enhancement: add cargo-deny to CI for dependency license and security policy enforcement
#1164 opened on 10 Apr 2026
Repository metrics
- Stars: 48,085
- PR merges: average time to merge 11d 1h (45 PRs merged in the last 30 days)
Description
Problem
RTK's SECURITY.md documents a dependency security policy (downloads >10K, verified maintainers, no typosquatting), but enforcement is manual: nothing in CI checks a new dependency against it.
Current state
- `cargo audit` checks for known CVEs (good)
- Manual review checklist in SECURITY.md for new dependencies
- No automated license compliance checking
- No banned dependency list enforcement
- No minimum downloads/maintenance requirements enforced
Relevant code
`SECURITY.md` lines 121-136 define the dependency criteria but they are documented, not enforced:
- Downloads: >10,000 on crates.io
- Maintainer: Verified GitHub profile
- License: MIT or Apache-2.0 compatible
- Activity: Recent commits (within 6 months)
- No typosquatting
Proposed solution
Add cargo-deny to CI with a `deny.toml` configuration:
```toml
deny.toml
[licenses] allow = ["MIT", "Apache-2.0", "Unicode-3.0", "BSD-3-Clause", "ISC"]
[bans] skip = [] # List allowed exceptions multiple-versions = "warn"
[advisories] ignore = [] # List advisories to ignore with justification
[sources] unknown-registry = "deny" unknown-git = "deny" ```
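The criteria cargo-deny cannot express (download count, recent activity, typosquatting) can still be checked in the same CI job from crates.io metadata. The script below is an added example written for this issue, not RTK project code. It assumes the public crates.io endpoint `GET /api/v1/crates/{name}` with its `crate.downloads` and `crate.updated_at` fields, uses the last publish date as a proxy for the "recent commits" criterion (a simplification), and compares names against a small, assumed allow-list of well-known crates to flag near-misses. The API responses here are constructed so the script runs offline; in CI the `fetch` callback would perform the HTTP request and the dependency names would come from `cargo metadata`.

```python
# Added example (not RTK code): enforce the SECURITY.md dependency criteria that
# cargo-deny has no check for (download count, recent activity, typosquatting).
# In CI the `fetch` callback would request https://crates.io/api/v1/crates/<name>;
# here it reads constructed sample responses so the script runs offline.
from __future__ import annotations
from datetime import datetime, timedelta, timezone

MIN_DOWNLOADS = 10_000                 # SECURITY.md: >10,000 downloads on crates.io
MAX_INACTIVITY = timedelta(days=183)   # SECURITY.md: activity within 6 months
                                       # (assumption: last publish date as the proxy)
# Assumption: a short allow-list of well-known crate names to compare against.
WELL_KNOWN = {"serde", "serde_json", "tokio", "rand", "regex", "clap", "anyhow", "thiserror"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a name within 1-2 edits of a well-known crate is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def evaluate_crate(name: str, api_json: dict, now: datetime) -> list[str]:
    """Return the policy violations for one crate; an empty list means compliant."""
    crate = api_json["crate"]
    problems: list[str] = []
    if crate["downloads"] <= MIN_DOWNLOADS:
        problems.append(f"downloads {crate['downloads']} (policy requires >{MIN_DOWNLOADS})")
    updated = datetime.fromisoformat(crate["updated_at"].replace("Z", "+00:00"))
    if now - updated > MAX_INACTIVITY:
        problems.append(f"last update {updated.date()} is older than 6 months")
    if name not in WELL_KNOWN:
        near = sorted(k for k in WELL_KNOWN if 1 <= levenshtein(name, k) <= 2)
        if near:
            problems.append(f"possible typosquat of {near}")
    return problems


def check_dependencies(names, fetch, now: datetime) -> dict[str, list[str]]:
    """Map each dependency name to its violations. `fetch(name)` returns crates.io JSON."""
    return {n: evaluate_crate(n, fetch(n), now) for n in names}


# Constructed sample responses shaped like the crates.io `GET /api/v1/crates/{name}`
# payload (only the fields used here); the numbers are made up for the example.
SAMPLE_API = {
    "serde":       {"crate": {"downloads": 250_000_000, "updated_at": "2025-12-01T00:00:00Z"}},
    "tiny-helper": {"crate": {"downloads": 312,         "updated_at": "2024-01-15T00:00:00Z"}},
    "serde_jsn":   {"crate": {"downloads": 15_000,      "updated_at": "2026-03-01T00:00:00Z"}},
}
NOW = datetime(2026, 4, 10, tzinfo=timezone.utc)


def sample_report() -> dict[str, list[str]]:
    """Run the policy over the constructed sample; serde passes, the other two fail."""
    return check_dependencies(SAMPLE_API.keys(), SAMPLE_API.__getitem__, NOW)


if __name__ == "__main__":
    report = sample_report()
    for dep, problems in report.items():
        status = "OK" if not problems else "FAIL"
        print(f"{status:4} {dep}: {'; '.join(problems) or 'compliant'}")
    # Non-zero exit fails the CI step, the same way a cargo-deny violation would.
    raise SystemExit(1 if any(report.values()) else 0)
```

The "verified GitHub profile" criterion is deliberately left out: crates.io exposes owner handles, but whether a profile counts as verified is a judgement call that belongs in the manual review checklist.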
Benefits
- Automated license compliance: Blocks PRs that introduce non-compliant dependencies
- Banned dependency enforcement: Can block known problematic crates
- Duplicate dependency detection: Warns on multiple versions of the same crate
- Complements cargo audit: Adds policy enforcement on top of CVE scanning
Implementation
- Add `cargo-deny` to CI workflow (`.github/workflows/security-check.yml`)
- Create `deny.toml` with RTK's policy
- Run as part of the PR security check alongside `cargo audit` and `cargo clippy`
Acceptance criteria
- cargo-deny runs in CI on every PR
- deny.toml reflects RTK's documented dependency policy
- PRs introducing non-compliant dependencies are blocked
- Configuration is documented in CONTRIBUTING.md or SECURITY.md