Add support for cargo-audit deny options

README.md

@@ -39,7 +39,8 @@ will not be performed if no dependencies were changed.
 
 In case of any security advisories found, [status check](https://help.github.com/en/articles/about-status-checks)
 created by this Action will be marked as "failed".\
-Note that informational advisories are not affecting the check status.
+By default, informational advisories (notices, unmaintained, unsound, yanked) do not affect the check status,
+but you can configure this behavior using the `deny` input parameter (see [Deny Options](#deny-options) below).
 
 ![Check screenshot](.github/check_screenshot.png)
 
@@ -98,12 +99,42 @@ For each new advisory (including informal) an issue will be created:
 
 ![Issue screenshot](.github/issue_screenshot.png)
 
+## Deny Options
+
+You can configure the action to fail on specific types of advisories using the `deny` input. This aligns with cargo audit's `--deny` flag behavior:
+
+```yaml
+- uses: rustsec/[email protected]
+  with:
+    token: ${{ secrets.GITHUB_TOKEN }}
+    deny: warnings  # Fail on any warnings (unmaintained, unsound, yanked, notices)
+```
+
+### Available Deny Options
+
+- **`warnings`**: Fail on any warnings (includes unmaintained, unsound, yanked, and informational notices)
+- **`unmaintained`**: Fail only on unmaintained package warnings
+- **`unsound`**: Fail only on unsound package warnings  
+- **`yanked`**: Fail only on yanked package warnings
+
+You can combine multiple deny options:
+
+```yaml
+- uses: rustsec/[email protected]
+  with:
+    token: ${{ secrets.GITHUB_TOKEN }}
+    deny: unmaintained,yanked  # Fail on unmaintained OR yanked packages
+```
+
+By default, the action only fails on critical security vulnerabilities. Using deny options allows you to also fail on other types of issues that cargo audit can detect.
+
 ## Inputs
 
 | Name        | Required | Description                                                                | Type   | Default |
 | ------------| -------- | ---------------------------------------------------------------------------| ------ | --------|
 | `token`     | ✓        | [GitHub token], usually a `${{ secrets.GITHUB_TOKEN }}`                    | string |         |
 | `ignore`    |          | Comma-separated list of advisory ids to ignore                             | string |         |
 | `working-directory`|   | The directory of the Cargo.toml / Cargo.lock files to scan.                | string | `.`     |
+| `deny`      |          | Comma-separated list of deny options: `warnings` (any), `unmaintained`, `unsound`, `yanked` | string |         |
 
 [GitHub token]: https://help.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token

action.yml

@@ -15,6 +15,9 @@ inputs:
     description: The directory of the Cargo.toml / Cargo.lock files to scan.
     required: false
     default: .
+  deny:
+    description: 'Comma-separated list of deny options: warnings (any), unmaintained, unsound, yanked'
+    required: false
 
 runs:
   using: 'node20'

src/input.ts

@@ -9,12 +9,14 @@ export interface Input {
     token: string;
     ignore: string[];
     workingDirectory: string;
+    deny: string[];
 }
 
 export function get(): Input {
     return {
         token: input.getInput('token', { required: true }),
         ignore: input.getInputList('ignore', { required: false }),
         workingDirectory: input.getInput('working-directory', { required: false }) ?? '.',
+        deny: input.getInputList('deny', { required: false }),
     };
 }

src/main.ts

@@ -12,6 +12,7 @@ import * as reporter from './reporter';
 
 async function getData(
     ignore: string[] | undefined,
+    deny: string[] | undefined,
     workingDirectory: string,
 ): Promise<interfaces.Report> {
     const cargo = await Cargo.get();
@@ -24,6 +25,9 @@ async function getData(
         for (const item of ignore ?? []) {
             commandArray.push('--ignore', item);
         }
+        for (const item of deny ?? []) {
+            commandArray.push('--deny', item);
+        }
         commandArray.push('--json');
         commandArray.push('--file', `${workingDirectory}/Cargo.lock`);
         await cargo.call(commandArray, {
@@ -55,8 +59,9 @@ function removeTrailingSlash(str) {
 
 export async function run(actionInput: input.Input): Promise<void> {
     const ignore = actionInput.ignore;
+    const deny = actionInput.deny;
     const workingDirectory = removeTrailingSlash(actionInput.workingDirectory);
-    const report = await getData(ignore, workingDirectory);
+    const report = await getData(ignore, deny, workingDirectory);
     let shouldReport = false;
     if (!report.vulnerabilities.found) {
         core.info('No vulnerabilities were found');
@@ -99,7 +104,7 @@ export async function run(actionInput: input.Input): Promise<void> {
         core.debug(
             `Action was triggered on a ${github.context.eventName} event, creating a Check report`,
         );
-        await reporter.reportCheck(actionInput.token, advisories, warnings);
+        await reporter.reportCheck(actionInput.token, advisories, warnings, deny);
     }
 }
 

