Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 8 additions & 30 deletions .github/workflows/security.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,44 +5,22 @@ on:
# Run weekly on Sundays at 2:00 AM UTC
- cron: '0 2 * * 0'
workflow_dispatch: # Allow manual trigger
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]

jobs:
audit:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4

- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
with:
components: rustfmt, clippy

- name: Install cargo-audit
run: cargo install cargo-audit

- name: Run security audit
run: |
# Ignore known unmaintained crates that are transitive dependencies
# These are also ignored in deny.toml for cargo-deny
cargo audit \
--ignore RUSTSEC-2025-0058 \
--ignore RUSTSEC-2025-0057 \
--ignore RUSTSEC-2024-0436

- name: Check for outdated dependencies
run: |
# Install cargo-outdated with locked dependencies to avoid version conflicts
cargo install cargo-outdated --locked || echo "cargo-outdated installation failed, skipping outdated check"
if command -v cargo-outdated >/dev/null 2>&1; then
cargo outdated --root-deps-only || echo "cargo-outdated failed, but this is non-critical"
fi

- name: Install and run cargo deny
# cargo-deny's advisories check covers vulnerabilities, unsound, yanked, and
# unmaintained advisories. Policy (allowed licenses, ignored advisories,
# unmaintained = "workspace") lives in deny.toml so it is reviewable in one
# place instead of being scattered across inline --ignore flags.
- name: Install and run cargo-deny
run: |
cargo install cargo-deny --version "0.19.7"
cargo install cargo-deny --version "0.19.7" --locked
cargo deny check
14 changes: 7 additions & 7 deletions deny.toml
Original file line number Diff line number Diff line change
Expand Up @@ -59,13 +59,13 @@ db-path = "~/.cargo/advisory-db"
# The url(s) of the advisory databases to use
db-urls = ["https://github.com/rustsec/advisory-db"]

# Handle known unmaintained crates that are still widely used
ignore = [
# Bio crate dependencies that are unmaintained but still functional
"RUSTSEC-2025-0058", # custom_derive - widely used in bio ecosystem
"RUSTSEC-2025-0057", # fxhash - used by bio, has replacement but not critical
"RUSTSEC-2024-0436", # paste - used by nalgebra/simba and minimap2-sys, archived but stable
]
# Only flag "unmaintained" advisories for crates we depend on directly, not for
# deep transitive build-time dependencies (e.g. proc-macro-error2, paste,
# fxhash, custom_derive pulled in via getset -> bio). Those are unmaintained
# upstream with no safe upgrade and are not a security risk for a CLI, and they
# were causing a new red build every week as fresh advisories were published.
# Actual vulnerabilities (and unsound advisories) still fail the check.
unmaintained = "workspace"

[sources]
# Lint level for what to happen when a crate from a git repository is encountered
Expand Down
Loading