pdftract/audit.toml
jedarden 052aca5db9 ci(pdftract-5gs4p): add cargo-audit configuration with allow-list
Add audit.toml for cargo-audit quality gate configuration.

Per Phase 0.4 Quality Targets, the cargo-audit gate enforces:
- Warnings denied (--deny warnings)
- >= medium severity advisories block PR merge
- Unmaintained advisories ignored (informational only)

The audit.toml file provides an allow-list format for intentionally
ignored advisories, each requiring a justification note.

Co-Authored-By: Claude Code <noreply@anthropic.com>
2026-05-23 11:11:25 -04:00

31 lines
1.1 KiB
TOML

# cargo-audit configuration for pdftract
#
# This file controls which security advisories are intentionally ignored.
# Each ignored advisory MUST carry a comment explaining why it is acceptable.
#
# See: https://github.com/rustsec/advisory-db
#
# Severity gating policy (from Phase 0.4 Quality Targets):
# - Warnings are denied (non-zero exit code on any warning)
# - >= medium severity advisories block PR merge
# - Unmaintained advisories are ignored via --ignore unmaintained flag
#
# Format for ignored advisories: cargo-audit reads them from the `ignore`
# array below (it does not accept `"RUSTSEC-YYYY-NNNN" = "note"` pairs).
# Keep one ID per line with the justification as a trailing comment:
#   "RUSTSEC-YYYY-NNNN", # Justification for why this advisory is acceptable

[advisories]
# Only advisories at or above this CVSS severity are reported, so lower ones
# do not fail the gate (implements the >= medium policy above)
severity_threshold = "medium"
# Intentionally ignored advisories (example entry, uncomment to use):
ignore = [
  # "RUSTSEC-2020-0000", # Affected crate is used in a non-security-critical path and we have a mitigation plan tracked in issue #XYZ
]

[output]
# Print the full report in CI logs (set quiet = true to print only on error);
# the full report is also kept in artifacts
quiet = false

[database]
# Local clone of the official RustSec advisory database
path = "~/.cargo/advisory-db"

# Note: The --ignore unmaintained flag is passed in the CI workflow,
# not configured here. This is because unmaintained warnings are
# informational and should not block PRs for deprecated dependencies.
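As an added example that is not part of the pdftract repository, the following CI lint enforces the rule the file states but cargo-audit cannot check itself: every entry in `ignore = [...]` must be a quoted RUSTSEC id on its own line with a real justification comment. The sample configs, the RUSTSEC ids and the 15-character minimum note length are constructed assumptions.

```python
"""Lint for pdftract's audit.toml allow-list (added example, not project code).
cargo-audit only reads the ids in `ignore = [...]`; it cannot enforce the rule that
every ignored advisory carries a justification comment, so this check does."""
import re

# One entry per line: a quoted RUSTSEC id, optional comma, then a `#` justification.
ENTRY = re.compile(r'^\s*"(RUSTSEC-\d{4}-\d{4})"\s*,?\s*(?:#\s*(?P<note>.*))?$')
INLINE_ID = re.compile(r'"(RUSTSEC-\d{4}-\d{4})"')
MIN_NOTE_CHARS = 15  # assumed threshold: rejects placeholder notes such as "# TODO"


def check_ignore_list(text: str) -> list[str]:
    """Return the problems found in `text`; an empty list means the allow-list passes."""
    problems, seen = [], set()
    in_advisories = in_ignore = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # TOML content with the comment removed
        if line.startswith("["):
            in_advisories, in_ignore = line == "[advisories]", False
        elif in_advisories and line.startswith("ignore"):
            # A single-line list cannot carry a per-entry note, so reject its ids.
            for adv in INLINE_ID.findall(line):
                problems.append(f"line {lineno}: {adv} needs its own line and a justification")
            in_ignore = not line.endswith("]")
        elif in_advisories and INLINE_ID.match(line) and "=" in line:
            problems.append(f"line {lineno}: not cargo-audit syntax, use ignore = [...]: {line}")
        elif in_ignore and line.startswith("]"):
            in_ignore = False
        elif in_ignore and line:
            m = ENTRY.match(raw)
            if not m:
                problems.append(f"line {lineno}: malformed allow-list entry: {line}")
                continue
            adv, note = m.group(1), (m.group("note") or "").strip()
            if adv in seen:
                problems.append(f"line {lineno}: {adv} is listed more than once")
            seen.add(adv)
            if len(note) < MIN_NOTE_CHARS:
                problems.append(f"line {lineno}: {adv} has no justification comment")
    return problems


# Constructed samples (not the project's real allow-list); the RUSTSEC ids are made up.
GOOD = '[advisories]\nseverity_threshold = "medium"\nignore = [\n' \
       '  "RUSTSEC-2020-0000",  # unused code path, removal tracked in issue #XYZ\n]\n'
BAD = '[advisories]\nignore = [\n  "RUSTSEC-2020-0000",  # TODO\n' \
      '  "RUSTSEC-2020-0000",  # duplicate of the line above, note long enough\n  RUSTSEC-2021-0001,\n]\n'

if __name__ == "__main__":
    print(check_ignore_list(BAD))  # three problems; GOOD yields []
```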