Add cargo-audit action and update existing CI job to include Soteria (#19)
This commit is contained in:
parent
18edcd602e
commit
007dc64d3d
|
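--- /dev/null
+++ b/.cargo/audit.toml
@@ -0,0 +1,35 @@
+# All of the options which can be passed via CLI arguments can also be
+# permanently specified in this file.
+
+# RUSTSEC-2020-0071 and RUSTSEC-2020-0159 are low severity vulnerable upstream Solana crates. Ignored for now.
+
+[advisories]
+ignore = ["RUSTSEC-2020-0071","RUSTSEC-2020-0159"] # advisory IDs to ignore e.g. ["RUSTSEC-2019-0001", ...]
+informational_warnings = ["unmaintained"] # warn for categories of informational advisories
+severity_threshold = "medium" # CVSS severity ("none", "low", "medium", "high", "critical")
+
+# Advisory Database Configuration
+[database]
+path = "~/.cargo/advisory-db" # Path where advisory git repo will be cloned
+url = "https://github.com/RustSec/advisory-db.git" # URL to git repo
+fetch = true # Perform a `git fetch` before auditing (default: true)
+stale = false # Allow stale advisory DB (i.e. no commits for 90 days, default: false)
+
+# Output Configuration
+[output]
+deny = [] # exit on error if unmaintained dependencies are found
+format = "terminal" # "terminal" (human readable report) or "json"
+quiet = false # Only print information on error
+show_tree = false # Show inverse dependency trees along with advisories (default: true)
+
+# Target Configuration
+[target]
+# arch = "x86_64" # Ignore advisories for CPU architectures other than this one
+# os = "linux" # Ignore advisories for operating systems other than this one
+
+[packages]
+source = "all" # "all", "public" or "local"
+
+[yanked]
+enabled = false # Warn for yanked crates in Cargo.lock (default: true)
+update_index = true # Auto-update the crates.io index (default: true)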
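Review bot: `enabled = false` under `[yanked]` switches off the yanked-crate check that cargo-audit turns on by default (the trailing comment even records `default: true`), so a dependency that was pulled from crates.io, often for a correctness or security reason, passes this scan silently; unless a concrete noise problem motivated it, keep `enabled = true`. The two entries in `ignore` have no expiry either: the comment above `[advisories]` says "Ignored for now", but nothing records who re-reviews them or when, so I would extend it to `# ... Ignored for now — re-check when the affected Solana crates are bumped (tracking: [ISSUE-ID])`. Note also that `deny = []` under `[output]` means the `unmaintained` informational warnings never fail the job, which may be intended but is worth stating in that comment.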
|
@ -0,0 +1,46 @@
|
|||
# CI job for scanning Cargo dependencies for vulnerabilities and report/fail job based on criticality.
|
||||
# Critically vulnerable dependencies with fix available will mark the run as failed (X)
|
||||
name: Rust Cargo Audit
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: master
|
||||
pull_request:
|
||||
branches: master
|
||||
|
||||
# Allowing manual runs with ability to choose branch
|
||||
workflow_dispatch:
|
||||
|
||||
# Optimisation option by targeting direct paths to only scan when there are changes to dependencies in the push/PR
|
||||
# push:
|
||||
# paths:
|
||||
# - 'Cargo.toml'
|
||||
# - 'Cargo.lock'
|
||||
# pull_request:
|
||||
# paths:
|
||||
# - 'Cargo.toml'
|
||||
# - 'Cargo.lock'
|
||||
|
||||
# Example of running scheduled scans at 6AM UTC every Monday to regularly check for vulnerable dependencies
|
||||
# schedule:
|
||||
# - cron: '0 6 * * 1'
|
||||
|
||||
# Run the job
|
||||
jobs:
|
||||
Cargo-audit:
|
||||
name: Cargo Vulnerability Scanner
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Check out GitHub repo
|
||||
- uses: actions/checkout@v2
|
||||
|
||||
# Install cargo audit
|
||||
- name: Install Cargo Audit
|
||||
uses: actions-rs/install@v0.1
|
||||
with:
|
||||
crate: cargo-audit
|
||||
version: latest
|
||||
|
||||
# Run cargo audit using args from .cargo/audit.toml (ignores, etc.)
|
||||
- name: Run Cargo Audit
|
||||
run: cargo audit -c always
|
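Review bot: The workflow declares no `permissions:` block, so the job's GITHUB_TOKEN receives the repository's default permission set although an audit run only needs to read the checkout; add `permissions:` / `  contents: read` at the top level next to `name: Rust Cargo Audit`. The two actions are referenced by mutable tags (`actions/checkout@v2`, `actions-rs/install@v0.1`) and `version: latest` installs whichever cargo-audit is newest on each run, which makes the scan non-reproducible and trusts future pushes to those tags; pinning the actions to a commit SHA and cargo-audit to a specific version is the usual remedy. The header comment `# Critically vulnerable dependencies with fix available will mark the run as failed (X)` also appears to overstate the configured behaviour: as far as I can tell `cargo audit` exits nonzero for any advisory that survives the ignore list and severity threshold, not only critical ones with a fix, so the comment should describe that.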
|
@ -1,5 +1,4 @@
|
|||
name: CI
|
||||
|
||||
name: Lint, test & scan
|
||||
on:
|
||||
push:
|
||||
branches: [master, v*.*]
|
||||
|
@ -17,6 +16,7 @@ defaults:
|
|||
|
||||
jobs:
|
||||
lint:
|
||||
name: Install and run linters
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
|
@ -38,6 +38,7 @@ jobs:
|
|||
run: cargo clippy -- --deny=warnings --allow=clippy::style --allow=clippy::complexity
|
||||
|
||||
tests:
|
||||
name: Install and run tests
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
|
@ -52,7 +53,7 @@ jobs:
|
|||
toolchain: ${{ env.RUST_TOOLCHAIN }}
|
||||
- name: Cache dependencies
|
||||
uses: Swatinem/rust-cache@v1
|
||||
|
||||
|
||||
# Install Solana
|
||||
- name: Cache Solana binaries
|
||||
uses: actions/cache@v2
|
||||
|
@ -68,5 +69,31 @@ jobs:
|
|||
echo "Generating keypair..."
|
||||
solana-keygen new -o "$HOME/.config/solana/id.json" --no-passphrase --silent
|
||||
|
||||
- name: Run tests
|
||||
- name: Run bpf tests
|
||||
run: cargo test-bpf
|
||||
|
||||
# Create a cache for Soteria
|
||||
- name: Cache Soteria
|
||||
id: cache-soteria
|
||||
uses: actions/cache@v2
|
||||
with:
|
||||
path: ~/.cache/soteria
|
||||
key: ${{ runner.os }}-soteria
|
||||
|
||||
# Install Soteria
|
||||
- name: Install Soteria
|
||||
run: |
|
||||
echo "Downloading Soteria..."
|
||||
sh -c "$(curl -k https://supercompiler.xyz/install)"
|
||||
export PATH=$PWD/soteria-linux-develop/bin/:$PATH
|
||||
echo "$PWD/soteria-linux-develop/bin" >> $GITHUB_PATH
|
||||
echo "Updating Rust..."
|
||||
rustup update
|
||||
echo "Soteria ready!"
|
||||
|
||||
# Run Soteria tests against Cargo.toml for this repo (root folder)
|
||||
- name: Run Soteria
|
||||
run: |
|
||||
echo "Running Soteria..."
|
||||
soteria -analyzeAll .
|
||||
echo "Soteria finished!"
|
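Review bot: The Soteria install step runs `sh -c "$(curl -k https://supercompiler.xyz/install)"`, which disables TLS certificate verification (`-k`) and executes whatever the server returns, so anyone able to intercept that connection or control the host can run code in the job alongside the repository checkout and the Solana keypair generated a few lines earlier. Drop `-k`, download the script to a file, check it against a known digest before running it, and pin a Soteria release rather than the `develop` build that the `soteria-linux-develop/bin` path suggests; if the installer fetches further artifacts itself they need the same treatment, which I cannot see from here. The `export PATH=...` line is redundant with the `$GITHUB_PATH` append that follows it, and the `Cache Soteria` step caches `~/.cache/soteria` while nothing in the install step consults `steps.cache-soteria.outputs.cache-hit` or installs into that path, so the cache looks like a no-op unless the installer writes there. The enclosing `steps:` list begins outside this hunk.
```yaml
      - name: Install Soteria
        run: |
          echo "Downloading Soteria..."
          curl --fail --silent --show-error --proto '=https' --tlsv1.2 -o soteria-install.sh https://supercompiler.xyz/install
          echo "<EXPECTED_SHA256>  soteria-install.sh" | sha256sum -c -
          sh soteria-install.sh
          echo "$PWD/soteria-linux-develop/bin" >> "$GITHUB_PATH"
          # … unchanged: rustup update and completion echo …
```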