Skip to content

Security

Security #882

Workflow file for this run

name: Security
env:
CARGO_TERM_COLOR: always
RUST_BACKTRACE: 1
RUSTDOCFLAGS: '--deny warnings'
MINIMUM_SUPPORTED_RUST_VERSION: 1.85.0
RUST_CHANNEL: stable
on:
schedule:
- cron: "0 10 * * MON" # every monday, at 10AM
pull_request:
branches:
- main
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
dependencies:
runs-on: ubuntu-latest
if: ${{ github.actor != 'dependabot[bot]' }}
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
with:
persist-credentials: false
- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32
- run: |
rustup update --no-self-update ${RUST_CHANNEL}
rustup component add --toolchain ${RUST_CHANNEL} cargo
rustup default ${RUST_CHANNEL}
env:
RUST_CHANNEL: ${{ env.RUST_CHANNEL }}
- name: Install cargo-edit
run: cargo install --locked cargo-edit
- name: Check for outdated dependencies
run: cargo upgrade --dry-run --locked
audit:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
with:
persist-credentials: false
- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32
- run: |
rustup update --no-self-update ${RUST_CHANNEL}
rustup component add --toolchain ${RUST_CHANNEL} cargo
rustup default ${RUST_CHANNEL}
env:
RUST_CHANNEL: ${{ env.RUST_CHANNEL }}
- name: Install cargo-outdated
run: cargo install --locked cargo-audit
- name: Cargo audit
run: cargo audit
docker:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
with:
persist-credentials: false
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
- name: Scan image
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
with:
context: .
push: false
tags: maif/yozefu:latest
load: true
- name: Scan docker image
uses: anchore/scan-action@522bcc5cc7e62e4ce7cbe30f22372b991b432751
id: scan
with:
image: "maif/yozefu:latest"
fail-build: false
- name: upload Anchore scan SARIF report
uses: github/codeql-action/upload-sarif@f94817b9f0deeb3871261446912ae8f854d1b675
with:
sarif_file: ${{ steps.scan.outputs.sarif }}