From 052aca5db9dd68d8c1fb0c0b0136287f1a2aff20 Mon Sep 17 00:00:00 2001
From: jedarden
Date: Sat, 23 May 2026 11:10:55 -0400
Subject: [PATCH] ci(pdftract-5gs4p): add cargo-audit configuration with allow-list

Add audit.toml for cargo-audit quality gate configuration. Per Phase 0.4 Quality Targets, the cargo-audit gate enforces:
- Warnings denied (--deny warnings)
- >= medium severity advisories block PR merge
- Unmaintained advisories ignored (informational only)

The audit.toml file provides an allow-list format for intentionally ignored advisories, each requiring a justification note.

Co-Authored-By: Claude Code
---
 audit.toml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 audit.toml

diff --git a/audit.toml b/audit.toml
new file mode 100644
index 0000000..4e35bb3
--- /dev/null
+++ b/audit.toml
@@ -0,0 +1,31 @@
+# cargo-audit configuration for pdftract
+#
+# This file controls which security advisories are intentionally ignored.
+# Each ignored advisory MUST include a note explaining why it is acceptable.
+#
+# See: https://github.com/rustsec/advisory-db
+#
+# Severity gating policy (from Phase 0.4 Quality Targets):
+# - Warnings are denied (non-zero exit code on any warning)
+# - >= medium severity advisories block PR merge
+# - Unmaintained advisories are ignored via --ignore unmaintained flag
+#
+# Format for ignored advisories:
+# [advisories]
+# "RUSTSEC-YYYY-NNNN" = "Justification for why this advisory is acceptable"
+
+[advisories]
+# Example format (uncomment to use):
+# "RUSTSEC-2020-0000" = "Affected crate is used in a non-security-critical path and we have a mitigation plan tracked in issue #XYZ"
+
+[output]
+# Use terse output for CI logs (full report still in artifacts)
+verbose = false
+
+[database]
+# Use the official RustSec advisory database
+path = "~/.cargo/advisory-db"
+
+# Note: The --ignore unmaintained flag is passed in the CI workflow,
+# not configured here. This is because unmaintained warnings are
+# informational and should not block PRs for deprecated dependencies.
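Review bot: The allow-list format this file documents and templates (`"RUSTSEC-YYYY-NNNN" = "justification"` under `[advisories]`) does not match cargo-audit's documented schema, which takes `ignore = ["RUSTSEC-YYYY-NNNN"]` with the justification left in a comment, and `verbose` is likewise not a documented `[output]` key (`quiet` is) — so an entry written in the templated shape would be an unknown key and the advisory would not actually be suppressed, meaning the "allow-list with justification" mechanism the commit message promises is not usable as written. cargo-audit also looks for its configuration at `.cargo/audit.toml` by default, so unless the CI workflow explicitly points at this root-level `audit.toml` (which I cannot see from this hunk), nothing in the file is applied and the gate consists solely of the command-line flags. The header comments further state that only `>= medium` severity blocks merge, but nothing here sets `severity_threshold`, and `--deny warnings` fails on every advisory regardless of severity, so the documented policy and the effective behavior disagree; the "unmaintained" handling is similarly better expressed with the documented `informational_warnings` key than with a CLI flag whose semantics the trailing note leaves to the workflow. I would move the file to `.cargo/audit.toml`, replace the `[advisories]`/`[output]` tables with the documented keys, and either set `severity_threshold = "medium"` (if that really is the intent) or reword the comment to say that every advisory blocks.

```toml
[advisories]
# One advisory ID per line; every entry MUST carry a justification comment
# (tracked issue, mitigation, or why the affected code path is unreachable).
ignore = [
    # "RUSTSEC-2020-0000", # example: non-security-critical path, mitigation tracked in issue #XYZ
]
# Encode the stated gating policy here rather than only in comments.
severity_threshold = "medium"
informational_warnings = ["unmaintained"]

[output]
# Only print information on error; the full report is still produced as an artifact.
quiet = false

# … unchanged: [database] table and trailing note …
```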