Security Audit #9
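---
# Daily cargo-audit run against the workspace lockfiles. Fails the job when
# the RustSec database reports a vulnerability in a resolved dependency.
name: Security Audit

on:
  schedule:
    # Run daily at 2 AM UTC
    - cron: '0 2 * * *'
  # Allow manual trigger for testing
  workflow_dispatch:
  # Also run on push to main to catch issues early
  push:
    branches:
      - main
    paths:
      - '**/Cargo.toml'
      - '**/Cargo.lock'
      - '.github/workflows/security-audit.yml'
  # Run on PRs to test before merging
  pull_request:
    # Uncomment these paths once we verify the workflow runs correctly
    # paths:
    #   - '**/Cargo.toml'
    #   - '**/Cargo.lock'
    #   - '.github/workflows/security-audit.yml'

# Least privilege: the job only reads the checkout. Step outputs and the job
# summary go through $GITHUB_OUTPUT / $GITHUB_STEP_SUMMARY, which need no
# token scope, so the default write-capable GITHUB_TOKEN is not required.
permissions:
  contents: read

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      # NOTE(review): `@main` is a mutable ref, so whatever lands on that
      # branch runs here with the job's token. Pin to a release tag or a
      # full commit SHA (value to be chosen by the maintainers).
      - name: Install cargo-binstall
        uses: cargo-bins/cargo-binstall@main

      - name: Install cargo-audit binary (fast)
        # PINNED_VERSION is a placeholder: the rendered page shows the pinned
        # cargo-audit version as "[email protected]"; restore the exact
        # version the project pins so the audit tool itself is reproducible.
        run: cargo binstall cargo-audit@PINNED_VERSION --no-confirm

      - name: Run security audit
        id: audit
        run: |
          # Only stdout goes to audit.json; merging stderr into it (the old
          # `2>&1`) corrupted the JSON. Warnings still appear in the job log.
          if cargo audit --json > audit.json; then
            echo "audit_failed=false" >> "$GITHUB_OUTPUT"
          else
            echo "audit_failed=true" >> "$GITHUB_OUTPUT"
          fi
          # Always show the human-readable output
          cargo audit || true

      # Create a job summary that's visible in the Actions tab
      - name: Create job summary
        if: steps.audit.outputs.audit_failed == 'true'
        run: |
          {
            echo "## 🚨 Security Vulnerabilities Detected"
            echo ""
            echo "The security audit has detected vulnerabilities in the dependencies."
            echo ""
            echo "### Required Actions:"
            echo "1. Review the audit output above for details"
            echo "2. Run \`cargo audit\` locally to see the full report"
            echo "3. Update affected dependencies using \`cargo update\`"
            echo "4. Review if these vulnerabilities affect your production deployments"
            echo ""
            # These github.* values are run metadata, not user input, so the
            # expression expansion is safe inside the shell script.
            echo "**Workflow run:** [#${{ github.run_number }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})"
          } >> "$GITHUB_STEP_SUMMARY"

      # Fail the workflow if vulnerabilities were found
      - name: Check audit results
        if: steps.audit.outputs.audit_failed == 'true'
        run: |
          echo "::error::Security vulnerabilities detected in dependencies"
          exit 1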