKEN` is always required even when `create_issue` is `false`. A classic PAT with
> `public_repo` scope (or `repo` for private repositories) is sufficient.