Skip to content
Security audit

Security audit #3212

Sign in to view logs

Security audit

Security audit #3212

Workflow file for this run

.github/workflows/audit-check.yml at 1496067
name: Security audit
on:
schedule:
- cron: "0 0 * * *"
pull_request:
branches: [ main ]
jobs:
audit:
runs-on: ubuntu-latest
permissions:
contents: read
issues: write
checks: write
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 # v2.0.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
ignore: RUSTSEC-2023-0071,RUSTSEC-2025-0111
# RUSTSEC-2023-0071 = Marvin Attack: potential key recovery through timing sidechannels => not used exploitably
# RUSTSEC-2025-0111 = tokio-tar parses PAX extended headers incorrectly, allows file smuggling => only used in testcontainer-rs, so not explitably
codeql:
name: CodeQL (${{ matrix.language }})
runs-on: ubuntu-latest
permissions:
# required for all workflows
security-events: write
# required to fetch internal or private CodeQL packs
packages: read
# only required for workflows in private repositories
actions: read
contents: read
strategy:
fail-fast: false
matrix:
include:
- language: actions
- language: javascript-typescript
- language: rust
steps:
- name: Checkout repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Initialize CodeQL
uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
with:
languages: ${{ matrix.language }}
build-mode: none
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
with:
category: "/language:${{matrix.language}}"