
ci: add cargo audit workflow #867

Closed

pau-hedgehog wants to merge 2 commits into main from pau/cargo_audit


Conversation

@pau-hedgehog (Contributor)

No description provided.

Signed-off-by: Pau Capdevila <pau@githedgehog.com>
@pau-hedgehog pau-hedgehog self-assigned this Sep 24, 2025
@pau-hedgehog pau-hedgehog requested a review from a team as a code owner September 24, 2025 18:01
@pau-hedgehog pau-hedgehog requested review from daniel-noland and removed request for a team September 24, 2025 18:01
@pau-hedgehog (Contributor, Author)

I'm not sure you have this covered somewhere else. So far it could show 2 unmaintained crates: https://github.com/githedgehog/dataplane/actions/runs/17985301616/job/51161859356?pr=867

@pau-hedgehog pau-hedgehog added the ci Continuous Integration label Sep 24, 2025
Comment thread on .github/workflows/cargo-audit.yaml (outdated)

```yaml
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - name: Install cargo-audit
        run: cargo install cargo-audit
```

Contributor

Is there an image we can use with cargo audit installed instead of installing and building it each time?

@pau-hedgehog (Contributor, Author) Sep 25, 2025

> Is there an image we can use with cargo audit installed instead of installing and building it each time?

Found an image, but it's very old: https://github.com/simonhyll/cargo-audit/pkgs/container/cargo-audit

I guess we could build our own runner image, but instead I propose to use another Action which is officially maintained and uses caching, which skips the redundant scan:

Additionally, we may consider running Dependabot for Rust. I can raise a separate PR for it.

uses actions-rust-lang/audit, which has caching

Signed-off-by: Pau Capdevila <pau@githedgehog.com>
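The workflow shape that the second commit describes (actions-rust-lang/audit with its built-in advisory-database caching), written out here as an added example; it is not the file from this PR and not the dataplane repository's own configuration. The action's `ignore` and `denyWarnings` inputs are assumed from the action's documentation, and the RUSTSEC ids in the ignore list are placeholders, not the two advisories the CI run reported.

```yaml
# Added example: a cargo-audit workflow built on actions-rust-lang/audit.
# Not the PR's own .github/workflows/cargo-audit.yaml.
name: cargo audit

on:
  pull_request:
    paths:
      - "**/Cargo.toml"
      - "**/Cargo.lock"
      - ".github/workflows/cargo-audit.yaml"
  schedule:
    # Weekly run so that advisories published after the last Cargo.lock
    # change are still caught.
    - cron: "0 6 * * 1"

# Read-only token: the job only checks out the tree and reads the advisory DB.
permissions:
  contents: read

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # actions-rust-lang/audit installs cargo-audit and caches the RustSec
      # advisory database between runs, which replaces the
      # `cargo install cargo-audit` step of the first revision.
      - uses: actions-rust-lang/audit@v1
        with:
          # Assumed input: fail the job on warnings (e.g. unmaintained crates)
          # instead of letting them scroll past in the log.
          denyWarnings: true
          # Assumed input: comma-separated advisories that have been reviewed
          # and accepted. Placeholder ids; the repo's deny.toml plays this
          # role for cargo deny.
          ignore: RUSTSEC-0000-0000,RUSTSEC-0000-0001
```

With `denyWarnings` on, an ignore entry is the only way for a known unmaintained-crate warning to pass, so each accepted advisory has to be listed explicitly, mirroring what the `deny.toml` ignore list does for cargo deny.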
@qmonnet (Member) commented Sep 25, 2025

Thanks @pau-hedgehog, I think we're already covered for this repo.

We've got cargo deny set up in CI, and my understanding is that it checks advisories like cargo audit does (plus some other things). The two advisories that you found as warnings are known and explicitly ignored in deny.toml. Is there anything more that you're trying to get via cargo audit?

We also have Dependabot set up for the repo, along with our own workflow to bump dependencies with cargo update and cargo upgrade. Happy to walk you through if you want the details.

@pau-hedgehog (Contributor, Author)

> Thanks @pau-hedgehog, I think we're already covered for this repo.

Ok, then I'm closing this. Sorry for wasting your time.

> We've got cargo deny set up in CI, and my understanding is that it checks advisories like cargo audit does (plus some other things). The two advisories that you found as warnings are known and explicitly ignored in deny.toml. Is there anything more that you're trying to get via cargo audit?

After updating the govulncheck in our Go repos, I was doing my first incursion into the Rust world to see if there was something equivalent. Next time I'll spend some more time researching and/or asking. Thanks.

@qmonnet (Member) commented Sep 25, 2025

No problem at all, thanks for looking into this!

@pau-hedgehog pau-hedgehog deleted the pau/cargo_audit branch June 15, 2026 23:50