ci: add cargo-deny supply-chain gate for Rust dependencies#149
Merged
Conversation
CI ran fmt/clippy/test plus a secret scan, but nothing checked the dependency tree for known vulnerabilities. Add a cargo-deny job (advisories + bans + sources) so a RUSTSEC advisory, a yanked crate, a wildcard version requirement, or a dependency from an unexpected registry fails CI. deny.toml is scoped to the security checks; license compliance is left for a follow-up so the gate stays focused. The action is commit-pinned. Verified locally with cargo-deny 0.19.8: advisories ok, bans ok, sources ok.
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds a Rust dependency supply-chain audit to CI using cargo-deny, focused on advisories, wildcard bans, and dependency source restrictions.
Changes:
- Adds a root
deny.tomlconfiguringadvisories,bans, andsourceschecks. - Adds a new
cargo-denyCI job that runscargo deny check advisories bans sources. - Pins the
cargo-deny-actionby commit SHA.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
deny.toml |
Defines the cargo-deny policy for vulnerability/yank checks, wildcard bans, duplicate warnings, and trusted dependency sources. |
.github/workflows/ci.yml |
Adds the dependency audit job to the existing CI workflow. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds a dependency-vulnerability gate to CI — the one supply-chain hole in the current setup. CI runs
fmt/clippy/test+check-secrets.py, but nothing audits the dependency tree (261 crates, recently grown).What
A new
cargo-denyjob in.github/workflows/ci.ymlrunscargo deny check advisories bans sourceson every PR/push:*) version requirements; surface duplicate transitive versions as warnings (non-fatal).Config lives in
deny.tomlat the repo root.Scope
Intentionally security-only. License compliance is left for a follow-up so this gate stays focused and does not fail on license classification; enabling it later is a one-line change (
[licenses]allow-list +check licenses).Notes
cargo-deny-actionis commit-pinned (bb137d7…= v2.0.20) — a supply-chain gate should not itself depend on a mutable action tag.Cargo.lock:advisories ok, bans ok, sources ok. Two duplicate-version warnings (thiserror,wit-bindgen) are surfaced but non-fatal.Opened against the contribution freeze as a focused hardening change, in the same vein as #144 / #145 / #148.