name: Security Audit
on:
push:
branches: [main, master]
paths:
- "Cargo.toml"
- "Cargo.lock"
- ".github/workflows/security-audit.yml"
pull_request:
branches: [main, master]
paths:
- "Cargo.toml"
- "Cargo.lock"
- ".github/workflows/security-audit.yml"
schedule:
- cron: "17 7 * * 1"
env:
CARGO_TERM_COLOR: always
jobs:
cargo-audit:
name: cargo-audit
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a with:
toolchain: stable
- name: Install cargo-audit
run: cargo install cargo-audit --locked
- name: Run cargo-audit
run: cargo audit --deny warnings
cargo-deny:
name: cargo-deny
runs-on: ubuntu-latest
permissions:
contents: read
strategy:
matrix:
checks:
- advisories
- bans licenses sources
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: EmbarkStudios/cargo-deny-action@e9b17bf604a44f8b1e60a02f5e63242027a3546c with:
command: check ${{ matrix.checks }}
arguments: --all-features
rust-version: stable
codeql:
name: CodeQL
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
actions: read
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Initialize CodeQL
uses: github/codeql-action/init@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c with:
languages: rust
queries: security-extended,security-and-quality
- uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a with:
toolchain: stable
- uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6
- name: Build
run: cargo build
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c with:
category: "/language:rust"