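# CodeQL static analysis for the Rust sources plus two supply-chain /
# source-hygiene gates (cargo-audit, Trojan-Source style Unicode check).
# Triggers on pushes and pull requests to main and on a weekly schedule,
# so newly published advisories are picked up without a code change.
name: "CodeQL"

on:  # yamllint disable-line rule:truthy
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]
  schedule:
    - cron: '30 6 * * 1'

jobs:
  analyze:
    name: Analyze Rust
    runs-on: ubuntu-latest
    permissions:
      security-events: write  # needed to upload SARIF to code scanning
      packages: read
      actions: read
      contents: read
    steps:
      # Actions below are pinned by release tag; pinning each to the full
      # commit SHA of that release is the stronger choice for a security
      # workflow, since tags can be moved.
      - name: Checkout repository
        uses: actions/checkout@v6.0.2
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4.32.3
        with:
          languages: rust
          build-mode: none
          queries: security-extended
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4.32.3
        with:
          category: "/language:rust"

  security-checks:
    name: Security Checks
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6.0.2
      - name: Install cargo-audit
        # pipefail: without it a failed curl is masked by tar's exit status
        # and the step can continue with no binary installed.
        # NOTE(review): the cargo-binstall tarball is fetched from the
        # unpinned "latest" release and is not checksum-verified before it
        # is extracted into /usr/local/bin and executed. For a gate that
        # is itself a security control, pin a release and verify the
        # published checksum of the archive.
        run: |
          set -euo pipefail
          curl -fsSL https://github.com/cargo-bins/cargo-binstall/releases/latest/download/cargo-binstall-x86_64-unknown-linux-musl.tgz | tar xzf - -C /usr/local/bin
          cargo-binstall cargo-audit --no-confirm
      - name: Cargo Audit
        # Fails the job when cargo-audit reports any advisory against the
        # lockfile. The summary line no longer hard-codes a dependency
        # count, which drifts from reality as soon as Cargo.lock changes.
        run: |
          set -euo pipefail
          cargo audit || { echo "FAILED: Vulnerabilities found"; exit 1; }
          echo "PASSED: No vulnerabilities found"
      - name: Detect suspicious Unicode
        # Rejects zero-width and bidirectional control code points in src/
        # (U+200B..U+200F, U+202A..U+202E, U+2066..U+2069), which can make
        # reviewed source read differently from how it compiles.
        # grep's exit status is inspected explicitly: 0 = match (fail),
        # 1 = no match (pass); anything else (e.g. src/ missing, bad
        # pattern) is treated as an error instead of a silent pass, which
        # is what a plain `if grep ...; then` would produce.
        run: |
          set -uo pipefail
          set +e
          grep -rnP '[\x{200B}-\x{200F}\x{202A}-\x{202E}\x{2066}-\x{2069}]' src/
          status=$?
          set -e
          case "$status" in
            0)
              echo "FAILED: Suspicious Unicode control characters detected"
              exit 1
              ;;
            1)
              echo "PASSED: No suspicious Unicode characters found"
              ;;
            *)
              echo "ERROR: grep exited with status $status"
              exit "$status"
              ;;
          esac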