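# Security and dependency checks for a Rust repository:
#   - security-audit     cargo-audit against the RustSec advisory DB (blocking)
#   - dependency-check   cargo-deny licenses/bans/sources policy (blocking)
#   - dependency-review  GitHub dependency review, pull requests only
#   - outdated-check     cargo-outdated, informational only
#   - security-report    report artifact built after the blocking jobs
#   - notification       opens (or comments on) a tracking issue on failure
#
# NOTE(review): action references use mutable tags (@v4, @stable). Pinning to
# a full commit SHA, e.g. `uses: actions/checkout@<commit-sha>  # v4`
# (placeholder), resists tag retargeting; the tags are kept here unchanged.
name: Security and Dependency Check

on:
  push:
    branches: [main, develop, "feature/**"]
  pull_request:
    branches: [main, develop]
  schedule:
    # Every Monday 06:00 UTC, so advisories published after the last commit
    # are still caught.
    - cron: "0 6 * * 1"
  workflow_dispatch:

# Least privilege: the workflow token is read-only by default; the only job
# that writes (issue creation) requests `issues: write` for itself below.
permissions:
  contents: read

jobs:
  security-audit:
    name: Security Audit
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
      - name: Install cargo-audit
        # --locked builds the tool from its own Cargo.lock instead of
        # resolving the newest compatible dependencies at install time.
        run: cargo install --locked cargo-audit
      - name: Run security audit
        # --deny warnings turns unmaintained/unsound/yanked warnings into a
        # failing exit code, not just vulnerabilities.
        run: |
          echo "🔍 Running security audit..."
          cargo audit --deny warnings

  dependency-check:
    name: Dependency License Check
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
      - name: Install cargo-deny
        run: cargo install --locked cargo-deny
      - name: Check dependencies
        # Policy lives in deny.toml; --all-features so optional dependency
        # trees are checked too.
        run: |
          echo "🔍 Checking dependency licenses and bans..."
          cargo deny check --all-features

  dependency-review:
    name: Dependency Review
    runs-on: ubuntu-latest
    timeout-minutes: 10
    # The action diffs the PR's dependency manifest against the base ref, so
    # it only makes sense on pull requests.
    if: github.event_name == 'pull_request'
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Dependency Review
        uses: actions/dependency-review-action@v4

  outdated-check:
    name: Outdated Dependencies Check
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
      - name: Install cargo-outdated
        run: cargo install --locked cargo-outdated
      - name: Check for outdated dependencies
        # Informational: --exit-code 1 makes the step show red when something
        # is stale, continue-on-error keeps it from failing the workflow.
        run: |
          echo "🔍 Checking for outdated dependencies..."
          cargo outdated --root-deps-only --exit-code 1
        continue-on-error: true

  security-report:
    name: Generate Security Report
    runs-on: ubuntu-latest
    needs: [security-audit, dependency-check]
    # Produce the report even when the blocking jobs failed (that is when it
    # is most useful), but not for a cancelled run.
    if: ${{ !cancelled() }}
    timeout-minutes: 30
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
      - name: Install tools
        run: |
          cargo install --locked cargo-audit
          cargo install --locked cargo-deny
      - name: Generate comprehensive report
        # Each tool may fail (|| true): this job records findings, the
        # blocking jobs above enforce them. Output is written to a file so
        # the artifact below actually contains the report, not only the
        # inputs.
        run: |
          {
            echo "📊 Security and Dependency Report"
            echo "=================================="
            echo ""
            echo "## Security Audit Results"
            cargo audit 2>&1 || true
            echo ""
            echo "## License Check Results"
            cargo deny check licenses 2>&1 || true
            echo ""
            echo "## Dependency Tree"
            cargo tree --depth 1 2>&1 || true
          } | tee security-report.txt
      - name: Upload report
        uses: actions/upload-artifact@v4
        with:
          name: security-report
          path: |
            security-report.txt
            Cargo.lock
            deny.toml
          retention-days: 30

  notification:
    name: Send Notification
    runs-on: ubuntu-latest
    needs: [security-audit, dependency-check]
    if: failure()
    timeout-minutes: 5
    # Only this job may write issues; everything else keeps the read-only
    # default.
    permissions:
      issues: write
    steps:
      - name: Create issue on failure
        uses: actions/github-script@v7
        # Context values are handed to the script through env rather than
        # interpolated with ${{ }} inside `script`, so a ref or event string
        # is never spliced into the JavaScript source.
        env:
          EVENT_NAME: ${{ github.event_name }}
          REF_NAME: ${{ github.ref }}
          COMMIT_SHA: ${{ github.sha }}
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        with:
          script: |
            const title = '⚠️ Security Check Failed';
            const body = `
            ## Security Check Failure
            The automated security check has detected issues that need attention.
            **Triggered by:** \`${process.env.EVENT_NAME}\`
            **Branch:** \`${process.env.REF_NAME}\`
            **Commit:** \`${process.env.COMMIT_SHA}\`
            ### Action Required
            Please review the [workflow run](${process.env.RUN_URL}) for details.
            ### Checklist
            - [ ] Review security audit results
            - [ ] Update vulnerable dependencies
            - [ ] Update deny.toml if needed
            - [ ] Document reasoning for any ignored advisories
            ---
            *This issue was automatically created by the security check workflow.*
            `;
            const labels = ['security', 'automated'];
            const repo = { owner: context.repo.owner, repo: context.repo.repo };

            // Repeated failures (e.g. every weekly run until an advisory is
            // fixed) should not each open a new issue: comment on the open
            // tracking issue when one exists. The issues endpoint also lists
            // pull requests, so those are skipped.
            const { data: candidates } = await github.rest.issues.listForRepo({
              ...repo,
              state: 'open',
              labels: labels.join(','),
              per_page: 10,
            });
            const existing = candidates.find((issue) => !issue.pull_request);

            // Both calls are awaited so an API error fails this step instead
            // of being lost when the script returns early.
            if (existing) {
              await github.rest.issues.createComment({
                ...repo,
                issue_number: existing.number,
                body,
              });
            } else {
              await github.rest.issues.create({
                ...repo,
                title,
                body,
                labels,
              });
            }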