diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index bd97205..adf876e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -35,3 +35,14 @@ jobs:
         with:
           python-version: '3.x'
       - run: python scripts/check-secrets.py
+
+  cargo-deny:
+    name: Dependency audit
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      # Commit-pinned (v2.0.20): a supply-chain gate must not itself depend on a
+      # mutable action tag. Config lives in deny.toml at the repo root.
+      - uses: EmbarkStudios/cargo-deny-action@bb137d7af7e4fb67e5f82a49c4fce4fad40782fe # v2.0.20
+        with:
+          command: check advisories bans sources
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 0000000..e2b9db6
--- /dev/null
+++ b/deny.toml
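Review bot: `actions/checkout@v6` on the first step of the new job is pinned to a mutable tag, while the comment two lines below it states that this supply-chain gate must not depend on one; pin checkout to a commit as well, `- uses: actions/checkout@<commit-sha> # v6`, with the SHA taken from the release you verified. The job also declares no `permissions:` block; unless the workflow sets a restrictive default at the top level (outside this hunk), add `permissions:` with `contents: read` under `cargo-deny:` so the job token is read-only, since this job only needs to read the tree. The enclosing `jobs:` mapping starts outside the hunk.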
@@ -0,0 +1,31 @@
+# cargo-deny configuration — supply-chain gate for the Rust dependency tree.
+# Enforced in CI (.github/workflows/ci.yml). Docs: https://embarkstudios.github.io/cargo-deny/
+#
+# Scope is intentionally the security-relevant checks:
+# * advisories — known vulnerabilities / RUSTSEC advisories, yanked crates
+# * bans — wildcard version requirements (and duplicate-version noise)
+# * sources — dependencies must come from the official crates.io registry
+#
+# License compliance is deliberately left out for now so this gate stays focused
+# on security and does not fail on license classification; it can be enabled as
+# a follow-up by adding a `[licenses]` allow-list and `check licenses` in CI.
+
+[advisories]
+# RUSTSEC advisory database. cargo-deny errors on vulnerabilities by default.
+# Refuse yanked crates — a yanked dependency is a supply-chain smell.
+yanked = "deny"
+# Only add advisory IDs here with a written justification, never silently.
+ignore = []
+
+[bans]
+# Duplicate transitive versions are common and noisy — surface but don't fail.
+multiple-versions = "warn"
+# Our own crates must pin real version requirements, never "*".
+wildcards = "deny"
+
+[sources]
+# Only the official crates.io registry is trusted. Reject unknown registries
+# and any git sources (there are none today).
+unknown-registry = "deny"
+unknown-git = "deny"
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]
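Review bot: The comment above `ignore = []` in `[advisories]` asks for a written justification but gives future entries nowhere in the file to put it; cargo-deny accepts table entries with a reason field, so the comment should read `# Only add entries as { id = "RUSTSEC-<id>", reason = "<why it does not apply>" } — the reason lives here, never only in a commit message.` The header's claim that vulnerabilities error by default holds, but whether the other advisory classes (unmaintained, unsound, notice) error or merely warn depends on the cargo-deny release and on whether the `[advisories]` table declares `version = 2`; if the cargo-deny shipped by the pinned action supports it, add `version = 2` here (and in the future `[licenses]` table) so the check semantics are pinned alongside the action. This is a new file, so the whole configuration is within the hunk.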