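name: Security Audit

# NOTE(review): every third-party action below is referenced by a mutable tag
# (@v4, @v3, @stable). For supply-chain integrity, pin each `uses:` to a full
# commit SHA (keep the tag in a trailing comment) once the hashes have been
# checked against the upstream releases.

on:
  schedule:
    # Run security audit weekly on Sundays (06:00 UTC)
    - cron: '0 6 * * 0'
  push:
    # NOTE(review): `branches:` carries no value here and in `pull_request`
    # below. An empty value is not a branch restriction -- confirm the intended
    # branch list; it may have been lost.
    branches:
  pull_request:
    branches:

# Least-privilege default for GITHUB_TOKEN. Jobs that declare their own
# `permissions` (codeql) override this; the other jobs need no write access.
# This matters because the jobs run `cargo check`/`cargo build` on
# pull_request, i.e. on code and build scripts the PR author controls.
permissions:
  contents: read

jobs:
  audit:
    name: Security Audit
    runs-on: macos-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
        with:
          toolchain: stable

      - name: Install audit tools
        # `--locked` installs each tool from its own lockfile instead of
        # resolving fresh dependency versions on every run; this matches the
        # enhanced-dependency-check job below.
        run: |
          cargo install cargo-audit --locked
          cargo install cargo-deny --locked
        shell: bash

      # Gate: a non-zero exit (advisories found) fails the job.
      - name: Run cargo audit
        run: cargo audit

      - name: Run cargo deny check
        run: |
          # Ensure cargo-deny is in PATH
          export PATH="$HOME/.cargo/bin:$PATH"
          cargo deny check --config config/deny.toml
        shell: bash

      # Machine-readable report. Runs even when a gate above has failed --
      # that is exactly the run in which the report is needed. `cargo audit
      # --json` exits non-zero on advisories too, but the redirect has already
      # written the file by then.
      - name: Check for known vulnerabilities
        if: ${{ !cancelled() }}
        run: |
          cargo audit --json > audit-report.json
          echo "Security audit completed"
        shell: bash

      - name: Upload audit results
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v4
        with:
          name: security-audit
          path: audit-report.json

  # dependency-review:
  #   name: Dependency Review
  #   runs-on: macos-latest
  #   if: github.event_name == 'pull_request'
  #   steps:
  #     - name: Checkout code
  #       uses: actions/checkout@v4
  #     - name: Dependency Review
  #       uses: actions/dependency-review-action@v3
  #       with:
  #         fail-on-severity: moderate

  # Alternative dependency checking using cargo-audit and cargo-deny
  enhanced-dependency-check:
    name: Enhanced Dependency Security Check
    runs-on: macos-latest
    if: github.event_name == 'pull_request'
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install system dependencies (macOS)
        run: |
          # Ensure Xcode Command Line Tools are properly installed
          sudo xcode-select --install 2>/dev/null || echo "Command Line Tools already installed"
          # Install required tools via Homebrew
          brew install pkg-config
          brew install openblas
        shell: bash

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
        with:
          toolchain: stable

      - name: Install security tools
        run: |
          cargo install cargo-audit --locked
          cargo install cargo-deny --locked
          cargo install cargo-outdated --locked
        shell: bash

      - name: Run comprehensive dependency audit
        run: |
          echo "=== Running cargo audit ==="
          # The JSON call fails the step on advisories just like the plain
          # call below; the redirect has already written the report by then.
          cargo audit --json > pr-audit-report.json
          cargo audit
          echo "=== Running cargo deny ==="
          # Findings are logged but do not fail this step. The strict
          # `cargo deny` gate is the `audit` job, which also runs on
          # pull_request events.
          cargo deny check --config config/deny.toml || echo "Cargo deny check completed with warnings"
          echo "=== Checking for outdated dependencies ==="
          cargo outdated || echo "Some dependencies are outdated - this is acceptable"
          echo "=== Running lightweight build check ==="
          # Test basic compilation without MPI/metal/objc issues
          cargo check --no-default-features --verbose
        shell: bash

      # Upload even when the audit step failed, so the report of the
      # failing run is preserved.
      - name: Upload PR audit results
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v4
        with:
          name: pr-security-audit
          path: pr-audit-report.json

  codeql:
    name: CodeQL Analysis
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write  # lets codeql-action/analyze upload its results
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install system dependencies
        # Trailing `\` on the last package removed: a continuation at the end
        # of the block scalar is meaningless and easy to break when editing.
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            build-essential \
            libopenblas-dev \
            liblapack-dev \
            libblas-dev \
            pkg-config
        shell: bash

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: 'rust'

      # Default features off, as in the PR build check above, so the build
      # does not need the MPI/metal/objc dependencies.
      - name: Build for CodeQL
        run: cargo build --no-default-features

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3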