Run cargo audit by default

crate-ci / azure-pipelines

Easy continuous integration for Rust projects with Azure Pipelines

MIT License

88 stars 24 forks source link

Run cargo audit by default #57

Open djc opened 5 years ago

djc commented 5 years ago

Would be great to turn CI red on vulnerable dependencies.

epage commented 5 years ago

Thoughts on CI vs a bot? Dependabot can automatically create PRs for security vulnerabilities which is more proactive than the CI which is in response to a PR, master commit, tag, and/or a schedule.

Ouch, looks like they don't offer pre-built binaries and seem to be against it. The slowdown caused by that seems bad from a defaults perspective.

djc commented 5 years ago

It's too bad that Azure doesn't have caching yet.

I basically agree with the author that we should get cargo-audit into cargo proper.

epage commented 5 years ago

At least caching is in Preview