rustsec · tarcieri · Jul 8, 2024 · Apr 20, 2024 · Apr 20, 2024 · Apr 20, 2024
diff --git a/README.md b/README.md
@@ -26,7 +26,7 @@ jobs:
   security_audit:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: rustsec/[email protected]
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -86,7 +86,7 @@ jobs:
   audit:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: rustsec/[email protected]
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -104,5 +104,6 @@ For each new advisory (including informal) an issue will be created:
 | ------------| -------- | ---------------------------------------------------------------------------| ------ | --------|
 | `token`     | ✓        | [GitHub token], usually a `${{ secrets.GITHUB_TOKEN }}`                    | string |         |
 | `ignore`    |          | Comma-separated list of advisory ids to ignore                             | string |         |
+| `working-directory`|   | The directory of the Cargo.toml / Cargo.lock files to scan.                | string | `.`     |
 
 [GitHub token]: https://help.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token
diff --git a/action.yml b/action.yml
@@ -11,6 +11,10 @@ inputs:
   ignore:
     description: Comma-separated list of advisory ids to ignore
     required: false
+  working-directory:
+    description: The directory of the Cargo.toml / Cargo.lock files to scan.
+    required: false
+    default: .
 
 runs:
   using: 'node20'

diff --git a/dist/index.js b/dist/index.js
diff --git a/src/input.ts b/src/input.ts
@@ -8,11 +8,13 @@ import { input } from '@clechasseur/rs-actions-core';
 export interface Input {
     token: string;
     ignore: string[];
+    workingDirectory: string;
 }
 
 export function get(): Input {
     return {
         token: input.getInput('token', { required: true }),
         ignore: input.getInputList('ignore', { required: false }),
+        workingDirectory: input.getInput('working-directory', { required: false }) ?? '.',
     };
 }
diff --git a/src/main.ts b/src/main.ts
@@ -12,6 +12,7 @@ import * as reporter from './reporter';
 
 async function getData(
     ignore: string[] | undefined,
+    workingDirectory: string,
 ): Promise<interfaces.Report> {
     const cargo = await Cargo.get();
     await cargo.findOrInstall('cargo-audit');
@@ -24,6 +25,7 @@ async function getData(
             commandArray.push('--ignore', item);
         }
         commandArray.push('--json');
+        commandArray.push('--file', `${workingDirectory}/Cargo.lock`);
         await cargo.call(commandArray, {
             ignoreReturnCode: true,
             listeners: {
@@ -44,9 +46,17 @@ async function getData(
     return JSON.parse(stdout);
 }
 
+function removeTrailingSlash(str) {
+    if (str[str.length - 1] === '/') {
+        return str.substr(0, str.length - 1);
+    }
+    return str;
+}
+
 export async function run(actionInput: input.Input): Promise<void> {
     const ignore = actionInput.ignore;
-    const report = await getData(ignore);
+    const workingDirectory = removeTrailingSlash(actionInput.workingDirectory);
+    const report = await getData(ignore, workingDirectory);
     let shouldReport = false;
     if (!report.vulnerabilities.found) {
         core.info('No vulnerabilities were found');