Add cargo-audit to CI (#3378) #3823
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This was referenced Oct 26, 2025
MartinquaXD
reviewed
Oct 27, 2025
Contributor
MartinquaXD
left a comment
MartinquaXD
left a comment
There was a problem hiding this comment.
Nice documentation of the known vulnerabilities. 👍
jmg-duarte
reviewed
Oct 28, 2025
Grinsven
commented
Oct 28, 2025
Contributor
Author
Grinsven
left a comment
Grinsven
left a comment
There was a problem hiding this comment.
How do we know when it no longer applies? Does cargo-audit also provide tools for that?
cargo-audit doesn't have this. You'd need to manually check audit.toml when upgrading dependencies from #3338 and remove the
matching RUSTSEC entries.
cargo-deny has automatic detection built in. It warns when an ignored advisory no longer applies to your dependency versions.
Can switch the CI job if you want that instead.
MartinquaXD
approved these changes
Oct 30, 2025
jmg-duarte
approved these changes
Oct 30, 2025
Contributor
|
@Grinsven could you please rebase this PR onto the latest |
squadgazzz
approved these changes
Oct 31, 2025
.cargo/audit.toml
Outdated
| # Only NEW vulnerabilities will cause CI to fail | ||
|
|
||
| [advisories] | ||
| # Known vulnerabilities that are tracked in issue #3338 |
Contributor
There was a problem hiding this comment.
Could you add a link to the issue?
Grinsven
force-pushed
the
add-cargo-audit-ci
branch
from
78dc80e to
cde3654
Compare
Grinsven
added a commit
to Grinsven/services
that referenced
this pull request
Oct 31, 2025
- Exclude 14 known vulnerabilities tracked in cowprotocol#3338 - Only new vulnerabilities will fail CI
Grinsven
force-pushed
the
add-cargo-audit-ci
branch
from
cde3654 to
1f2d4b9
Compare
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Integrates cargo-audit into the CI pipeline to scan for dependency vulnerabilities on every pull request. The rustsec/audit-check action runs cargo audit and fails CI if new vulnerabilities are detected.
Known vulnerabilities requiring non-trivial upgrades are excluded in .cargo/audit.toml. This includes 14 advisories tracked in #3338 covering sqlx (breaking changes to 0.8.x), unmaintained crates (atty, derivative, adler, instant, paste, proc-macro-error), and transitive dependencies with no available patches. Only NEW vulnerabilities will cause CI failures.
Changes:
Fixes #3378