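---
# Security checks for the scipix example crate (examples/scipix).
#
# Reviewer notes:
# - The workflow-level `permissions` block restricts GITHUB_TOKEN to
#   `contents: read`; jobs that must write (SARIF upload, OIDC for Scorecard)
#   escalate explicitly and individually.
# - Third-party actions are referenced by tag here. For supply-chain hardening
#   pin each `uses:` to a full commit SHA; `trufflesecurity/trufflehog@main`
#   tracks a mutable branch and is the most urgent one to pin.
name: Security

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
  pull_request:
  schedule:
    # Run security audit weekly (Mondays 00:00 UTC)
    - cron: '0 0 * * 1'
  workflow_dispatch:

# Least privilege by default; jobs that need more declare it themselves.
permissions:
  contents: read

env:
  CARGO_TERM_COLOR: always

jobs:
  audit:
    name: Security Audit
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Setup Rust toolchain
        uses: dtolnay/rust-toolchain@stable

      - name: Install cargo-audit
        # --locked builds the tool from its own Cargo.lock instead of
        # re-resolving its dependency tree on every run.
        run: cargo install --locked cargo-audit

      - name: Run cargo audit
        # cargo-audit exits non-zero as soon as an advisory matches. If that
        # aborted the job here, the JSON report would never be evaluated by the
        # next step, so capture the exit status and let the report decide.
        run: |
          if ! cargo audit --manifest-path examples/scipix/Cargo.toml --json > audit-results.json; then
            echo "::warning::cargo audit exited non-zero; findings are evaluated in the next step"
          fi

      - name: Check for vulnerabilities
        run: |
          set -euo pipefail
          # Fail loudly if the audit produced no parseable JSON (tool or
          # advisory-db failure) instead of silently passing.
          jq -e . audit-results.json > /dev/null
          count=$(jq -r '.vulnerabilities.count // 0' audit-results.json)
          if [ "$count" -gt 0 ]; then
            echo "::error::Security vulnerabilities found!"
            jq '.vulnerabilities.list' audit-results.json
            exit 1
          fi

      - name: Upload audit results
        if: always()  # keep the report even when the check above fails
        uses: actions/upload-artifact@v4
        with:
          name: security-audit
          path: audit-results.json

  dependency-review:
    name: Dependency Review
    runs-on: ubuntu-latest
    # Only meaningful on a PR: diffs the PR's dependency changes against base.
    if: github.event_name == 'pull_request'
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: moderate
          deny-licenses: GPL-3.0, AGPL-3.0

  cargo-deny:
    name: Cargo Deny
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Cargo Deny
        # Policy (advisories, licenses, bans, sources) comes from the crate's
        # deny.toml, which is not visible here — confirm one exists next to
        # the manifest, otherwise the check runs with defaults.
        uses: EmbarkStudios/cargo-deny-action@v1
        with:
          manifest-path: examples/scipix/Cargo.toml
          command: check
          arguments: --all-features

  codeql:
    name: CodeQL Analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write  # required to upload results to code scanning
      actions: read
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: rust

      - name: Build
        run: cargo build --manifest-path examples/scipix/Cargo.toml --all-features

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3

  secrets-scan:
    name: Secrets Scanning
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history so a base..head commit range can be scanned

      - name: TruffleHog Scan
        # SECURITY: `@main` is a mutable branch of a third-party action that
        # executes with the checkout in scope. Pin to a release tag or, better,
        # a full commit SHA.
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./examples/scipix
          # Scan range by trigger: pull_request -> the PR's base..head;
          # push -> the pushed range. On schedule/workflow_dispatch the base
          # expression is empty, so the whole history is scanned.
          # NOTE(review): the previous `base: <default_branch>` / `head: HEAD`
          # resolve to the same commit on a push to main, which the action
          # rejects as an empty range — confirm against the action's README.
          # `github.event.before` is all zeros for a branch's first push;
          # only `main` is in scope here, so that case should not occur.
          base: ${{ github.event.pull_request.base.sha || github.event.before }}
          head: ${{ github.event.pull_request.head.sha || github.sha }}
          extra_args: --debug --only-verified

  license-check:
    name: License Compliance
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Setup Rust toolchain
        uses: dtolnay/rust-toolchain@stable

      - name: Install cargo-license
        run: cargo install --locked cargo-license

      - name: Check licenses
        run: |
          set -euo pipefail
          cd examples/scipix
          cargo license --json > licenses.json
          # Check for incompatible licenses. `.license` can be null for crates
          # with no license field, which would make `contains` raise a jq
          # error; default it to "". Note this also matches LGPL-* — tighten
          # the pattern if that is not intended.
          if jq -e '[.[] | select((.license // "") | contains("GPL"))] | length > 0' licenses.json > /dev/null; then
            echo "::error::GPL licensed dependencies found!"
            jq '.[] | select((.license // "") | contains("GPL"))' licenses.json
            exit 1
          fi

      - name: Upload license report
        if: always()  # keep the report even when the check above fails
        uses: actions/upload-artifact@v4
        with:
          name: license-report
          path: examples/scipix/licenses.json

  supply-chain:
    name: Supply Chain Security
    runs-on: ubuntu-latest
    # Scorecard publishes via OIDC and the SARIF goes to code scanning; both
    # need grants beyond the workflow default of `contents: read`.
    permissions:
      security-events: write
      id-token: write
      contents: read
      actions: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # Do not leave the job token in .git/config for later steps
          # (scorecard-action's documented checkout setting).
          persist-credentials: false

      - name: OSSF Scorecard
        uses: ossf/scorecard-action@v2
        with:
          results_file: scorecard-results.sarif
          results_format: sarif
          # NOTE(review): publishing is intended for push/schedule/
          # workflow_dispatch runs on the default branch; keep it off for
          # pull_request runs (results are still computed and uploaded below).
          publish_results: ${{ github.event_name != 'pull_request' }}

      - name: Upload SARIF results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: scorecard-results.sarif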