Skip to content

Security Audit

Security Audit #577

name: Security Audit
on:
pull_request:
branches:
- main
paths:
- "**/Cargo.toml"
- "**/Cargo.lock"
- ".github/workflows/security-audit.yml"
- "cloud_connectors/resources/azure_function/**"
schedule:
- cron: "0 0 * * *" # once a day at midnight UTC
# NB: that cron trigger on GH actions runs only on the default branch
jobs:
security_audit_rust:
runs-on: ubuntu-latest
steps:
- name: Checkout repository and submodules
uses: actions/checkout@v3
with:
submodules: recursive
- name: Install Rust toolchain
uses: ./.github/actions/install-rust-toolchain
# Ignored advisories:
# - https://rustsec.org/advisories/RUSTSEC-2024-0320 : yaml-rust is unmaintained
# - This is a dependency of the config crate, which does not have a version without yaml-rust.
# See https://github.com/mehcode/config-rs/issues/473 and https://github.com/eclipse-ibeji/ibeji-example-applications/issues/61
- name: Cargo audit
uses: actions-rs/cargo@v1
with:
command: audit
args: --deny warnings --ignore RUSTSEC-2024-0320
security_audit_csharp:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
language: [ 'csharp' ]
steps:
- name: Checkout repository and submodules
uses: actions/checkout@v3
with:
submodules: recursive
- name: Install .NET 6.0.x
uses: actions/setup-dotnet@v3
with:
dotnet-version: '6.0.x'
- name: Cache NuGet dependencies
uses: actions/cache@v3
with:
path: ~/.nuget/packages
# Look to see if there is a cache hit for the corresponding requirements file
key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.lock.json') }}
restore-keys: |
${{ runner.os }}-nuget
- name: Check .NET version
run: dotnet --info
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: ${{ matrix.language }}
- name: Build MQTT Connector's Azure Function
run: |
dotnet build cloud_connectors/resources/azure_function/src/function.csproj
dotnet build cloud_connectors/resources/azure_function/tests/MQTTConnectorAzureFunction.Tests.csproj
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2