dearsky/wifi-densepose
1
0
Fork 0
Code Issues 20 Pull Requests 5 Actions Packages Projects Releases 1 Wiki Activity
Files
d803bfe2b1fe7f5e219e50ac20d6801a0a58ac75
wifi-densepose/examples/scipix/.github/workflows/security.yml
ruv d803bfe2b1 Squashed 'vendor/ruvector/' content from commit b64c2172 
git-subtree-dir: vendor/ruvector
git-subtree-split: b64c21726f2bb37286d9ee36a7869fef60cc6900
2026-02-28 14:39:40 -05:00

162 lines
4.0 KiB
YAML
Raw Blame History

name: Security
on:
push:
branches: [main]
pull_request:
schedule:
# Run security audit weekly
- cron: '0 0 * * 1'
workflow_dispatch:
env:
CARGO_TERM_COLOR: always
jobs:
audit:
name: Security Audit
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Setup Rust toolchain
uses: dtolnay/rust-toolchain@stable
- name: Install cargo-audit
run: cargo install cargo-audit
- name: Run cargo audit
run: cargo audit --manifest-path examples/scipix/Cargo.toml --json > audit-results.json
- name: Check for vulnerabilities
run: |
if [ $(jq '.vulnerabilities.count' audit-results.json) -gt 0 ]; then
echo "::error::Security vulnerabilities found!"
jq '.vulnerabilities.list' audit-results.json
exit 1
fi
- name: Upload audit results
if: always()
uses: actions/upload-artifact@v4
with:
name: security-audit
path: audit-results.json
dependency-review:
name: Dependency Review
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Dependency Review
uses: actions/dependency-review-action@v4
with:
fail-on-severity: moderate
deny-licenses: GPL-3.0, AGPL-3.0
cargo-deny:
name: Cargo Deny
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Cargo Deny
uses: EmbarkStudios/cargo-deny-action@v1
with:
manifest-path: examples/scipix/Cargo.toml
command: check
arguments: --all-features
codeql:
name: CodeQL Analysis
runs-on: ubuntu-latest
permissions:
security-events: write
actions: read
contents: read
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: rust
- name: Build
run: cargo build --manifest-path examples/scipix/Cargo.toml --all-features
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
secrets-scan:
name: Secrets Scanning
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: TruffleHog Scan
uses: trufflesecurity/trufflehog@main
with:
path: ./examples/scipix
base: ${{ github.event.repository.default_branch }}
head: HEAD
extra_args: --debug --only-verified
license-check:
name: License Compliance
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Setup Rust toolchain
uses: dtolnay/rust-toolchain@stable
- name: Install cargo-license
run: cargo install cargo-license
- name: Check licenses
run: |
cd examples/scipix
cargo license --json > licenses.json
# Check for incompatible licenses
if jq '.[] | select(.license | contains("GPL"))' licenses.json | grep -q .; then
echo "::error::GPL licensed dependencies found!"
exit 1
fi
- name: Upload license report
uses: actions/upload-artifact@v4
with:
name: license-report
path: examples/scipix/licenses.json
supply-chain:
name: Supply Chain Security
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: OSSF Scorecard
uses: ossf/scorecard-action@v2
with:
results_file: scorecard-results.sarif
results_format: sarif
publish_results: true
- name: Upload SARIF results
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: scorecard-results.sarif
Reference in New Issue View Git Blame Copy Permalink