diff --git a/.github/workflows/audit_rust.yml b/.github/workflows/audit_rust.yml new file mode 100644 index 0000000..eca88f5 --- /dev/null +++ b/.github/workflows/audit_rust.yml @@ -0,0 +1,18 @@ +name: Rust crate audit + +on: + push: + branches: ["**"] + paths: + - "**/Cargo.toml" + - "**/Cargo.lock" + schedule: + - cron: "43 1 * * *" + workflow_dispatch: + +jobs: + security_audit: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: EmbarkStudios/cargo-deny-action@v1 diff --git a/deny.toml b/deny.toml new file mode 100644 index 0000000..adf8004 --- /dev/null +++ b/deny.toml @@ -0,0 +1,46 @@ +[advisories] +ignore = [] +yanked = "warn" + +[licenses] +allow = [ + "MIT", + "Apache-2.0", + "Apache-2.0 WITH LLVM-exception", + "BSD-3-Clause", + "MPL-2.0", + "ISC", + "BSD-2-Clause", + "Unicode-DFS-2016", + "Zlib", + "CC0-1.0", + "0BSD", + "Unlicense", + "OpenSSL", +] +confidence-threshold = 0.8 +exceptions = [] + +[[licenses.clarify]] +crate = "ring" +expression = "MIT AND ISC AND OpenSSL" +license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }] + +[licenses.private] +ignore = true + +[bans] +multiple-versions = "allow" +wildcards = "allow" +highlight = "all" +workspace-default-features = "allow" +external-default-features = "allow" + +deny = [] + +[sources] +unknown-registry = "deny" +unknown-git = "deny" +allow-registry = ["https://github.com/rust-lang/crates.io-index"] +allow-git = [] +