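--- a/.github/workflows/security-audit.yml
+++ b/.github/workflows/security-audit.yml
@@ -0,0 +1,63 @@
+name: Security Audit
+
+on:
+schedule:
+# Run daily at 2 AM UTC
+- cron: '0 2 * * *'
+# Allow manual trigger for testing
+workflow_dispatch:
+# Run on PRs to test before merging
+pull_request:
+paths:
+- '**/Cargo.toml'
+- '**/Cargo.lock'
+- '.github/workflows/security-audit.yml'
+- '.cargo/audit.toml'
+
+jobs:
+audit:
+runs-on: ubuntu-latest
+steps:
+- name: Checkout
+uses: actions/checkout@v4
+
+- name: Install cargo-binstall
+uses: cargo-bins/cargo-binstall@main
+
+- name: Install cargo-audit binary (fast)
+run: cargo binstall cargo-audit@0.20.0 --no-confirm
+
+- name: Run security audit
+id: audit
+run: |
+if cargo audit --json > audit.json 2>&1; then
+echo "audit_failed=false" >> $GITHUB_OUTPUT
+else
+echo "audit_failed=true" >> $GITHUB_OUTPUT
+fi
+
+# Always show the human-readable output
+cargo audit || true
+
+# Create a job summary that's visible in the Actions tab
+- name: Create job summary
+if: steps.audit.outputs.audit_failed == 'true'
+run: |
+echo "## 🚨 Security Vulnerabilities Detected" >> $GITHUB_STEP_SUMMARY
+echo "" >> $GITHUB_STEP_SUMMARY
+echo "The security audit has detected vulnerabilities in the dependencies." >> $GITHUB_STEP_SUMMARY
+echo "" >> $GITHUB_STEP_SUMMARY
+echo "### Required Actions:" >> $GITHUB_STEP_SUMMARY
+echo "1. Review the audit output above for details" >> $GITHUB_STEP_SUMMARY
+echo "2. Run \`cargo audit\` locally to see the full report" >> $GITHUB_STEP_SUMMARY
+echo "3. Update affected dependencies using \`cargo update\`" >> $GITHUB_STEP_SUMMARY
+echo "4. Review if these vulnerabilities affect your production deployments" >> $GITHUB_STEP_SUMMARY
+echo "" >> $GITHUB_STEP_SUMMARY
+echo "**Workflow run:** [#${{ github.run_number }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})" >> $GITHUB_STEP_SUMMARY
+
+# Fail the workflow if vulnerabilities were found
+- name: Check audit results
+if: steps.audit.outputs.audit_failed == 'true'
+run: |
+echo "::error::Security vulnerabilities detected in dependencies"
+exit 1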
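Review bot: The `Install cargo-binstall` step pulls a third-party action from a mutable branch, `uses: cargo-bins/cargo-binstall@main`, so the installer that fetches the audit tool itself can change under this workflow at any time; in a workflow whose purpose is supply-chain hygiene it should be pinned to an immutable ref, e.g. `uses: cargo-bins/cargo-binstall@<pinned-tag-or-commit-sha>` (placeholder — take the value from the action's release page), and `actions/checkout@v4` would ideally get the same treatment. The workflow also declares no `permissions:` block, so the job runs with the repository's default token scope although it only needs to read the checkout; adding `permissions:` with `contents: read` at the top level keeps it to least privilege. Separately, in the `Run security audit` step the redirect `cargo audit --json > audit.json 2>&1` mixes stderr into the JSON file, which makes `audit.json` unparseable on any warning, and the file is never uploaded or read afterwards, so either drop the redirect or write stderr elsewhere and publish the file as an artifact.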