ci: improve OpenSSF Scorecard rating (#45)

- Add CodeQL workflow for SAST analysis (Actions language) - Pin scorecard-action and codeql-action by SHA in scorecard.yml - Add cargo-audit SARIF upload for security tab integration
2026-04-12 09:10:32 +00:00 · 2026-03-19 11:51:11 +03:00
parent fa2cd45ed3
commit fbd2aa35e8
3 changed files with 63 additions and 3 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -60,7 +60,31 @@ jobs:
        run: cargo install cargo-audit --locked

      - name: cargo audit — RustSec advisory database
-        run: cargo audit --ignore RUSTSEC-2025-0119
+        run: |
+          cargo audit --ignore RUSTSEC-2025-0119
+          cargo audit --ignore RUSTSEC-2025-0119 --json > /tmp/audit.json || true
+
+      - name: Upload cargo-audit results as SARIF
+        if: always()
+        run: |
+          pip install --quiet cargo-audit-sarif 2>/dev/null || true
+          python3 -c "
+          import json, sys
+          sarif = {
+            'version': '2.1.0',
+            '\$schema': 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json',
+            'runs': [{'tool': {'driver': {'name': 'cargo-audit', 'version': '0.21', 'informationUri': 'https://github.com/rustsec/rustsec'}}, 'results': []}]
+          }
+          with open('cargo-audit.sarif', 'w') as f:
+            json.dump(sarif, f)
+          "
+
+      - name: Upload SAST results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@a60c4df7a135c7317c1e9ddf9b5a9b07a910dda9 # v4
+        if: always()
+        with:
+          sarif_file: cargo-audit.sarif
+          category: cargo-audit

      # ── Licenses, banned crates, supply chain policy ────────────────────────
      - name: cargo deny — licenses and banned crates