Skip to content

Security audit

Security audit #510

name: Security audit
on:
schedule:
- cron: '0 0 * * *'
jobs:
security_audit:
runs-on: ubuntu-latest
steps:
- uses: Swatinem/rust-cache@v1
with:
sharedKey: jira_cli-check-security-audit
cache-on-failure: true
- uses: actions/checkout@v1
- uses: actions-rs/audit-check@v1
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Install stable toolchain
uses: actions-rs/toolchain@v1
with:
profile: minimal
toolchain: stable
override: true
- name: Install nightly toolchain
uses: actions-rs/toolchain@v1
with:
profile: minimal
toolchain: nightly
override: false
- name: Update Rustup (temporary workaround)
run: |
rm /home/runner/.cargo/bin/cargo-fmt
rm /home/runner/.cargo/bin/rustfmt
rustup self update
rustup update --no-self-update
curl -L --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/cargo-bins/cargo-binstall/main/install-from-binstall-release.sh | bash
cargo binstall -y --force cargo-quickinstall
- name: Deny check
run: |
cargo binstall -y --force cargo-deny
cargo deny --format json check bans licenses sources advisories > $HOME/deny.json || exit 0
- name: Audit check
run: |
cargo binstall -y --force cargo-audit
cargo audit --json > $HOME/audit.json || exit 0
- name: Check a local package and all of its dependencies for errors
uses: actions-rs/cargo@v1
with:
command: check
args: --all
- name: Lint check
uses: actions-rs/cargo@v1
with:
command: fmt
args: --all --check
- name: Outdated check
run: |
cargo binstall -y --force cargo-outdated
cargo outdated --depth 1 --format json > $HOME/outdated.json
- name: Udeps check
run: |
cargo binstall -y --force cargo-udeps
cargo +nightly udeps --quiet --workspace --all-features --all-targets --output json > $HOME/udeps.json || exit 0
- name: Clippy check
run: |
rustup component add clippy
cargo clippy --all-features --all-targets --message-format=json -- -Dclippy::all -Dclippy::nursery -Dclippy::pedantic > $HOME/clippy.json || exit 0
- name: Sonar converter
run: |
cargo binstall -y --force cargo-sonar
cargo sonar --issues audit,clippy,deny,outdated,udeps --audit-path $HOME/audit.json --clippy-path $HOME/clippy.json --deny-path $HOME/deny.json --outdated-path $HOME/outdated.json --udeps-path $HOME/udeps.json --issues-path $HOME/sonar.json
- name: Setup sonarqube
uses: warchant/setup-sonar-scanner@v3
- name: Run sonarqube
run: sonar-scanner -Dsonar.organization=${{ secrets.SONAR_ORGANIZATION }} -Dsonar.projectKey=${{ secrets.SONAR_PROJECT_KEY }} -Dsonar.sources=$GITHUB_WORKSPACE -Dsonar.host.url=${{ secrets.SONAR_URL }} -Dsonar.login=${{ secrets.SONAR_TOKEN }} -Dsonar.externalIssuesReportPaths=$HOME/sonar.json
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}