rust-security¶
Four MR-time security scanners for Rust workspaces:
cargo-deny— license + advisory + bans check (RustSec / CVSS). Pinned to^0.18for CVSS 4.0 parsing (RustSec began shipping CVSS 4.0 advisories in late 2025;0.16.xtrips on them withunsupported CVSS version: 4.0).cargo-audit— secondary advisory check on a different cadence. Pinned to^0.22for the same CVSS 4.0 reason.allow_failure: true, so an upstream advisory landing mid-day doesn't immediately block merges — review and either patch or pin indeny.toml.trivy— filesystem scan, catching transitive vulns the Rust-specific scanners don't model.gitleaks— secret-pattern scan, scoped to the MR's own commits.
cargo-deny and cargo-audit run on
dev-tools, which bakes
both (versions pinned there, not here). trivy and gitleaks run from
their own pinned upstream images.
Always-on — no change-detection input. See Explanation: security, always-on.
Jobs¶
| Job | What it runs |
|---|---|
cargo-deny |
cargo deny check |
cargo-audit |
cargo audit (allow_failure) |
trivy |
trivy fs --exit-code 1 --severity $[[ inputs.trivy_severity ]] --no-progress . |
gitleaks |
gitleaks detect, with optional --config $[[ inputs.gitleaks_config ]], scoped to the MR diff base |
Inputs¶
| Input | Type | Default | Description |
|---|---|---|---|
stage |
string | security |
GitLab CI stage. |
if |
string | '$CI_PIPELINE_SOURCE == "merge_request_event"' |
Gating rules:if: for every job. |
rust_image |
string | dev-tools:v0.1.2 |
Image used to run cargo-deny / cargo-audit. |
cargo_deny_version |
string | "^0.18" |
DEPRECATED / ignored on the default image (baked, pinned there). |
cargo_audit_version |
string | "^0.22" |
DEPRECATED / ignored on the default image. |
trivy_image |
string | "aquasec/trivy:0.69.0" |
Trivy image. |
trivy_severity |
string | "HIGH,CRITICAL" |
Severities trivy fails on. |
gitleaks_image |
string | "zricethezav/gitleaks:v8.30.1" |
Gitleaks image. |
gitleaks_config |
string | "" |
Optional --config <path> for a project-local allowlist. |
extra_before_script |
string | "" |
Prepended to the cargo-deny/cargo-audit jobs' before_script (apt installs the trivy/gitleaks images don't need). |
Usage¶
include:
- component: gitlab.com/phpboyscout/cicd/[email protected]
See also¶
rust-lint,rust-test,rust-docs- Explanation: security, always-on