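---
name: Security

# NOTE(review): both `branches:` keys below have no value and so parse as
# null rather than as a list of patterns. Confirm this is intended: either
# list the branches to filter on, or drop the `branches` key entirely.
on:
  pull_request:
    branches:
  push:
    branches:

# Default to least-privilege; per-job overrides where elevation is required.
permissions:
  contents: read

jobs:
  cargo-audit:
    name: cargo-audit
    runs-on: ubuntu-24.04
    permissions:
      contents: read
      issues: write  # rustsec/audit-check posts findings as issues
      checks: write  # and as a check run
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave GITHUB_TOKEN in .git/config where the third-party
          # action below could read it; that action is handed the token it
          # needs explicitly via its `token` input instead.
          persist-credentials: false
      - uses: rustsec/audit-check@v2
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

  cargo-deny:
    name: cargo-deny
    runs-on: ubuntu-24.04
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          # Nothing in this job pushes or needs an authenticated git remote.
          persist-credentials: false
      - uses: EmbarkStudios/cargo-deny-action@v2
        with:
          # NOTE: action's default `command: check` is implicit; passing `check` here
          # again would duplicate the positional argument. Pass only flags.
          arguments: --all-features
          command-arguments: --hide-inclusion-graph

  secret-scan:
    name: secret-scan
    runs-on: ubuntu-24.04
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history: the scanner below diffs a base..head commit range.
          fetch-depth: 0
          # The scanner only reads the local clone; keep GITHUB_TOKEN out of
          # .git/config so it is not exposed to the third-party step.
          persist-credentials: false
      # gitleaks-action v2 requires a paid license for organizations.
      # trufflehog OSS is free, well-maintained, and integrates the same way.
      # Pinned to a versioned tag (NOT @main) so a routine commit to the action
      # repo cannot land in our CI without an explicit version bump. Note that a
      # tag is still mutable by whoever controls the action repo, so this is
      # weaker than pinning to a full commit SHA; the robust form for every
      # `uses:` in this file is `<owner>/<action>@<full-commit-sha>  # vX.Y.Z`
      # (SHA looked up from the release, not invented here), which lets
      # Dependabot/Renovate keep the trailing version comment in sync.
      - uses: trufflesecurity/trufflehog@v3.92.1
        with:
          path: ./
          # On pull_request: scan base..head of the PR.
          # On push: scan what the push added (event.before..sha).
          # NOTE(review): for a push that creates a new branch,
          # github.event.before is the all-zero SHA — confirm the action
          # treats that as "scan full history" rather than failing.
          base: ${{ github.event.pull_request.base.sha || github.event.before }}
          head: ${{ github.event.pull_request.head.sha || github.sha }}
          # Report verified secrets and those the detector could not verify;
          # drop `unknown` if the signal-to-noise ratio proves too low.
          extra_args: --results=verified,unknown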