11 changes: 11 additions & 0 deletions .github/workflows/ci.yml
Expand Up @@ -35,3 +35,14 @@ jobs:
with:
python-version: '3.x'
- run: python scripts/check-secrets.py

cargo-deny:
name: Dependency audit
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
# Commit-pinned (v2.0.20): a supply-chain gate must not itself depend on a
# mutable action tag. Config lives in deny.toml at the repo root.
- uses: EmbarkStudios/cargo-deny-action@bb137d7af7e4fb67e5f82a49c4fce4fad40782fe # v2.0.20
with:
command: check advisories bans sources
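Review bot: The checkout step at the top of the new cargo-deny job uses the mutable tag `actions/checkout@v6`, while the comment two lines below it states that a supply-chain gate must not depend on a mutable action tag; that reasoning applies equally to checkout, which runs first and produces the workspace the audit reads. Pin it the same way as the cargo-deny-action line, `- uses: actions/checkout@<full-commit-sha> # v6` (placeholder SHA to be resolved from the v6 tag). The job also declares no `permissions:` block; unless a workflow-level block outside this hunk sets one, it inherits the repository's default token scope, and `permissions: { contents: read }` is the least-privilege choice for a read-only audit job.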
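--- a/deny.toml
+++ b/deny.toml
@@ -0,0 +1,31 @@
+# cargo-deny configuration — supply-chain gate for the Rust dependency tree.
+# Enforced in CI (.github/workflows/ci.yml). Docs: https://embarkstudios.github.io/cargo-deny/
+#
+# Scope is intentionally the security-relevant checks:
+# * advisories — known vulnerabilities / RUSTSEC advisories, yanked crates
+# * bans — wildcard version requirements (and duplicate-version noise)
+# * sources — dependencies must come from the official crates.io registry
+#
+# License compliance is deliberately left out for now so this gate stays focused
+# on security and does not fail on license classification; it can be enabled as
+# a follow-up by adding a `[licenses]` allow-list and `check licenses` in CI.
+
+[advisories]
+# RUSTSEC advisory database. cargo-deny errors on vulnerabilities by default.
+# Refuse yanked crates — a yanked dependency is a supply-chain smell.
+yanked = "deny"
+# Only add advisory IDs here with a written justification, never silently.
+ignore = []
+
+[bans]
+# Duplicate transitive versions are common and noisy — surface but don't fail.
+multiple-versions = "warn"
+# Our own crates must pin real version requirements, never "*".
+wildcards = "deny"
+
+[sources]
+# Only the official crates.io registry is trusted. Reject unknown registries
+# and any git sources (there are none today).
+unknown-registry = "deny"
+unknown-git = "deny"
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]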
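Review bot: The `ignore = []` entry under `[advisories]` asks for a written justification per advisory but gives the list no place to carry one, so the rule is enforced only by review discipline; cargo-deny accepts table entries with a `reason` field, and the comment should point maintainers at that form, e.g. `ignore = [{ id = "RUSTSEC-<year>-<number>", reason = "<why this advisory does not apply>" }]` (placeholder values). That keeps the rationale next to the exception it excuses and visible in cargo-deny's own output. Separately, the `[sources]` allow-list names only the crates.io git index URL, which matches what Cargo.lock records for crates.io today; if a mirror or alternative registry is ever introduced, it must be added here or `unknown-registry = "deny"` will fail the build — worth a one-line comment above `allow-registry` so the failure is understood rather than worked around.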