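---
# CI for binhards (a binary-hardening checker): build, run the unit tests, then
# exercise the tool against its own binary, two system binaries, and two freshly
# compiled C fixtures (one deliberately unhardened, one fully hardened).
name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Least privilege: this job only needs to read the repository. The default
# GITHUB_TOKEN grant depends on repository settings and may be read/write,
# which is more than a build-and-test job should hold.
permissions:
  contents: read

env:
  CARGO_TERM_COLOR: always

jobs:
  build:
    runs-on: ubuntu-latest
    # Bound a hung build or test so a stuck job cannot burn runner minutes
    # indefinitely.
    timeout-minutes: 30
    steps:
      # NOTE(review): third-party actions are referenced by mutable tag below.
      # For supply-chain safety pin each `uses:` to a full-length commit SHA
      # (keeping the tag in a trailing comment) so a force-pushed tag cannot
      # swap in different code.
      - uses: actions/checkout@v4

      # actions-rs/toolchain is archived and unmaintained. The runner image
      # ships rustup, so select the toolchain directly instead of depending on
      # an unmaintained third-party action.
      - name: Install Rust
        run: |
          rustup toolchain install stable --profile minimal
          rustup default stable

      # One cache entry covering the registry, the git index and build output.
      # Keyed on Cargo.lock; restore-keys lets a changed lockfile still
      # warm-start from the most recent cache for this OS.
      - name: Cache Cargo registry, index and build
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-

      - name: Build
        run: cargo build --verbose

      - name: Run tests
        run: cargo test --verbose

      # Smoke test: the checker must be able to analyse its own binary.
      - name: Test on self
        run: ./target/debug/binhards ./target/debug/binhards

      # NOTE(review): the steps below only fail when binhards exits non-zero;
      # they do not assert the hardening status it reports. Once the --json
      # schema is stable, consider checking the expected flags in its output.
      - name: Test on system binaries
        run: |
          echo "=== Testing /bin/ls ==="
          ./target/debug/binhards /bin/ls
          echo -e "\n=== Testing /bin/cat ==="
          ./target/debug/binhards /bin/cat
          echo -e "\n=== Testing with JSON output ==="
          ./target/debug/binhards --json /bin/ls

      - name: Compile test binaries
        run: |
          # A tiny C program with an intentionally unsafe strcpy, so the two
          # builds below differ only in their hardening flags.
          cat > test_program.c <<'EOF'
          #include <stdio.h>
          #include <string.h>
          int main(int argc, char *argv[]) {
              char buffer[100];
              if (argc > 1) {
                  strcpy(buffer, argv[1]); // Intentionally unsafe for testing
                  printf("Input: %s\n", buffer);
              }
              return 0;
          }
          EOF
          # "No security features" has to be requested explicitly: Ubuntu's gcc
          # enables PIE, stack protector, partial RELRO, FORTIFY, CET and
          # stack-clash protection by default, so a plain `gcc` invocation
          # would produce a partly hardened binary and the "vulnerable" fixture
          # would never exercise the negative case.
          gcc -O0 -fno-stack-protector -fno-PIE -no-pie \
              -fcf-protection=none -fno-stack-clash-protection \
              -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=0 \
              -Wl,-z,norelro \
              -o test_vuln_none test_program.c
          # Full hardening. -U_FORTIFY_SOURCE first avoids the "redefined"
          # warning when the compiler already predefines it; -O2 is required
          # for FORTIFY checks to take effect at all.
          gcc -O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 \
              -fstack-protector-strong -fPIE -pie \
              -Wl,-z,relro,-z,now \
              -o test_vuln_hardened test_program.c

      - name: Test on compiled binaries
        run: |
          echo "=== Testing vulnerable binary ==="
          ./target/debug/binhards ./test_vuln_none
          echo -e "\n=== Testing hardened binary ==="
          ./target/debug/binhards ./test_vuln_hardened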