fix(ci): switch from cargo-audit to cargo-deny for advisory scanning#7032
Merged
codefromthecrypt merged 2 commits into main, Feb 9, 2026
Conversation
Force-pushed b5e86ae to bbdcf16
Copilot (Contributor)
Pull request overview
Switches the repository’s advisory/vulnerability scanning in CI from cargo-audit to cargo-deny, aligning scanning with the actual resolved dependency graph to reduce lockfile-only false positives.
Changes:
- Add a minimal `deny.toml` configuring `cargo-deny` advisory behavior (deny yanked; ignore unmaintained/unsound).
- Update the existing audit workflow to run `EmbarkStudios/cargo-deny-action` with `check advisories` and adjust triggers accordingly.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| `deny.toml` | Adds cargo-deny advisories configuration to emulate prior cargo-audit behavior. |
| `.github/workflows/cargo-audit.yml` | Replaces the cargo-audit GitHub Action with cargo-deny advisory checks and updates config trigger path. |
cargo-deny uses the actual dependency graph, eliminating false positives like RUSTSEC-2023-0071 (rsa via unused sqlx-mysql).

Signed-off-by: Adrian Cole <adrian@tetrate.io>

Force-pushed bbdcf16 to b981e64
codefromthecrypt (Collaborator, Author)

@michaelneale, figure you might care about this. The main difference here is it is more precise about deps actually used. It makes it more clear that things that are unmaintained are not audited, though I think we could revisit that. It might be a fool's errand to try to make goose solely depend on maintained things, as it applies transitively.
katzdave approved these changes, Feb 9, 2026
tlongwell-block added a commit that referenced this pull request, Feb 9, 2026:

* origin/main:
  Docs: require auth optional for custom providers (#7098)
  fix: improve text-muted contrast for better readability (#7095)
  Always sync bundled extensions (#7057)
  feat: Add tom (Top Of Mind) platform extension (#7073)
  chore(docs): update GOOSE_SESSION_ID -> AGENT_SESSION_ID (#6669)
  fix(ci): switch from cargo-audit to cargo-deny for advisory scanning (#7032)
  chore(deps): bump @isaacs/brace-expansion from 5.0.0 to 5.0.1 in /evals/open-model-gym/suite (#7085)
  chore(deps): bump @modelcontextprotocol/sdk from 1.25.3 to 1.26.0 in /evals/open-model-gym/mcp-harness (#7086)
  fix: switch to windows msvc (#7080)
  fix: allow unlisted models for CLI providers (#7090)
  Use goose port (#7089)
  chore: strip posthog for sessions/models/daily only (#7079)
  tidy: clean up old benchmark and add gym (#7081)
  fix: use command.process_group(0) for CLI providers, not just MCP (#7083)
  added build notify (#6891)
michaelneale added a commit that referenced this pull request, Feb 10, 2026:

* main: (125 commits)
  chore: add a new scenario (#7107)
  fix: Goose Desktop missing Calendar and Reminders entitlements (#7100)
  Fix 'Edit In Place' and 'Fork Session' features (#6970)
  Fix: Only send command content to command injection classifier (excluding part of tool call dict) (#7082)
  Docs: require auth optional for custom providers (#7098)
  fix: improve text-muted contrast for better readability (#7095)
  Always sync bundled extensions (#7057)
  feat: Add tom (Top Of Mind) platform extension (#7073)
  chore(docs): update GOOSE_SESSION_ID -> AGENT_SESSION_ID (#6669)
  fix(ci): switch from cargo-audit to cargo-deny for advisory scanning (#7032)
  chore(deps): bump @isaacs/brace-expansion from 5.0.0 to 5.0.1 in /evals/open-model-gym/suite (#7085)
  chore(deps): bump @modelcontextprotocol/sdk from 1.25.3 to 1.26.0 in /evals/open-model-gym/mcp-harness (#7086)
  fix: switch to windows msvc (#7080)
  fix: allow unlisted models for CLI providers (#7090)
  Use goose port (#7089)
  chore: strip posthog for sessions/models/daily only (#7079)
  tidy: clean up old benchmark and add gym (#7081)
  fix: use command.process_group(0) for CLI providers, not just MCP (#7083)
  added build notify (#6891)
  test(mcp): add image tool test and consolidate MCP test fixtures (#7019)
  ...
lifeizhou-ap added a commit that referenced this pull request, Feb 11, 2026:

* main: (85 commits)
  Fix 'Edit In Place' and 'Fork Session' features (#6970)
  Fix: Only send command content to command injection classifier (excluding part of tool call dict) (#7082)
  Docs: require auth optional for custom providers (#7098)
  fix: improve text-muted contrast for better readability (#7095)
  Always sync bundled extensions (#7057)
  feat: Add tom (Top Of Mind) platform extension (#7073)
  chore(docs): update GOOSE_SESSION_ID -> AGENT_SESSION_ID (#6669)
  fix(ci): switch from cargo-audit to cargo-deny for advisory scanning (#7032)
  chore(deps): bump @isaacs/brace-expansion from 5.0.0 to 5.0.1 in /evals/open-model-gym/suite (#7085)
  chore(deps): bump @modelcontextprotocol/sdk from 1.25.3 to 1.26.0 in /evals/open-model-gym/mcp-harness (#7086)
  fix: switch to windows msvc (#7080)
  fix: allow unlisted models for CLI providers (#7090)
  Use goose port (#7089)
  chore: strip posthog for sessions/models/daily only (#7079)
  tidy: clean up old benchmark and add gym (#7081)
  fix: use command.process_group(0) for CLI providers, not just MCP (#7083)
  added build notify (#6891)
  test(mcp): add image tool test and consolidate MCP test fixtures (#7019)
  fix: remove Option from model listing return types, propagate errors (#7074)
  fix: lazy provider creation for goose acp (#7026) (#7066)
  ...
Tyler-Hardin pushed a commit to Tyler-Hardin/goose that referenced this pull request, Feb 11, 2026:

…lock#7032)

Signed-off-by: Adrian Cole <adrian@tetrate.io>
Summary
Switch CI from cargo-audit to cargo-deny for advisory scanning. cargo-deny uses the actual dependency graph instead of scanning the lockfile, which eliminates false positives like the rsa advisory from unused sqlx-mysql.

Type of Change
AI Assistance
Testing
Related Issues
Follows up on #7031
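The false positive this PR removes comes from what the two tools scan. Cargo.lock records every package that any feature or target combination could pull in, with no record of which features are actually enabled, so a lockfile-only scanner sees `rsa` (reached through `sqlx-mysql`) even when the `mysql` feature is off. A scanner that walks the resolved dependency graph only crosses an optional edge when the owning crate has that feature enabled. The following Rust program is an added illustration of that difference; it is not code from goose or from cargo-deny/cargo-audit. The graph, the root crate name `goose`, the `sqlite`/`mysql` feature names and the `sqlite_only` selection are constructed for the example and are not goose's real Cargo.lock; the advisory ID is the one quoted on this page, but its affected version range is not modelled, so matching is by crate name alone.

```rust
use std::collections::{BTreeSet, HashMap, VecDeque};

/// A dependency edge. `feature` is `Some(name)` when the edge only exists if the
/// `from` crate is built with that feature enabled (an optional dependency).
struct Edge {
    from: &'static str,
    to: &'static str,
    feature: Option<&'static str>,
}

/// An advisory reduced to the one field used here: the crate it names.
/// Real RustSec advisories also carry affected version ranges (omitted here).
struct Advisory {
    id: &'static str,
    package: &'static str,
}

/// Constructed sample graph modelled on the case in this PR (not goose's real
/// Cargo.lock): the root depends on sqlx; sqlx's `mysql` feature pulls in
/// sqlx-mysql, which depends on rsa. Feature names are assumptions.
const EDGES: &[Edge] = &[
    Edge { from: "goose", to: "sqlx", feature: None },
    Edge { from: "goose", to: "serde", feature: None },
    Edge { from: "sqlx", to: "sqlx-sqlite", feature: Some("sqlite") },
    Edge { from: "sqlx", to: "sqlx-mysql", feature: Some("mysql") },
    Edge { from: "sqlx-mysql", to: "rsa", feature: None },
];

/// The advisory named on the PR page; version range deliberately not modelled.
const ADVISORIES: &[Advisory] = &[Advisory { id: "RUSTSEC-2023-0071", package: "rsa" }];

/// What Cargo.lock records: every package any feature/target combination could
/// need, with no feature information. A lockfile-only scanner matches
/// advisories against this whole set.
fn lockfile_packages(edges: &[Edge]) -> BTreeSet<&'static str> {
    edges.iter().flat_map(|e| [e.from, e.to]).collect()
}

/// What a resolved graph (as from `cargo metadata`) contains for a given root
/// and feature selection: a walk from the root that only crosses an optional
/// edge when the owning crate has that feature enabled.
fn resolved_packages(
    edges: &[Edge],
    root: &'static str,
    enabled: &HashMap<&'static str, BTreeSet<&'static str>>,
) -> BTreeSet<&'static str> {
    let mut seen = BTreeSet::from([root]);
    let mut queue = VecDeque::from([root]);
    while let Some(crate_name) = queue.pop_front() {
        for e in edges.iter().filter(|e| e.from == crate_name) {
            let active = match e.feature {
                None => true,
                Some(f) => enabled.get(e.from).map_or(false, |fs| fs.contains(f)),
            };
            if active && seen.insert(e.to) {
                queue.push_back(e.to);
            }
        }
    }
    seen
}

/// Advisory IDs whose crate is present in the scanned package set.
fn matching_advisories(
    advisories: &[Advisory],
    packages: &BTreeSet<&'static str>,
) -> Vec<&'static str> {
    advisories
        .iter()
        .filter(|a| packages.contains(a.package))
        .map(|a| a.id)
        .collect()
}

/// Feature selection assumed for the example: sqlx built with `sqlite` only,
/// so the `mysql` edge (and therefore rsa) is never reached.
fn sqlite_only() -> HashMap<&'static str, BTreeSet<&'static str>> {
    HashMap::from([("sqlx", BTreeSet::from(["sqlite"]))])
}

fn main() {
    let lock_hits = matching_advisories(ADVISORIES, &lockfile_packages(EDGES));
    let resolved = resolved_packages(EDGES, "goose", &sqlite_only());
    let graph_hits = matching_advisories(ADVISORIES, &resolved);
    println!("lockfile scan flags: {:?}", lock_hits);
    println!("resolved graph:      {:?}", resolved);
    println!("graph scan flags:    {:?}", graph_hits);
}
```

The caveat the model makes visible: the graph-based result is only as broad as the feature and target selection the scanner is asked to resolve. If CI resolves a narrower set than a release build enables, an advisory in a feature-gated dependency is silently out of scope, so the features and targets cargo-deny checks should match what is actually shipped.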