- ci.yml: add security job (gitleaks, cargo-audit, cargo-deny, trivy fs) - release.yml: restructure into build-binary + build-docker matrix + release - build binary once on self-hosted, reuse across all Docker builds - trivy image scan per matrix variant, results to GitHub Security tab - SBOM generation in SPDX and CycloneDX formats attached to release - deny.toml: cargo-deny policy (allowed licenses, banned openssl, crates.io only) - Dockerfile: remove Rust build stage, use pre-built binary - Dockerfile.astra, Dockerfile.redos: FROM scratch for Russian certified OS support
# cargo-deny configuration — policy for `cargo deny check` in CI
# https://embarkstudios.github.io/cargo-deny/

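[advisories]
# Vulnerability database (RustSec). Only the upstream advisory-db is
# consulted; a mirrored copy can be appended here if the build runners
# cannot reach GitHub.
db-urls = ["https://github.com/rustsec/advisory-db"]
# A yanked version is one the publisher pulled back, often because of a
# defect or a compromised release. The older config format only warns on
# these by default; fail the check so a yanked dependency cannot ship.
yanked = "deny"
# Advisory IDs (RUSTSEC-YYYY-NNNN) to suppress. Keep this empty; any entry
# added must carry a comment with the reason and an owner/date so the
# suppression is revisited rather than forgotten.
ignore = []
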
[licenses]
# Licenses a dependency may carry, alphabetical. Anything outside this list
# is rejected unless the `copyleft` rule below applies (older cargo-deny
# semantics; `copyleft`/`unlicensed` are deprecated in the v2 config
# format, so confirm the cargo-deny version pinned in CI still accepts them).
allow = [
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "CC0-1.0",
    "ISC",
    "MIT",
    # Weak, file-level copyleft; allowed explicitly for linking into the binary.
    "MPL-2.0",
    # The openssl crates themselves are banned under [bans]; this license
    # text still appears on crates that vendor OpenSSL/BoringSSL-derived
    # code. Verify which dependency needs it with `cargo deny check licenses`
    # before removing the entry.
    "OpenSSL",
    "Unicode-3.0",
    "Unicode-DFS-2016",
    "Zlib",
]
# Copyleft licenses (GPL, LGPL, ...) that are not listed above only produce
# a warning, so a GPL dependency does NOT fail CI. Switch to "deny" if the
# shipped binary must stay free of strong-copyleft code.
copyleft = "warn"
# A crate whose license cannot be determined is an error.
unlicensed = "deny"

[bans]
# Several versions of one crate in the graph bloat the binary and multiply
# the audit surface, but are common in practice: surface them without failing.
multiple-versions = "warn"
# Crates that may not appear anywhere in the resolved dependency graph.
deny = [
    # TLS goes through rustls: no C OpenSSL to vendor, build or patch, and
    # the binary stays statically linkable. cargo-deny evaluates the whole
    # lock graph, so a transitive pull of these crates is rejected as well.
    { name = "openssl" },
    { name = "openssl-sys" },
]
# Crate versions exempted from the multiple-versions check.
skip = []

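[sources]
# The policy is "crates.io only". A dependency fetched from an unlisted
# registry or from a git URL must FAIL the check, not merely warn — with
# "warn" a `[patch]` or git override slips a crate past review while CI
# still goes green.
unknown-registry = "deny"
unknown-git = "deny"
# Registries a dependency may be resolved from. crates.io is listed by its
# git index URL; recent Cargo uses the sparse protocol
# (`sparse+https://index.crates.io/`), which cargo-deny treats as the same
# registry — confirm with `cargo deny check sources` on the CI runner.
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
# No git dependencies are permitted at all; add specific URLs here only
# with a comment naming the crate and why a published release is unusable.
allow-git = []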