# capsec audit

Static capability audit for Rust crates. Detects ambient authority (filesystem, network, environment, process, FFI) calls in your code.

v1.0.2 (latest), by auths-dev

## Usage
```yaml
name: Capability Audit
on: [pull_request]
permissions:
  contents: read
  security-events: write # Required for SARIF upload
  pull-requests: write   # Required for PR review comments
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - uses: capsec/audit-action@v1
        with:
          fail-on: high
```

## Inputs

| Input | Default | Description |
|---|---|---|
| `version` | `latest` | cargo-capsec version to install |
| `fail-on` | `high` | Risk threshold: `low`, `medium`, `high`, `critical` |
| `baseline` | `.capsec-baseline.json` | Path to baseline file (empty to disable) |
| `diff` | `auto` | Only fail on new findings. `auto` enables on PRs. |
| `format` | `sarif` | Output format: `text`, `json`, `sarif` |
| `upload-sarif` | `true` | Upload SARIF to GitHub Code Scanning |
| `comment-on-pr` | `true` | Post inline PR review comments via reviewdog |
| `working-directory` | `.` | Path to Cargo workspace root |
| `token` | `${{ github.token }}` | GitHub token |
| `install-from` | `crates-io` | Install method: `crates-io` or `git` |
| `git-repo` | `https://github.com/auths-dev/capsec` | Git URL when `install-from` is `git` |
## Outputs

| Output | Description |
|---|---|
| `sarif-file` | Path to generated SARIF file |
| `finding-count` | Number of findings |
| `exit-code` | `0` = pass, `1` = findings exceed threshold, `2` = runtime error |
## Examples

Minimal (all defaults):

```yaml
- uses: capsec/audit-action@v1
```

Baseline with diff mode forced on, so only findings not in the baseline fail the check:

```yaml
- uses: capsec/audit-action@v1
  with:
    fail-on: high
    baseline: .capsec-baseline.json
    diff: 'true'
```

Pin a specific cargo-capsec version:

```yaml
- uses: capsec/audit-action@v1
  with:
    version: '0.1.0'
```

Audit a workspace that is not at the repository root:

```yaml
- uses: capsec/audit-action@v1
  with:
    working-directory: ./rust-workspace
```

Keep the SARIF upload but skip inline PR comments:

```yaml
- uses: capsec/audit-action@v1
  with:
    comment-on-pr: 'false'
```

## How it works

- Installs `cargo-capsec` from crates.io
- Runs `cargo capsec audit --format sarif --fail-on <threshold>`
- Uploads SARIF to GitHub Code Scanning (appears in the Security tab)
- Posts inline review comments on PR diffs via reviewdog
- Fails the check if new findings exceed the threshold
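The last two steps, the threshold gate and the diff-against-baseline filter, are the part worth understanding before wiring the action into a required check. The script below is an added illustration written for this page, not code from capsec or the action: it reproduces the documented exit-code contract (0 pass, 1 findings at or above `fail-on`, 2 runtime error) over a constructed SARIF 2.1.0 log. The rule ids, the `risk` result property and the `partialFingerprints.primary` key are assumptions made for the example; the real `cargo-capsec` output and baseline format are not documented on this page.

```python
import json

RISK_ORDER = ["low", "medium", "high", "critical"]   # values accepted by fail-on

# Constructed SARIF 2.1.0 document for this example, not real cargo-capsec output.
# The rule ids, the "risk" property and the fingerprint key are assumptions.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "cargo-capsec"}},
        "results": [
            {"ruleId": "fs-write", "level": "error",
             "partialFingerprints": {"primary": "a1"},
             "properties": {"risk": "high"},
             "message": {"text": "std::fs::write in src/main.rs:12"}},
            {"ruleId": "env-read", "level": "note",
             "partialFingerprints": {"primary": "b2"},
             "properties": {"risk": "low"},
             "message": {"text": "std::env::var in src/config.rs:4"}},
            {"ruleId": "net-connect", "level": "error",
             "partialFingerprints": {"primary": "c3"},
             "properties": {"risk": "critical"},
             "message": {"text": "TcpStream::connect in src/net.rs:30"}},
        ],
    }],
})


def findings(sarif_text):
    """Yield (fingerprint, risk) for every result in every run of the SARIF log."""
    for run in json.loads(sarif_text).get("runs", []):
        for result in run.get("results", []):
            yield (result["partialFingerprints"]["primary"],
                   result.get("properties", {}).get("risk", "low"))


def gate(sarif_text, fail_on="high", baseline=None):
    """Mirror the action's exit codes: 0 = pass, 1 = findings at or above
    fail_on, 2 = runtime error. A baseline (set of fingerprints) switches diff
    mode on: only findings absent from the baseline can fail the check."""
    try:
        threshold = RISK_ORDER.index(fail_on)
        offending = [(fp, risk) for fp, risk in findings(sarif_text)
                     if RISK_ORDER.index(risk) >= threshold
                     and fp not in (baseline or set())]
    except (ValueError, KeyError):   # bad JSON, unknown risk level, malformed result
        return 2, []
    return (1 if offending else 0), offending


if __name__ == "__main__":
    code, hits = gate(SAMPLE_SARIF, fail_on="high", baseline={"a1"})
    print(f"exit {code}: {hits}")    # exit 1: [('c3', 'critical')]
```

Note that a baseline only suppresses findings it already contains; a new `critical` finding still fails the check even when older `high` ones are baselined.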
## Permissions

| Permission | Required for |
|---|---|
| `security-events: write` | SARIF upload to Code Scanning |
| `pull-requests: write` | Inline PR review comments |
| `contents: read` | Reading source code |
## License

Apache 2.0