Security #4
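---
# Security workflow: dependency vulnerability audit, license/ban check,
# secret scanning, clippy, Trivy filesystem scan and a weekly SBOM.
name: Security

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 6 * * 1' # Weekly Monday 6 AM UTC

env:
  CARGO_TERM_COLOR: always

# Least-privilege default for GITHUB_TOKEN: every job runs read-only unless
# it declares a wider `permissions` block of its own below. Without this the
# token's scope depends on the repository's default setting, which may be
# write-all.
permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  # Only cancel superseded pull_request runs. Push-to-main and scheduled runs
  # share the same github.ref (refs/heads/main), so an unconditional cancel
  # lets a push abort an in-flight scheduled scan (and the weekly SBOM job).
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
  # ── Dependency vulnerability audit ─────────────────────────────────────────
  audit:
    name: Dependency Audit (cargo-audit)
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # audit-check publishes its findings via the Checks API and can open
      # issues on scheduled runs; confirm the exact scopes against the
      # action's docs and trim anything it does not use.
      checks: write
      issues: write
    steps:
      - uses: actions/checkout@v4
      - uses: rustsec/audit-check@v2
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

  # ── License + ban check ─────────────────────────────────────────────────────
  deny:
    name: License & Ban Check (cargo-deny)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: EmbarkStudios/cargo-deny-action@v2
        with:
          command: check
          arguments: --all-features
          log-level: warn

  # ── Secret scanning ─────────────────────────────────────────────────────────
  secrets:
    name: Secret Scanning (gitleaks)
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # gitleaks-action enumerates the PR's commits through the API on
      # pull_request events; confirm against the action's docs.
      pull-requests: read
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # full history, so every commit is scanned rather than only HEAD
      - name: Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # ── Clippy security lints ───────────────────────────────────────────────────
  clippy-security:
    name: Clippy Security Lints
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
        with:
          components: clippy
      - uses: Swatinem/rust-cache@v2
      - name: Security-focused clippy
        # `-D warnings` promotes clippy's default lint set to errors; it does
        # not turn on the opt-in restriction lints, so any security-specific
        # lints are expected to come from the workspace's lint configuration.
        run: cargo clippy --workspace --no-default-features -- -D warnings

  # ── Container/filesystem scan with Trivy ───────────────────────────────────
  trivy:
    name: Trivy Vulnerability Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write # for SARIF upload
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy (filesystem scan)
        uses: aquasecurity/trivy-action@0.30.0
        with:
          scan-type: fs
          scan-ref: .
          format: sarif
          output: trivy-results.sarif
          severity: HIGH,CRITICAL
          exit-code: 0 # Don't fail — just report
      - name: Upload Trivy SARIF
        uses: github/codeql-action/upload-sarif@v3
        # Upload even when the scan step reports problems. NOTE(review):
        # pull requests from forks get a read-only GITHUB_TOKEN, so this
        # step is expected to fail there although the scan itself ran.
        if: always()
        with:
          sarif_file: trivy-results.sarif
          category: trivy-filesystem

  # ── SBOM generation (weekly) ────────────────────────────────────────────────
  sbom-weekly:
    name: Weekly SBOM
    runs-on: ubuntu-latest
    if: github.event_name == 'schedule'
    steps:
      - uses: actions/checkout@v4
      - name: Install syft
        # NOTE(review): this runs an unpinned installer fetched from the `main`
        # branch of the syft repository, so the SBOM tooling itself is not
        # reproducible and changes outside this repo's control. Pin a syft
        # release (pass a version tag to the installer) or use a pinned
        # anchore/sbom-action step instead.
        run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
      - name: Generate SBOM
        run: |
          syft dir:. \
            --output spdx-json=sbom-weekly.spdx.json \
            --output cyclonedx-json=sbom-weekly.cyclonedx.json
      - name: Upload SBOM artifacts
        uses: actions/upload-artifact@v4
        with:
          name: weekly-sbom
          path: |
            sbom-weekly.spdx.json
            sbom-weekly.cyclonedx.json
          retention-days: 90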