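---
# Security checks for the Rust crate, run on every change to main and weekly:
#   - cargo-audit against the RustSec advisory database
#   - GitHub dependency review on pull requests
#   - a Clippy pass with lints for panic-prone code patterns enabled
name: Security Audit

# yamllint disable-line rule:truthy
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Every Monday at 00:00 UTC, so newly published advisories are caught even
    # when nothing has been pushed.
    - cron: '0 0 * * 1'

# Least privilege: none of these jobs writes to the repository, so the default
# GITHUB_TOKEN only needs read access to check out the code.
permissions:
  contents: read

jobs:
  security-audit:
    name: Security Audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # NOTE(review): the actions-rs organisation is archived and no longer
      # maintained; consider migrating to a maintained toolchain action and
      # pinning third-party actions to a commit SHA rather than a tag.
      - name: Install Rust
        uses: actions-rs/toolchain@v1
        with:
          profile: minimal
          toolchain: stable
          override: true

      # --locked builds cargo-audit from its own Cargo.lock instead of
      # resolving the newest compatible dependency versions at install time,
      # which keeps the audit tool itself reproducible between runs.
      - name: Install cargo-audit
        run: cargo install --locked cargo-audit

      # Informational pass: prints every finding, including the advisory the
      # gating step below ignores. continue-on-error keeps the full report in
      # the log without failing the job at this point.
      - name: Run cargo audit
        run: cargo audit
        continue-on-error: true

      # Gating pass: every warning is an error except the one ignored advisory.
      # Revisit the ignore list whenever the affected dependency is updated so
      # the exception does not outlive its reason.
      - name: Check for vulnerable dependencies (ignoring maintenance warnings)
        run: cargo audit --deny warnings --ignore RUSTSEC-2024-0384

  dependency-check:
    name: Dependency Review
    runs-on: ubuntu-latest
    # The review compares the PR's manifests against the base branch, so it is
    # only meaningful on pull_request events.
    if: github.event_name == 'pull_request'
    # Advisory only: neither the job nor the step blocks the PR when the review
    # finds a moderate-or-worse advisory. Remove both continue-on-error lines
    # once fail-on-severity is meant to be enforced.
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4
      - name: Dependency Review
        uses: actions/dependency-review-action@v3
        continue-on-error: true
        with:
          fail-on-severity: moderate

  clippy-security:
    name: Clippy Security Lints
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # See the note on actions-rs in the security-audit job above.
      - name: Install Rust
        uses: actions-rs/toolchain@v1
        with:
          profile: minimal
          toolchain: stable
          components: clippy
          override: true

      # Lints that flag code which can panic at runtime (unwrap/expect/panic!)
      # and unfinished stubs (todo!/unimplemented!). -D warnings turns any
      # warning, including those just enabled, into a failing exit status.
      - name: Run Clippy with security warnings
        run: |
          cargo clippy --all-features -- \
            -W clippy::unwrap_used \
            -W clippy::expect_used \
            -W clippy::panic \
            -W clippy::todo \
            -W clippy::unimplemented \
            -D warnings
        # Advisory only for now: a failing Clippy run does not fail the job.
        continue-on-error: true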