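name: Security Audit

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader reads it correctly,
# generic parsers may not — keep it as the Actions convention requires.
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    # Run every Monday at 9:00 AM UTC
    - cron: '0 9 * * 1'
  workflow_dispatch:

# Least-privilege default for GITHUB_TOKEN. Without this, jobs that declare
# no `permissions` block (audit, supply-chain below) inherit the repository's
# default token scope, which can be read/write. Jobs that need more
# (SARIF upload) raise `security-events` explicitly in their own block.
permissions:
  contents: read

env:
  CARGO_TERM_COLOR: always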
jobs:
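  audit:
    name: Security Audit
    runs-on: ubuntu-latest
    # Advisory lookup only — nothing is built or written back, so a read-only
    # token is all this job needs.
    permissions:
      contents: read
    steps:
    - name: Checkout code
      uses: actions/checkout@v4

    # `@stable` is a moving branch, not a release; pin to a commit SHA if the
    # project's policy requires immutable action references.
    - name: Install Rust toolchain
      uses: dtolnay/rust-toolchain@stable

    # cargo-audit reads Cargo.lock and the advisory database only; nothing in
    # this job compiles the workspace, so `target` is left out of the cache
    # (it would only be restored and re-saved empty on every run).
    - name: Cache Cargo registry
      uses: actions/cache@v4
      with:
        path: |
          ~/.cargo/registry
          ~/.cargo/git
        key: ubuntu-audit-cargo-${{ hashFiles('**/Cargo.lock') }}
        restore-keys: |
          ubuntu-audit-cargo-

    # --locked resolves cargo-audit's own dependencies from the Cargo.lock it
    # ships with, instead of whatever crates.io resolves to on the day the job
    # runs, so the tool that audits the tree is itself reproducible.
    - name: Install cargo-audit
      run: cargo install cargo-audit --locked

    # A single pass is sufficient. cargo-audit's `--db` option takes a path to
    # an advisory-db checkout, not a scope selector, so the former second step
    # (`cargo audit --db all`) only repeated this scan against a second clone
    # of the same database.
    - name: Run security audit
      run: cargo audit --color always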

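  supply-chain:
    name: Supply Chain Security
    runs-on: ubuntu-latest
    # Policy check only (no build, no write-back): read-only token.
    permissions:
      contents: read
    steps:
    - name: Checkout code
      uses: actions/checkout@v4

    # `@stable` is a moving branch, not a release; pin to a commit SHA if the
    # project's policy requires immutable action references.
    - name: Install Rust toolchain
      uses: dtolnay/rust-toolchain@stable

    # cargo-deny works from Cargo.lock and the registry index; the workspace is
    # not compiled here, so `target` is not cached.
    - name: Cache Cargo registry
      uses: actions/cache@v4
      with:
        path: |
          ~/.cargo/registry
          ~/.cargo/git
        key: ubuntu-supply-chain-cargo-${{ hashFiles('**/Cargo.lock') }}
        restore-keys: |
          ubuntu-supply-chain-cargo-

    # --locked pins cargo-deny's own dependency graph to its shipped Cargo.lock
    # so the policy checker is built the same way on every run.
    - name: Install cargo-deny
      run: cargo install cargo-deny --locked

    # With no check name given, `cargo deny check` runs every configured
    # check (advisories, bans, licenses, sources) from the repo's deny.toml;
    # the job fails if that file is missing or any check reports an error.
    - name: Check licenses and dependencies
      run: cargo deny check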

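  vulnerability-scan:
    name: Vulnerability Scan
    runs-on: ubuntu-latest
    permissions:
      # Declaring `permissions` on a job resets every unlisted scope to none,
      # so the checkout's contents:read has to be spelled out next to the
      # security-events:write that the SARIF upload needs.
      contents: read
      security-events: write
    steps:
    - name: Checkout code
      uses: actions/checkout@v4

    # Pinned to a release tag instead of `master`: on a moving branch the
    # scanner that runs on each push is whatever upstream holds at that moment,
    # which is neither reproducible nor reviewable. Bump deliberately.
    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@0.28.0
      with:
        scan-type: 'fs'
        scan-ref: '.'
        format: 'sarif'
        output: 'trivy-results.sarif'
        # exit-code is left at its default (0), so findings never fail this
        # step; they surface only as code-scanning alerts after upload. The
        # "Passed" cell in the Security Summary therefore means "scan ran",
        # not "no findings". Set `exit-code: '1'` (optionally scoped with
        # `severity`) if the summary should go red on findings.

    # v2 of codeql-action is deprecated; v3 is the maintained line.
    - name: Upload Trivy scan results to GitHub Security tab
      uses: github/codeql-action/upload-sarif@v3
      if: always()
      with:
        sarif_file: 'trivy-results.sarif'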

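  codeql:
    name: CodeQL Analysis
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        language: [ 'rust' ]
    steps:
    - name: Checkout code
      uses: actions/checkout@v4

    # v2 of codeql-action is deprecated; init/analyze are moved to v3 together
    # (the two must be on the same major version).
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v3
      with:
        languages: ${{ matrix.language }}

    # `@stable` is a moving branch, not a release; pin to a commit SHA if the
    # project's policy requires immutable action references.
    - name: Install Rust toolchain
      uses: dtolnay/rust-toolchain@stable

    # This job does compile the workspace, so `target` is worth caching here.
    - name: Cache Cargo registry
      uses: actions/cache@v4
      with:
        path: |
          ~/.cargo/registry
          ~/.cargo/git
          target
        key: ubuntu-codeql-cargo-${{ hashFiles('**/Cargo.lock') }}
        restore-keys: |
          ubuntu-codeql-cargo-

    # Build everything (lib, bins, tests, examples) so the analysis covers
    # all targets, not just the default build.
    - name: Build for CodeQL
      run: cargo build --workspace --all-targets

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v3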

  # Aggregate the four job outcomes into the run's step summary and turn the
  # workflow red if any of them did not end in `success` (skipped and
  # cancelled count as failures too).
  security-summary:
    name: Security Summary
    runs-on: ubuntu-latest
    needs: [audit, supply-chain, vulnerability-scan, codeql]
    if: always()
    steps:
    - name: Security check summary
      # Job results are passed through env rather than interpolated into the
      # script body, so the shell text stays static and quotable.
      env:
        AUDIT_RESULT: ${{ needs.audit.result }}
        SUPPLY_CHAIN_RESULT: ${{ needs.supply-chain.result }}
        VULN_SCAN_RESULT: ${{ needs.vulnerability-scan.result }}
        CODEQL_RESULT: ${{ needs.codeql.result }}
      run: |
        # Render one table cell from a job result string.
        cell() {
          if [[ "$1" == "success" ]]; then
            echo "✅ Passed"
          else
            echo "❌ Failed"
          fi
        }

        {
          echo "## Security Audit Results"
          echo ""
          echo "| Check | Status |"
          echo "|-------|---------|"
          echo "| Cargo Audit | $(cell "$AUDIT_RESULT") |"
          echo "| Supply Chain | $(cell "$SUPPLY_CHAIN_RESULT") |"
          echo "| Vulnerability Scan | $(cell "$VULN_SCAN_RESULT") |"
          echo "| CodeQL Analysis | $(cell "$CODEQL_RESULT") |"
        } >> "$GITHUB_STEP_SUMMARY"

        all_ok=true
        for result in "$AUDIT_RESULT" "$SUPPLY_CHAIN_RESULT" "$VULN_SCAN_RESULT" "$CODEQL_RESULT"; do
          if [[ "$result" != "success" ]]; then
            all_ok=false
          fi
        done

        if [[ "$all_ok" == "true" ]]; then
          {
            echo ""
            echo "🛡️ All security checks passed successfully!"
          } >> "$GITHUB_STEP_SUMMARY"
          exit 0
        fi

        {
          echo ""
          echo "⚠️ Some security checks failed. Please review the results above."
        } >> "$GITHUB_STEP_SUMMARY"
        exit 1