audit-check
ActionSecurity vulnerabilities audit
This GitHub Action is using cargo-audit to perform an audit for crates with security vulnerabilities.
We can utilize the GitHub Actions ability to execute workflow only if the specific files were changed and execute this Action to check the changed dependencies:
name: Security audit
on:
push:
paths:
- '**/Cargo.toml'
- '**/Cargo.lock'
jobs:
security_audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: rustsec/audit-check@v1.4.1
with:
token: ${{ secrets.GITHUB_TOKEN }}
It is recommended to add the paths:
section into the workflow file,
as it would effectively speed up the CI pipeline, since the audit process
will not be performed if no dependencies were changed.
In case of any security advisories found, status check created by this Action will be marked as "failed".\ Note that informational advisories are not affecting the check status.
These are the typically used permissions:
name: 'rust-audit-check'
github-token:
action-input:
input: token
is-default: false
permissions:
issues: write
issues-reason: to create issues
checks: write
checks-reason: to create check
The action does not raise issues when it is not triggered from a "cron" scheduled workflow.
When running the action as scheduled it will crate issues but e.g. in PR / push fails the action.
Due to token permissions, this Action WILL NOT be able to create Checks for Pull Requests from the forked repositories, see actions-rs/clippy-check#2 for details.\ As a fallback this Action will output all found advisories to the stdout.\ It is expected that this behavior will be fixed later by GitHub.
Another option is to use schedule
event
and execute this Action periodically against the HEAD
of repository default branch.
name: Security audit
on:
schedule:
- cron: '0 0 * * *'
jobs:
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: rustsec/audit-check@v1.4.1
with:
token: ${{ secrets.GITHUB_TOKEN }}
With this example Action will be executed periodically at midnight of each day and check if there any new advisories appear for crate dependencies.\ For each new advisory (including informal) an issue will be created:
Name | Required | Description | Type | Default |
---|---|---|---|---|
token |
✓ | GitHub token, usually a ${{ secrets.GITHUB_TOKEN }} |
string | |
ignore |
Comma-separated list of advisory ids to ignore | string | ||
working-directory |
The directory of the Cargo.toml / Cargo.lock files to scan. | string | . |