|
12 | 12 | jobs: |
13 | 13 | audit: |
14 | 14 | runs-on: ubuntu-latest |
| 15 | + timeout-minutes: 15 |
15 | 16 | steps: |
16 | | - - uses: actions/checkout@v3 |
| 17 | + - uses: actions/checkout@v4 |
17 | 18 |
|
18 | 19 | - name: Install Rust |
19 | 20 | uses: dtolnay/rust-toolchain@stable |
20 | 21 |
|
21 | 22 | - name: Cache Rust dependencies |
22 | | - uses: actions/cache@v3 |
| 23 | + uses: actions/cache@v4 |
23 | 24 | with: |
24 | 25 | path: | |
25 | 26 | ~/.cargo/registry |
26 | 27 | ~/.cargo/git |
27 | | - key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }} |
| 28 | + key: ${{ runner.os }}-${{ runner.arch }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }} |
28 | 29 |
|
29 | 30 | - name: Install cargo-audit |
| 31 | + timeout-minutes: 5 |
30 | 32 | run: cargo install cargo-audit |
31 | 33 |
|
32 | 34 | - name: Check for major dependency updates |
| 35 | + timeout-minutes: 3 |
33 | 36 | run: | |
34 | 37 | echo "Checking for major version updates in dependencies..." |
35 | 38 | cargo update --dry-run | grep -E "(solana|spl)" | grep -E "(\+[2-9]\.[0-9]|\+[0-9]{2,}\.)" || echo "No major dependency updates found" |
36 | 39 | |
37 | 40 | - name: Run cargo-audit |
38 | | - run: cargo audit |
| 41 | + timeout-minutes: 5 |
| 42 | + run: | |
| 43 | + echo "Running cargo audit with JSON output for detailed error reporting..." |
| 44 | + cargo audit --json > audit_results.json || true |
| 45 | + |
| 46 | + # Display JSON results for CI logs |
| 47 | + cat audit_results.json |
| 48 | + |
| 49 | + # Check if vulnerabilities were found |
| 50 | + if jq -r '.vulnerabilities.found' audit_results.json | grep -q 'true'; then |
| 51 | + echo "⚠️ Security vulnerabilities detected in dependency tree" |
| 52 | + VULN_COUNT=$(jq -r '.vulnerabilities.count' audit_results.json) |
| 53 | + echo "Total vulnerabilities: $VULN_COUNT" |
| 54 | + |
| 55 | + # List specific vulnerabilities |
| 56 | + echo "Vulnerability details:" |
| 57 | + jq -r '.vulnerabilities.list[].advisory | "- \(.id): \(.package) - \(.title)"' audit_results.json |
| 58 | + |
| 59 | + # Check for known acceptable vulnerabilities from Solana ecosystem |
| 60 | + KNOWN_VULNS="RUSTSEC-2024-0344 RUSTSEC-2022-0093" |
| 61 | + NEW_VULNS="" |
| 62 | + |
| 63 | + for vuln in $(jq -r '.vulnerabilities.list[].advisory.id' audit_results.json); do |
| 64 | + if [[ ! " $KNOWN_VULNS " =~ " $vuln " ]]; then |
| 65 | + NEW_VULNS="$NEW_VULNS $vuln" |
| 66 | + fi |
| 67 | + done |
| 68 | + |
| 69 | + if [[ -n "$NEW_VULNS" ]]; then |
| 70 | + echo "❌ NEW security vulnerabilities found: $NEW_VULNS" |
| 71 | + echo "These are not known acceptable risks and must be addressed." |
| 72 | + exit 1 |
| 73 | + else |
| 74 | + echo "✅ Only known acceptable vulnerabilities found (Solana ecosystem dependencies)" |
| 75 | + echo "See docs/security-audit.md for details on risk assessment" |
| 76 | + echo "Continuing with acceptable risk..." |
| 77 | + fi |
| 78 | + else |
| 79 | + echo "✅ No security vulnerabilities found!" |
| 80 | + fi |
| 81 | + |
| 82 | + - name: Upload audit results |
| 83 | + uses: actions/upload-artifact@v4 |
| 84 | + if: always() |
| 85 | + with: |
| 86 | + name: cargo-audit-results-${{ github.run_number }} |
| 87 | + path: audit_results.json |
| 88 | + retention-days: 30 |
39 | 89 |
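Review bot: The `|| true` after `cargo audit --json > audit_results.json` makes the new step fail open: if cargo-audit cannot fetch the advisory database, crashes, or writes no JSON, the `jq -r '.vulnerabilities.found'` pipeline produces nothing (or errors), `grep -q 'true'` fails, and the step prints "No security vulnerabilities found!" and passes. Capture the exit status and validate the output before trusting it, e.g. `cargo audit --json > audit_results.json; AUDIT_RC=$?` followed by `jq -e '.vulnerabilities.found != null' audit_results.json >/dev/null || { echo "cargo-audit produced no usable output (rc=$AUDIT_RC)"; exit 1; }` ahead of the `if`. The hard-coded `KNOWN_VULNS` allowlist would be better expressed as `ignore = [...]` in `.cargo/audit.toml` (or `--ignore` flags), which keeps the exceptions next to the risk assessment in `docs/security-audit.md` that the script points to and lets cargo-audit's own non-zero exit drive the failure; neither form expires an exception, so a review date for each ignored advisory is worth recording there. Separately, `cargo install cargo-audit` pulls whatever the latest release is on every run, so pinning it with `--version` and `--locked` keeps the audit tool itself reproducible.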
|