src/reporter.ts

@@ -165,6 +165,7 @@ export async function reportCheck(
     token: string,
     vulnerabilities: Array<interfaces.Vulnerability>,
     warnings: Array<interfaces.Warning>,
+    deny: string[] = [],
 ): Promise<void> {
     const client = github.getOctokit(token, {userAgent: USER_AGENT});
     const reporter = new checks.CheckReporter(client.rest, 'Security audit');
@@ -189,13 +190,30 @@ See https://github.com/actions-rs/clippy-check/issues/2 for details.`);
             core.info('Posting audit report here instead.');
 
             core.info(makeReport(vulnerabilities, warnings));
-            if (stats.critical > 0) {
+
+            const shouldFail = stats.critical > 0 || 
+                (deny.includes('warnings') && (stats.unmaintained > 0 || stats.unsound > 0 || stats.notices > 0 || stats.other > 0)) ||
+                (deny.includes('unmaintained') && stats.unmaintained > 0) ||
+                (deny.includes('unsound') && stats.unsound > 0) ||
+                (deny.includes('yanked') && stats.other > 0);
+
+            if (shouldFail) {
+                const reasons: string[] = [];
+                if (stats.critical > 0) reasons.push(`${stats.critical} critical vulnerabilities`);
+                if (deny.includes('warnings') && stats.unmaintained > 0) reasons.push(`${stats.unmaintained} unmaintained packages`);
+                if (deny.includes('warnings') && stats.unsound > 0) reasons.push(`${stats.unsound} unsound packages`);
+                if (deny.includes('warnings') && stats.notices > 0) reasons.push(`${stats.notices} notice(s)`);
+                if (deny.includes('warnings') && stats.other > 0) reasons.push(`${stats.other} yanked/other issues`);
+                if (deny.includes('unmaintained') && stats.unmaintained > 0) reasons.push(`${stats.unmaintained} unmaintained packages`);
+                if (deny.includes('unsound') && stats.unsound > 0) reasons.push(`${stats.unsound} unsound packages`);
+                if (deny.includes('yanked') && stats.other > 0) reasons.push(`${stats.other} yanked packages`);
+
                 throw new Error(
-                    'Critical vulnerabilities were found, marking check as failed',
+                    `Security audit failed due to: ${reasons.join(', ')}`,
                 );
             } else {
                 core.info(
-                    'No critical vulnerabilities were found, not marking check as failed',
+                    'No issues found that would cause failure based on deny configuration',
                 );
                 return;
             }
@@ -211,20 +229,43 @@ See https://github.com/actions-rs/clippy-check/issues/2 for details.`);
             summary: summary,
             text: body,
         };
-        const status = stats.critical > 0 ? 'failure' : 'success';
+
+        const shouldFail = stats.critical > 0 || 
+            (deny.includes('warnings') && (stats.unmaintained > 0 || stats.unsound > 0 || stats.notices > 0 || stats.other > 0)) ||
+            (deny.includes('unmaintained') && stats.unmaintained > 0) ||
+            (deny.includes('unsound') && stats.unsound > 0) ||
+            (deny.includes('yanked') && stats.other > 0);
+
+        const status = shouldFail ? 'failure' : 'success';
         await reporter.finishCheck(status, output);
     } catch (error) {
         await reporter.cancelCheck();
         throw error;
     }
 
-    if (stats.critical > 0) {
+    const shouldFail = stats.critical > 0 || 
+        (deny.includes('warnings') && (stats.unmaintained > 0 || stats.unsound > 0 || stats.notices > 0 || stats.other > 0)) ||
+        (deny.includes('unmaintained') && stats.unmaintained > 0) ||
+        (deny.includes('unsound') && stats.unsound > 0) ||
+        (deny.includes('yanked') && stats.other > 0);
+
+    if (shouldFail) {
+        const reasons: string[] = [];
+        if (stats.critical > 0) reasons.push(`${stats.critical} critical vulnerabilities`);
+        if (deny.includes('warnings') && stats.unmaintained > 0) reasons.push(`${stats.unmaintained} unmaintained packages`);
+        if (deny.includes('warnings') && stats.unsound > 0) reasons.push(`${stats.unsound} unsound packages`);
+        if (deny.includes('warnings') && stats.notices > 0) reasons.push(`${stats.notices} notice(s)`);
+        if (deny.includes('warnings') && stats.other > 0) reasons.push(`${stats.other} yanked/other issues`);
+        if (deny.includes('unmaintained') && stats.unmaintained > 0) reasons.push(`${stats.unmaintained} unmaintained packages`);
+        if (deny.includes('unsound') && stats.unsound > 0) reasons.push(`${stats.unsound} unsound packages`);
+        if (deny.includes('yanked') && stats.other > 0) reasons.push(`${stats.other} yanked packages`);
+
         throw new Error(
-            'Critical vulnerabilities were found, marking check as failed',
+            `Security audit failed due to: ${reasons.join(', ')}`,
         );
     } else {
         core.info(
-            'No critical vulnerabilities were found, not marking check as failed',
+            'No critical issues found that would cause failure based on deny configuration',
         );
         return;
     }