Skip to content

Add cargo audit to CI #1180

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add cargo audit to CI #1180

wants to merge 1 commit into from

Conversation

@alltheseas
Copy link
Contributor

@alltheseas alltheseas commented Oct 28, 2025
edited
Loading

Cargo Audit Purpose

Feature Description
Purpose Audits Rust dependencies for security issues
Checks Vulnerabilities, yanked crates, unmaintained crates
Database Uses RustSec Advisory Database
Usage cargo audit
Install cargo install cargo-audit
Common in CI pipelines and security-conscious Rust projects

Summary

  • add a cargo-audit job to .github/workflows/rust.yml alongside the existing
    lint/test matrix
  • install cargo-audit via taiki-e/install-action and run cargo audit --deny
    warnings so advisories fail the pipeline

Testing

  • cargo audit findings Oct 27 2025 run below. Otherwise github CI run will execute the new job
  • slab 0.4.10 — RUSTSEC-2025-0047 — Out-of-bounds access in get_disjoint_mut —
    upgrade to ≥0.4.11
    • tracing-subscriber 0.3.19 — RUSTSEC-2025-0055 — Logging user input can
      inject ANSI escape sequences — upgrade to ≥0.3.20
  • findings addressed in standalone PR here

@alltheseas alltheseas mentioned this pull request Oct 29, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@alltheseas