https://github.com/actions-rust-lang/audit
Audit Rust Dependencies using the RustSec Advisory DB
cargo-audit ci github-actions hacktoberfest rust rust-lang rustsec security
- Host: GitHub
- URL: https://github.com/actions-rust-lang/audit
- Owner: actions-rust-lang
- License: mit
- Created: 2022-08-09T21:00:48.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2025-03-31T17:09:59.000Z (about 1 month ago)
- Last Synced: 2025-03-31T18:26:03.518Z (about 1 month ago)
- Topics: cargo-audit, ci, github-actions, hacktoberfest, rust, rust-lang, rustsec, security
- Language: Python
- Homepage:
- Size: 295 KB
- Stars: 9
- Watchers: 1
- Forks: 6
- Open Issues: 1
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
- Audit: audit.py
README
# Audit Rust dependencies using the RustSec Advisory DB
Audit your Rust dependencies using [cargo audit] and the [RustSec Advisory DB]. The action writes a summary listing every vulnerability found and can open an issue for each one.
Execution Summary: (screenshot of the job summary not included in this copy)
## Example workflow
```yaml
name: "Audit Dependencies"
on:
  push:
    paths:
      # Run if workflow changes
      - '.github/workflows/audit.yml'
      # Run on changed dependencies
      - '**/Cargo.toml'
      - '**/Cargo.lock'
      # Run if the configuration file changes
      - '**/audit.toml'
  # Rerun periodically to pick up new advisories
  schedule:
    - cron: '0 0 * * *'
  # Run manually
  workflow_dispatch:

jobs:
  audit:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions-rust-lang/audit@v1
        name: Audit Rust Dependencies
        with:
          # Comma separated list of issues to ignore
          ignore: RUSTSEC-2020-0036
```

## Inputs
All inputs are optional.
Consider adding an [`audit.toml` configuration file] to your repository for further configuration options.
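To make the `ignore` and `denyWarnings` inputs listed in the table below concrete, here is an added Python example (not the action's own `audit.py`) that triages a `cargo audit --json` report the way a CI gate would. The report layout is assumed to match cargo audit's JSON output, the sample report is constructed, and `triage` is a hypothetical helper name.

```python
"""Triage a `cargo audit --json` report as a CI gate would (added example,
not the action's own audit.py). Applies the `ignore` and `denyWarnings`
inputs; the report shape follows cargo audit's JSON output as this example
assumes it, and the sample report below is constructed, not real data."""
import json

# Constructed sample; RUSTSEC-0000-* IDs are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": {"found": True, "count": 2, "list": [
        {"advisory": {"id": "RUSTSEC-2020-0036", "title": "constructed"},
         "package": {"name": "crate-a", "version": "0.1.8"},
         "versions": {"patched": [], "unaffected": []}},
        {"advisory": {"id": "RUSTSEC-0000-0000", "title": "constructed"},
         "package": {"name": "crate-b", "version": "1.2.3"},
         "versions": {"patched": [">=1.2.4"], "unaffected": []}},
    ]},
    # Warnings are grouped by kind; yanked entries carry no advisory.
    "warnings": {
        "unmaintained": [{"kind": "unmaintained",
                          "package": {"name": "crate-c", "version": "0.1.0"},
                          "advisory": {"id": "RUSTSEC-0000-0001"}}],
        "yanked": [{"kind": "yanked",
                    "package": {"name": "crate-d", "version": "2.0.0"}}],
    },
})


def triage(report_json, ignore="", deny_warnings=False):
    """Return (failed, summary_lines). Vulnerabilities always fail the check;
    warnings only do so when deny_warnings is set. IDs in the comma-separated
    `ignore` string are dropped from both lists first."""
    report = json.loads(report_json)
    ignored = {i.strip() for i in ignore.split(",") if i.strip()}
    vulns = [v for v in report["vulnerabilities"]["list"]
             if v["advisory"]["id"] not in ignored]
    warnings = [w for group in report.get("warnings", {}).values()
                for w in group
                if w.get("advisory", {}).get("id") not in ignored]
    lines = []
    for v in vulns:  # one line per vulnerability, e.g. for an issue title
        patched = ", ".join(v["versions"]["patched"]) or "none"
        lines.append(f"VULN {v['advisory']['id']}: {v['package']['name']} "
                     f"{v['package']['version']} (patched: {patched})")
    for w in warnings:
        lines.append(f"WARN {w['kind']}: {w['package']['name']} "
                     f"{w['package']['version']}")
    failed = bool(vulns) or (deny_warnings and bool(warnings))
    return failed, lines
```

Note that ignoring every vulnerability leaves the job green while warnings remain, unless `denyWarnings` is on; that is the trade-off the two inputs encode.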
cargo audit supports multiple warning types, such as unsound code or yanked crates.
Configuration is only possible via the `informational_warnings` parameter in the configuration file ([#318](https://github.com/rustsec/rustsec/issues/318)).
Setting `denyWarnings` to true also enables these warning types, but each warning is upgraded to an error.

| Name | Description | Default |
| ------------------ | ------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------ |
| `TOKEN` | The GitHub access token used to retrieve, create and update issues (automatically set). | `github.token` |
| `denyWarnings` | Any warnings generated will be treated as an error and fail the action. | false |
| `file` | The path to the Cargo.lock file to inspect. | |
| `ignore` | A comma separated list of RustSec IDs to ignore. | |
| `createIssues` | Create/Update issues for each found vulnerability. By default only on `main` or `master` branch. | `github.ref == 'refs/heads/master' \|\| github.ref == 'refs/heads/main'` |
| `workingDirectory` | Run `cargo audit` from the given working directory. | |

## Dependencies
The action works best on the GitHub-hosted runners, but can work on self-hosted ones too, provided the necessary dependencies are available.
PRs to add support for more environments are welcome.

* bash
* Python 3.9+
* requests
* Rust stable
* cargo
* node (to use Node-based actions)

## License
The scripts and documentation in this project are released under the [MIT License].
[MIT License]: LICENSE
[cargo audit]: https://github.com/RustSec/rustsec/tree/main/cargo-audit
[RustSec Advisory DB]: https://rustsec.org/advisories/
[`audit.toml` configuration file]: https://github.com/rustsec/rustsec/blob/main/cargo-audit/audit.toml.example