baxterjo/audit-check

🛡️ GitHub Action for security audits

Audit Check

MIT licensed

This action audits your Rust dependencies for security vulnerabilities using cargo-audit, which checks the crate versions pinned in Cargo.lock against the RustSec Advisory Database. It reports vulnerabilities as status checks and can automatically create issues for scheduled runs.

Usage

- uses: rustsec/audit-check@v2
  with:
    # GitHub token used to create checks and issues: the workflow's own
    # GITHUB_TOKEN or a personal access token (PAT) stored as a secret.
    # [Learn more about creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
    # Default: ${{ github.token }}
    token: ''

    # Comma-separated list of advisory IDs to ignore
    ignore: ''

    # The directory containing Cargo.toml and Cargo.lock files
    # Default: .
    working-directory: ''

Scenarios

Audit on pull request

The simplest configuration runs on every pull request and push:

name: Security audit
on: [push, pull_request]

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - uses: rustsec/audit-check@v2
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

When vulnerabilities are found, the action creates a failed status check with details:

Check screenshot

Note

Informational advisories do not cause the check to fail.

Audit when dependencies change

Optimize your CI by only running audits when Cargo.toml or Cargo.lock files change. Note that a path filter alone will not catch an advisory published later against a dependency you already pin, so pair it with the scheduled audit below:

name: Security audit
on:
  push:
    paths:
      - '**/Cargo.toml'
      - '**/Cargo.lock'
  pull_request:
    paths:
      - '**/Cargo.toml'
      - '**/Cargo.lock'

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - uses: rustsec/audit-check@v2
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

Scheduled daily audit

Run audits on a schedule to catch advisories that are published after your dependencies were last changed:

name: Security audit
on:
  schedule:
    # Run daily at midnight UTC
    - cron: '0 0 * * *'

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - uses: rustsec/audit-check@v2
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

For scheduled runs, the action creates GitHub issues for each new advisory:

Issue screenshot

Note

Issues are only created for scheduled workflows. For push and pull request events, the action fails the check instead.

Ignore specific advisories

Some advisories may not apply to your use case, for example when the vulnerable function is never reachable from your code. An ignored ID is skipped on every run, so record the reason for each entry and revisit the list when you upgrade the affected crate:

steps:
  - uses: actions/checkout@v4
  - uses: dtolnay/rust-toolchain@stable
  - uses: rustsec/audit-check@v2
    with:
      token: ${{ secrets.GITHUB_TOKEN }}
      ignore: RUSTSEC-2020-0001,RUSTSEC-2020-0002

Audit a workspace subdirectory

For monorepos or projects with Cargo files in subdirectories:

steps:
  - uses: actions/checkout@v4
  - uses: dtolnay/rust-toolchain@stable
  - uses: rustsec/audit-check@v2
    with:
      token: ${{ secrets.GITHUB_TOKEN }}
      working-directory: backend/

Inputs

| Name | Description | Default |
| --- | --- | --- |
| `token` | Required. GitHub token for creating checks and issues. Use `${{ secrets.GITHUB_TOKEN }}` or a personal access token. | `${{ github.token }}` |
| `ignore` | Comma-separated list of advisory IDs to ignore (e.g., `RUSTSEC-2020-0001,RUSTSEC-2020-0002`) | |
| `working-directory` | Directory containing `Cargo.toml` and `Cargo.lock` files to audit | `.` |

Permissions

The action requires the following permissions on the token it is given. Declare them at the job or workflow level so the GITHUB_TOKEN is granted nothing beyond this. Pull requests opened from forks receive a read-only GITHUB_TOKEN regardless of this block, so the action cannot create a check run on those runs:

permissions:
  contents: read   # Required to see the contents of the repository
  checks: write    # Create status checks for PR runs
  issues: write    # Create issues for scheduled runs
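A single workflow that combines the scenarios above (path-filtered push/PR audits plus a daily scheduled audit) with least-privilege token scoping, as an added example that is not part of the project's README. It assumes a Rust project with Cargo.toml and Cargo.lock at the repository root and a default branch that the schedule runs against; the action and toolchain versions are the ones used elsewhere on this page.

```yaml
name: Security audit
on:
  # Push/PR runs fail the check when a dependency change introduces a vulnerability
  push:
    paths: ['**/Cargo.toml', '**/Cargo.lock']
  pull_request:
    paths: ['**/Cargo.toml', '**/Cargo.lock']
  # The scheduled run catches advisories published against unchanged dependencies
  # and opens an issue per new advisory instead of failing a check
  schedule:
    - cron: '0 0 * * *'   # daily at midnight UTC

# Workflow-level default: grant the token nothing; each job opts in below
permissions: {}

jobs:
  audit:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # read the repository contents
      checks: write    # create status checks for push/PR runs
      issues: write    # create issues for scheduled runs
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - uses: rustsec/audit-check@v2
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
```

Keeping `permissions: {}` at the workflow level and granting `checks: write` and `issues: write` only on the audit job means any other job added to this workflow later starts with an unprivileged token.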

License

The scripts and documentation in this project are released under the MIT License.
