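---
# Security Audit workflow.
#
# What actually runs, as the file stands:
#   - dependency-review: only on pull_request (its own `if:` guards it).
#   - push and schedule still trigger the workflow, but every job that
#     would do work on those events (security-audit, supply-chain-security,
#     license-check) is commented out below, so those runs are currently
#     no-ops. Either re-enable one of them or drop the unused triggers.
#
# Supply-chain note: third-party actions are referenced by mutable tag
# (`@v4`, `@stable`, `@v2`). Pinning to a full commit SHA with the tag
# kept as a trailing comment (e.g. `uses: owner/action@<full-commit-sha>  # v4`)
# makes a tag move or compromise non-silent; SHAs are deliberately not
# filled in here because none are recorded in this file.
name: Security Audit

on:  # yamllint disable-line rule:truthy -- GitHub's loader reads this key as-is
  push:
    # NOTE(review): the branch filter is empty on this page (a bare key
    # parses as null). Fill in the branches to watch, or remove the key
    # to run on every branch — confirm which was intended.
    branches:
  pull_request:
    branches:
  schedule:
    # Run security audit daily at 3 AM UTC
    - cron: '0 3 * * *'

# Least privilege for GITHUB_TOKEN: nothing in the active job writes to the
# repository, so read access to contents is all it needs.
# NOTE(review): dependency-review-action also wants `pull-requests: write`
# only when PR comment summaries are turned on — confirm against the
# action's docs before enabling that input.
permissions:
  contents: read

env:
  CARGO_TERM_COLOR: always

jobs:
  # security-audit:
  #   name: Security Audit
  #   runs-on: ubuntu-latest
  #
  #   steps:
  #     - name: Checkout code
  #       uses: actions/checkout@v4
  #     - name: Install Rust toolchain
  #       uses: dtolnay/rust-toolchain@stable
  #     - name: Cache dependencies
  #       uses: Swatinem/rust-cache@v2
  #     - name: Install cargo-audit
  #       run: cargo install cargo-audit
  #     - name: Run security audit
  #       run: cargo audit
  #     - name: Install cargo-deny
  #       run: cargo install cargo-deny
  #     - name: Run cargo-deny
  #       run: cargo deny check

  dependency-review:
    name: Dependency Review
    runs-on: ubuntu-latest
    # The action only makes sense on a PR; this also keeps the push and
    # schedule triggers from spinning up a runner for a no-op.
    if: github.event_name == 'pull_request'

    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # This job never pushes, so do not leave the token in .git/config
          # where later steps (or a compromised action) could read it.
          persist-credentials: false
      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          # Fail the PR check on moderate-or-higher advisories in newly
          # introduced dependencies.
          fail-on-severity: moderate

  # supply-chain-security:
  #   name: Supply Chain Security
  #   runs-on: ubuntu-latest
  #
  #   steps:
  #     - name: Checkout code
  #       uses: actions/checkout@v4
  #     - name: Install Rust toolchain
  #       uses: dtolnay/rust-toolchain@stable
  #     - name: Cache dependencies
  #       uses: Swatinem/rust-cache@v2
  #     - name: Check for known vulnerabilities
  #       # NOTE(review): if this job is revived, two things to settle first:
  #       # nothing in this file fetches ./advisory-db, and `|| true` means
  #       # findings never fail the job — they only land in the artifact.
  #       run: |
  #         cargo install cargo-audit
  #         cargo audit --db ./advisory-db --json > audit-results.json || true
  #     - name: Upload audit results
  #       uses: actions/upload-artifact@v4
  #       if: always()
  #       with:
  #         name: security-audit-results
  #         path: audit-results.json
  #         retention-days: 30

  # license-check:
  #   name: License Check
  #   runs-on: ubuntu-latest
  #
  #   steps:
  #     - name: Checkout code
  #       uses: actions/checkout@v4
  #     - name: Install Rust toolchain
  #       uses: dtolnay/rust-toolchain@stable
  #     - name: Cache dependencies
  #       uses: Swatinem/rust-cache@v2
  #     - name: Install cargo-license
  #       run: cargo install cargo-license
  #     - name: Check licenses
  #       run: cargo license --json > licenses.json
  #     - name: Verify license compatibility
  #       # NOTE(review): `grep -E` exits 0 when *any* line matches, so this
  #       # passes as long as one dependency is MIT/Apache/BSD; it does not
  #       # detect a single incompatible license. Inverting the check
  #       # (`grep -vE` on the allow-list, fail if it prints anything) is the
  #       # usual shape — or use cargo-deny's license section instead.
  #       run: |
  #         # Check that all dependencies use compatible licenses
  #         cargo license | grep -E "(MIT|Apache|BSD)" || {
  #           echo "Found incompatible licenses"
  #           cargo license
  #           exit 1
  #         }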