# actions-rs/audit-check

🛡️ GitHub Action for security audits
## Security vulnerabilities audit

This GitHub Action uses cargo-audit to audit crate dependencies for known security vulnerabilities.

GitHub Actions can execute a workflow only if specific files were changed, so this Action can be run only when the dependencies change:
```yaml
name: Security audit
on:
  push:
    paths:
      - '**/Cargo.toml'
      - '**/Cargo.lock'
jobs:
  security_audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - uses: actions-rs/audit-check@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
```
It is recommended to add the `paths:` section to the workflow file, as it effectively speeds up the CI pipeline: the audit is skipped whenever no dependencies were changed.
If any security advisories are found, the status check created by this Action is marked as "failed".
Note that informational advisories do not affect the check status.
Due to token permissions, this Action WILL NOT be able to create Checks for Pull Requests from forked repositories; see actions-rs/clippy-check#2 for details.
As a fallback, this Action will output all found advisories to stdout.
It is expected that this behavior will be fixed later by GitHub.
Another option is to use the `schedule` event and execute this Action periodically against the `HEAD` of the repository's default branch:
```yaml
name: Security audit
on:
  schedule:
    - cron: '0 0 * * *'
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - uses: actions-rs/audit-check@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
```
With this example, the Action is executed every day at midnight and checks whether any new advisories have appeared for the crate's dependencies.
For each new advisory (including informational ones) an issue will be created.
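To make the two rules above concrete (a finding in the `vulnerabilities` section fails the check while `warnings` such as unmaintained-crate notices do not, and the scheduled mode reports every advisory that has not been filed yet), here is an added Python example that is not part of the audit-check project. It parses a report in the layout that `cargo audit --json` produces (the field names `vulnerabilities.list`, `warnings.<kind>`, `advisory.id`, and `package.name/version` are an assumption about that schema), computes the check conclusion, and lists advisories that still need an issue. The sample reports and the `RUSTSEC-0000-000x` identifiers are constructed placeholders, not real advisories.

```python
"""Classify a cargo-audit JSON report the way the audit-check README describes:
vulnerabilities fail the status check, informational warnings do not.

Added example, not the action's own code. The report layout below is an
assumption about the `cargo audit --json` schema; IDs are placeholders.
"""
import json

# Constructed sample: one real vulnerability plus one informational warning.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": {
        "found": True,
        "count": 1,
        "list": [
            {
                "advisory": {"id": "RUSTSEC-0000-0000",  # placeholder id
                             "title": "Placeholder vulnerability"},
                "package": {"name": "example-crate", "version": "0.1.0"},
            }
        ],
    },
    "warnings": {
        "unmaintained": [
            {
                "advisory": {"id": "RUSTSEC-0000-0001",  # placeholder id
                             "title": "Placeholder unmaintained notice"},
                "package": {"name": "old-crate", "version": "1.2.3"},
            }
        ]
    },
})

# Constructed sample: only an informational warning, no vulnerability.
INFO_ONLY_REPORT = json.dumps({
    "vulnerabilities": {"found": False, "count": 0, "list": []},
    "warnings": {
        "yanked": [
            {
                "advisory": {"id": "RUSTSEC-0000-0002",  # placeholder id
                             "title": "Placeholder yanked notice"},
                "package": {"name": "some-crate", "version": "2.0.0"},
            }
        ]
    },
})


def parse_report(raw):
    """Split a report into (vulnerabilities, informational) lists.

    Each entry is a tuple (advisory id, package name, version, kind).
    Missing sections are treated as empty so a clean report parses too.
    """
    report = json.loads(raw)
    vulns = [
        (e["advisory"]["id"], e["package"]["name"], e["package"]["version"], "vulnerability")
        for e in report.get("vulnerabilities", {}).get("list", [])
    ]
    infos = [
        (e["advisory"]["id"], e["package"]["name"], e["package"]["version"], kind)
        for kind, entries in report.get("warnings", {}).items()
        for e in entries
    ]
    return vulns, infos


def check_conclusion(raw):
    """Status-check rule: any vulnerability fails; warnings alone pass."""
    vulns, _ = parse_report(raw)
    return "failure" if vulns else "success"


def new_advisories(raw, already_reported):
    """Scheduled-run rule: every advisory (vulnerability or informational)
    whose id is not yet in `already_reported` needs an issue."""
    vulns, infos = parse_report(raw)
    return [adv for adv in vulns + infos if adv[0] not in already_reported]


if __name__ == "__main__":
    print("check:", check_conclusion(SAMPLE_REPORT))
    for adv in new_advisories(SAMPLE_REPORT, {"RUSTSEC-0000-0001"}):
        print("needs issue:", adv)
```

Feeding the real `cargo audit --json` output into `check_conclusion` reproduces the documented behaviour: the check fails on `SAMPLE_REPORT` but passes on `INFO_ONLY_REPORT`, while `new_advisories` still surfaces the informational entry for issue creation.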
## Inputs

| Name | Required | Description | Type | Default |
|---|---|---|---|---|
| token | ✓ | GitHub token, usually `${{ secrets.GITHUB_TOKEN }}` | string | |