ci(security): add cargo-audit, cargo-deny, and SBOM generation workflows; add deny.toml

dirvine · dirvine · commit d8ef4be3fac4 · 2025-08-31T11:11:35.000+01:00
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -0,0 +1,53 @@
+name: Security Checks
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '0 3 * * 1'
+
+jobs:
+  cargo-audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+      - name: Generate lockfile
+        run: cargo generate-lockfile
+      - name: Audit dependencies (RustSec)
+        uses: rustsec/audit-check@v2
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+  cargo-deny:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+      - name: Run cargo-deny (advisories, bans, licenses)
+        uses: EmbarkStudios/cargo-deny-action@v1
+
+  sbom:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: CycloneDX (Cargo)
+        run: |
+          cargo install cyclonedx-bom --locked
+          cyclonedx-bom -o sbom-cyclonedx-cargo.json
+      - name: SBOM (Syft) for repo
+        uses: anchore/sbom-action@v0
+        with:
+          path: .
+          format: cyclonedx-json
+          output-file: sbom-cyclonedx-syft.json
+      - name: Upload SBOMs
+        uses: actions/upload-artifact@v4
+        with:
+          name: sboms
+          path: |
+            sbom-cyclonedx-cargo.json
+            sbom-cyclonedx-syft.json
+
diff --git a/deny.toml b/deny.toml
@@ -0,0 +1,32 @@
+# cargo-deny configuration (baseline). Adjust as the project evolves.
+
+[advisories]
+severity-threshold = "medium"
+yanked = "warn"
+ignore = []
+
+[licenses]
+unlicensed = "deny"
+allow = [
+    "Apache-2.0",
+    "MIT",
+    "BSD-3-Clause",
+    "BSD-2-Clause",
+    "ISC",
+    "Unicode-3.0",
+]
+copyleft = "warn"
+confidence-threshold = 0.8
+exceptions = []
+
+[bans]
+multiple-versions = "warn"
+wildcards = "allow"
+deny = []
+skip = []
+allow = []
+
+[sources]
+unknown-registry = "warn"
+unknown-git = "warn"
+
