add deps scanning for cargo

2022-10-18 19:36:59 +01:00 · 2022-10-18 19:36:59 +01:00 · 9f108ab784
parent a5e5851dc1
commit 9f108ab784
1 changed files with 53 additions and 0 deletions
--- a/.github/workflows/ci-dependency-scan-cargo.yml
+++ b/.github/workflows/ci-dependency-scan-cargo.yml
@ -0,0 +1,53 @@
+name: Dependency Security Scan - Cargo
+
+on:
+  pull_request: 
+    branches: ['main', 'dev']
+    paths: ['cli/**',
+            'client/**',
+            'programs/**',
+            'keeper/**',
+            'lib/**',
+            'liquidator/**',
+            'anchor/cli/**',
+            'Cargo.lock']
+  push:
+    paths: ['cli/**',
+            'client/**',
+            'programs/**',
+            'keeper/**',
+            'lib/**',
+            'liquidator/**',
+            'anchor/cli/**',
+            'Cargo.lock']
+
+jobs:
+  trivy:
+    name: Dependency Scan
+    runs-on: ubuntu-latest
+    if: (github.actor != 'dependabot[bot]')
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      # Report all vulnerabilities in CI output
+      - name: Report on all vulnerabilities
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: 'Cargo.lock'
+          ignore-unfixed: true
+          hide-progress: true
+          format: 'table'
+          
+      # Fail the job on critical vulnerabiliies with fix available
+      - name: Fail on critical vulnerabilities
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: 'Cargo.lock'
+          ignore-unfixed: true
+          hide-progress: true
+          format: 'table'
+          severity: 'CRITICAL'
+          exit-code: '1'