rtk-ai/rtk

enhancement: add cargo-deny to CI for dependency license and security policy enforcement

Open

#1,164 created on April 10, 2026

Labels: area:ci, effort-medium, enhancement, help wanted, priority:low


Description

Problem

RTK's SECURITY.md documents a dependency security policy (downloads >10K, verified maintainers, no typosquatting) but enforcement is manual. There is no automated policy enforcement in CI.

Current state

  • `cargo audit` checks for known CVEs (good)
  • Manual review checklist in SECURITY.md for new dependencies
  • No automated license compliance checking
  • No banned dependency list enforcement
  • No minimum downloads/maintenance requirements enforced

Relevant code

`SECURITY.md` lines 121-136 define the dependency criteria but they are documented, not enforced:

  • Downloads: >10,000 on crates.io
  • Maintainer: Verified GitHub profile
  • License: MIT or Apache-2.0 compatible
  • Activity: Recent commits (within 6 months)
  • No typosquatting

Proposed solution

Add cargo-deny to CI with a `deny.toml` configuration:

```toml
# deny.toml

[licenses]
allow = ["MIT", "Apache-2.0", "Unicode-3.0", "BSD-3-Clause", "ISC"]

[bans]
skip = []  # List allowed exceptions
multiple-versions = "warn"

[advisories]
ignore = []  # List advisories to ignore with justification

[sources]
unknown-registry = "deny"
unknown-git = "deny"
```

Benefits

  1. Automated license compliance: Blocks PRs that introduce non-compliant dependencies
  2. Banned dependency enforcement: Can block known problematic crates
  3. Duplicate dependency detection: Warns on multiple versions of the same crate
  4. Complements cargo audit: Adds policy enforcement on top of CVE scanning

Implementation

  1. Add `cargo-deny` to CI workflow (`.github/workflows/security-check.yml`)
  2. Create `deny.toml` with RTK's policy
  3. Run as part of the PR security check alongside `cargo audit` and `cargo clippy`
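cargo-deny, configured as above, enforces the license, bans, advisories and sources parts of the policy; the downloads and activity thresholds from SECURITY.md have no cargo-deny equivalent. The following added example (not RTK project code) checks those two criteria plus the license allowlist against crates.io-style crate records; the field names are an assumption modelled on the crates.io API and the sample records are constructed.

```python
"""Check crates against the SECURITY.md thresholds deny.toml cannot express.

Added example, not part of the RTK project. Field names (downloads,
updated_at, license) are an assumption modelled on the crates.io API;
the sample records below are constructed.
"""
from datetime import datetime, timedelta, timezone

ALLOWED_LICENSES = {"MIT", "Apache-2.0", "Unicode-3.0", "BSD-3-Clause", "ISC"}
MIN_DOWNLOADS = 10_000       # SECURITY.md: >10,000 downloads on crates.io
MAX_INACTIVE_DAYS = 183      # SECURITY.md: recent commits within 6 months


def license_ok(expr: str) -> bool:
    """Simplified SPDX check: every AND term needs one allowed OR alternative.

    cargo-deny evaluates SPDX expressions properly; this is only enough for
    the common 'MIT OR Apache-2.0' / 'MIT/Apache-2.0' forms.
    """
    for conj in expr.replace("/", " OR ").split(" AND "):
        alts = [a.strip("() ") for a in conj.split(" OR ")]
        if not any(a in ALLOWED_LICENSES for a in alts):
            return False
    return True


def check_crate(meta: dict, now: datetime) -> list[str]:
    """Return policy violations for one crates.io-style crate record."""
    problems = []
    if meta["downloads"] <= MIN_DOWNLOADS:
        problems.append(f"downloads {meta['downloads']} <= {MIN_DOWNLOADS}")
    updated = datetime.fromisoformat(meta["updated_at"].replace("Z", "+00:00"))
    if now - updated > timedelta(days=MAX_INACTIVE_DAYS):
        problems.append(f"last update {meta['updated_at']} older than 6 months")
    if not license_ok(meta["license"]):
        problems.append(f"license {meta['license']!r} not in allowlist")
    return problems


# Constructed sample records; shape assumed from crates.io /api/v1/crates/<name>.
SAMPLE_CRATES = {
    "serde": {"downloads": 350_000_000, "updated_at": "2026-03-01T00:00:00Z",
              "license": "MIT OR Apache-2.0"},
    "obscure-util": {"downloads": 812, "updated_at": "2024-11-05T00:00:00Z",
                     "license": "GPL-3.0"},
}
NOW = datetime(2026, 4, 10, tzinfo=timezone.utc)  # fixed clock for reproducibility


def check_all(crates=SAMPLE_CRATES, now=NOW) -> dict[str, list[str]]:
    """Map each crate name to its list of violations (empty means compliant)."""
    return {name: check_crate(meta, now) for name, meta in crates.items()}


if __name__ == "__main__":
    for name, problems in check_all().items():
        print(name, "OK" if not problems else "; ".join(problems))
```

A CI job would feed it real crates.io responses for crates added in the PR and fail on any non-empty list.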

Acceptance criteria

  • cargo-deny runs in CI on every PR
  • deny.toml reflects RTK's documented dependency policy
  • PRs introducing non-compliant dependencies are blocked
  • Configuration is documented in CONTRIBUTING.md or SECURITY.md
