Skip to content

rust-security

Four MR-time security scanners for Rust workspaces:

  • cargo-deny — license + advisory + bans check (RustSec / CVSS). Pinned to ^0.18 for CVSS 4.0 parsing (RustSec began shipping CVSS 4.0 advisories in late 2025; 0.16.x trips on them with unsupported CVSS version: 4.0).
  • cargo-audit — secondary advisory check on a different cadence. Pinned to ^0.22 for the same CVSS 4.0 reason. allow_failure: true, so an upstream advisory landing mid-day doesn't immediately block merges — review and either patch or pin in deny.toml.
  • trivy — filesystem scan, catching transitive vulns the Rust-specific scanners don't model.
  • gitleaks — secret-pattern scan, scoped to the MR's own commits.

cargo-deny and cargo-audit run on dev-tools, which bakes both (versions pinned there, not here). trivy and gitleaks run from their own pinned upstream images.

Always-on — no change-detection input. See Explanation: security, always-on.

Jobs

Job What it runs
cargo-deny cargo deny check
cargo-audit cargo audit (allow_failure)
trivy trivy fs --exit-code 1 --severity $[[ inputs.trivy_severity ]] --no-progress .
gitleaks gitleaks detect, with optional --config $[[ inputs.gitleaks_config ]], scoped to the MR diff base

Inputs

Input Type Default Description
stage string security GitLab CI stage.
if string '$CI_PIPELINE_SOURCE == "merge_request_event"' Gating rules:if: for every job.
rust_image string dev-tools:v0.1.2 Image used to run cargo-deny / cargo-audit.
cargo_deny_version string "^0.18" DEPRECATED / ignored on the default image (baked, pinned there).
cargo_audit_version string "^0.22" DEPRECATED / ignored on the default image.
trivy_image string "aquasec/trivy:0.69.0" Trivy image.
trivy_severity string "HIGH,CRITICAL" Severities trivy fails on.
gitleaks_image string "zricethezav/gitleaks:v8.30.1" Gitleaks image.
gitleaks_config string "" Optional --config <path> for a project-local allowlist.
extra_before_script string "" Prepended to the cargo-deny/cargo-audit jobs' before_script (apt installs the trivy/gitleaks images don't need).

Usage

include:
  - component: gitlab.com/phpboyscout/cicd/[email protected]

See also