azure-pipelines
azure-pipelines copied to clipboard
Run cargo audit by default
Would be great to turn CI red on vulnerable dependencies.
Thoughts on CI vs a bot? Dependabot can automatically create PRs for security vulnerabilities which is more proactive than the CI which is in response to a PR, master commit, tag, and/or a schedule.
Ouch, looks like they don't offer pre-built binaries and seem to be against it. The slowdown caused by that seems bad from a defaults perspective.
It's too bad that Azure doesn't have caching yet.
I basically agree with the author that we should get cargo-audit into cargo proper.
At least caching is in Preview