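--- a/.cargo/audit.toml
+++ b/.cargo/audit.toml
@@ -0,0 +1,25 @@
+# Configuration for cargo audit (https://github.com/rustsec/rustsec).
+#
+# Every ignored advisory below comes from optional tooling or the historical
+# parser versions the benchmark deliberately compiles, never from the core
+# library or anything in the published site. A new advisory anywhere else still
+# fails the build. Unmaintained-crate warnings (yaml-rust via syntect, bincode,
+# proc-macro-error) are left visible on purpose, they are informational and do
+# not fail the run.
+[advisories]
+ignore = [
+# fast-float 0.2.0: segfault (no upstream fix) and soundness issues. Pulled
+# only by the historical databend-common-ast 0.0.3 that the time-machine
+# crate compiles to benchmark old releases. Current databend uses the
+# maintained fast-float2 fork, so this never reaches the core benchmark.
+"RUSTSEC-2025-0003",
+"RUSTSEC-2024-0379",
+# rustls-webpki 0.101.7: three certificate-validation advisories, fixed only
+# in a rustls line that tiberius 0.12.3 does not yet allow. Pulled only by
+# tiberius (the SQL Server client) in the oracle crate, which runs locally
+# in Docker to refresh the committed validity labels. It is not part of the
+# benchmark, the site, or CI, and it talks only to a trusted local container.
+"RUSTSEC-2026-0098",
+"RUSTSEC-2026-0099",
+"RUSTSEC-2026-0104",
+]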
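Review bot: The `ignore` entries under `[advisories]` silence each advisory id everywhere in the dependency graph, not only in the time-machine and oracle crates the comments describe, so the "never reaches the core benchmark" statement is documented here but not enforced by this file. A weekly audit would keep passing if a later dependency change pulled fast-float 0.2.0 or rustls-webpki 0.101.7 into the core library, because cargo-audit has no per-path scoping for ignores. I would state that limitation and give each group a revisit trigger, e.g. above the fast-float ids `# NOTE: ignores are by advisory id, not by dependent crate; re-check with cargo tree -i fast-float whenever time-machine's pinned versions change.` and above the webpki ids `# Revisit once tiberius allows a rustls line that carries the fixed webpki.` The advisory ids and the tiberius/rustls version claims are taken from the comments as written; I have not checked them against the advisory index.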
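--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@@ -0,0 +1,27 @@
+name: Security audit
+
+on:
+push:
+branches: [main]
+pull_request:
+branches: [main]
+schedule:
+# Weekly, so newly published advisories are caught without a code change.
+- cron: "0 6 * * 1"
+
+jobs:
+audit:
+name: Audit
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v4
+- uses: dtolnay/rust-toolchain@stable
+- uses: taiki-e/install-action@v2
+with:
+tool: cargo-audit
+# Cargo.lock is gitignored (the benchmark tracks latest deps), so resolve
+# a fresh lockfile to audit the versions CI would actually build.
+- name: Generate lockfile
+run: cargo generate-lockfile
+- name: Audit dependencies
+run: cargo audit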
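Review bot: The workflow declares no `permissions:` block, so the job runs with the repository's default GITHUB_TOKEN scope even though nothing in it needs more than read access, and all three `uses:` steps pin by mutable tag (`@v4`, `@stable`, `@v2`) rather than by commit SHA, which is the usual supply-chain hardening for a job that exists to audit dependencies. Add a top-level `permissions:` with `contents: read`, and pin `actions/checkout` and `taiki-e/install-action` to the full SHA the tag currently resolves to, keeping the tag in a trailing comment so the pin stays readable and updatable. For `dtolnay/rust-toolchain@stable` the channel is encoded in the ref; if I recall the action's interface correctly it can be SHA-pinned with a `toolchain: stable` input instead, otherwise leave a comment saying why that one stays tag-pinned. Since `cargo audit` is run without `--deny warnings`, the comment in `.cargo/audit.toml` about unmaintained-crate warnings being informational matches what this step actually does.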