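# Security Audit workflow: cargo-audit (RustSec advisory DB), cargo-deny
# (advisories/bans/licenses/sources from deny.toml) and GitHub's dependency
# review on pull requests.
#
# Supply-chain note: every third-party action below is referenced by a mutable
# tag (@v6, @stable, @v2, @v4). A tag can be moved to different code after it
# has been reviewed; pin each action to a full commit SHA (keep the tag in a
# trailing comment) and let Dependabot/Renovate bump the SHAs. The SHAs are
# deliberately not written here - take them from the upstream repositories.
name: Security Audit

on:
  push:
    branches: [master, main]
  pull_request:
    branches: [master, main]
  schedule:
    # Daily at 00:00 UTC so advisories published after the last commit are
    # still caught on the default branch.
    - cron: '0 0 * * *'
  workflow_dispatch:

env:
  CARGO_TERM_COLOR: always

# Least privilege: read-only default for the whole workflow. Each job still
# declares exactly what it needs below.
permissions:
  contents: read

jobs:
  security-audit:
    name: Security Audit
    runs-on: ubuntu-latest
    # No step in this job uploads SARIF or writes code-scanning alerts, so the
    # previous `security-events: write` grant was unused. Re-add it only
    # together with a SARIF upload step.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v6
        with:
          # Nothing in this job pushes or needs the token in .git/config;
          # do not leave it on disk for later steps/actions to read.
          persist-credentials: false
      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
      - name: Cache Rust dependencies
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: "security-audit"
      - name: Install cargo-audit
        uses: taiki-e/install-action@v2
        with:
          # Installs the latest cargo-audit release on every run. Pin
          # `cargo-audit@<version>` if results must be reproducible run to run.
          tool: cargo-audit
      - name: Run cargo audit (JSON report)
        # Produces the machine-readable report that is uploaded as an
        # artifact. The default `run` shell is `bash -e` without pipefail, so
        # this pipeline only ever returns tee's status; `|| true` makes the
        # "never fail here" intent explicit and keeps it true if `shell: bash`
        # (which enables pipefail) is ever set. The gate is the next step.
        run: cargo audit --json | tee audit-results.json || true
      - name: Check for vulnerabilities
        run: |
          # cargo-audit exits non-zero only for vulnerability advisories;
          # warning-class findings (unmaintained, unsound, yanked) are printed
          # but do not fail the build. Tighten with e.g.
          # `cargo audit --deny unsound --deny yanked` once the tree is clean.
          if cargo audit; then
            echo "✅ No critical vulnerabilities found"
          else
            echo "❌ Vulnerabilities detected - see output above"
            exit 1
          fi
      - name: Upload audit results
        # always(): the report is most useful precisely when the audit fails.
        if: always()
        uses: actions/upload-artifact@v7
        with:
          name: security-audit-results
          path: audit-results.json

  cargo-deny:
    name: Cargo Deny
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Run cargo deny
        # `check` with no sub-command runs every check configured in the
        # repository's deny.toml (assumed to exist - the action fails without
        # one). --all-features so optional dependencies are covered as well.
        uses: EmbarkStudios/cargo-deny-action@v2
        with:
          log-level: warn
          command: check
          arguments: --all-features

  dependency-review:
    name: Dependency Review
    runs-on: ubuntu-latest
    # The action diffs the PR's dependency changes against the base branch;
    # there is nothing to compare on push/schedule/dispatch, hence the guard.
    # NOTE(review): it also needs the repository's Dependency Graph enabled -
    # confirm in repository settings.
    if: github.event_name == 'pull_request'
    permissions:
      contents: read
      # Only needed when .github/dependency-review-config.yml enables the
      # PR summary comment (comment-summary-in-pr); otherwise drop this grant.
      # On pull requests from forks the token is read-only regardless.
      pull-requests: write
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          config-file: './.github/dependency-review-config.yml'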