From 9f108ab78430214c8e6f836145944709ac38dfeb Mon Sep 17 00:00:00 2001
From: silas <95582913+silas-x@users.noreply.github.com>
Date: Tue, 18 Oct 2022 19:36:59 +0100
Subject: [PATCH] add deps scanning for cargo
---
 .../workflows/ci-dependency-scan-cargo.yml | 53 +++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 .github/workflows/ci-dependency-scan-cargo.yml
diff --git a/.github/workflows/ci-dependency-scan-cargo.yml b/.github/workflows/ci-dependency-scan-cargo.yml
new file mode 100644
index 000000000..ef63a7e22
--- /dev/null
+++ b/.github/workflows/ci-dependency-scan-cargo.yml
@@ -0,0 +1,53 @@
+name: Dependency Security Scan - Cargo
+
+on:
+ pull_request:
+ branches: ['main', 'dev']
+ paths: ['cli/**',
+ 'client/**',
+ 'programs/**',
+ 'keeper/**',
+ 'lib/**',
+ 'liquidator/**',
+ 'anchor/cli/**',
+ 'Cargo.lock']
+ push:
+ paths: ['cli/**',
+ 'client/**',
+ 'programs/**',
+ 'keeper/**',
+ 'lib/**',
+ 'liquidator/**',
+ 'anchor/cli/**',
+ 'Cargo.lock']
+
+jobs:
+ trivy:
+ name: Dependency Scan
+ runs-on: ubuntu-latest
+ if: (github.actor != 'dependabot[bot]')
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ # Report all vulnerabilities in CI output
+ - name: Report on all vulnerabilities
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ scan-ref: 'Cargo.lock'
+ ignore-unfixed: true
+ hide-progress: true
+ format: 'table'
+
+ # Fail the job on critical vulnerabiliies with fix available
+ - name: Fail on critical vulnerabilities
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ scan-ref: 'Cargo.lock'
+ ignore-unfixed: true
+ hide-progress: true
+ format: 'table'
+ severity: 'CRITICAL'
+ exit-code: '1'
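Review bot: Both Trivy steps reference `uses: aquasecurity/trivy-action@master`, a mutable branch ref, so the code that gates merges on `main`/`dev` can change without any change to this repository and is not reproducible across runs; pin each step to a full commit SHA with the release tag as a trailing comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha-of-tested-release>  # <release-tag>` (placeholders), and let Dependabot or a similar updater bump the pin. The workflow declares no `permissions:` block, so the job inherits the repository's default token scope although checkout plus a filesystem scan of `Cargo.lock` only need `permissions: contents: read` at the top level. The comment above the second step misspells "vulnerabilities" as `vulnerabiliies`. The two `paths:` filters are flow sequences wrapped across several lines; writing them as block sequences (one `- 'cli/**'` per line) would read and diff more cleanly, and a YAML anchor shared by both triggers would keep the duplicated lists from drifting apart.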