From 6a1514f4d255d7d52ada0ff5707b03e5b6013650 Mon Sep 17 00:00:00 2001
From: john
Date: Sat, 18 Nov 2023 08:18:13 -0600
Subject: [PATCH] use the audit action

---
 .github/workflows/cosmwasm-ci.yml | 10 +++++++---
 README.md | 23 ++++++++++++++++-------
 2 files changed, 23 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/cosmwasm-ci.yml b/.github/workflows/cosmwasm-ci.yml
index 4ed5113..d337eb2 100644
--- a/.github/workflows/cosmwasm-ci.yml
+++ b/.github/workflows/cosmwasm-ci.yml
@@ -70,9 +70,13 @@ jobs:
 name: test-coverage
 path: target/llvm-cov/html
 
- - name: Scan
- run: |
- cargo audit
+ - name: Audit
+ uses: rustsec/audit-check@v1.4.1
+ with:
+ token: ${{ secrets.ACTION_TOKEN }}
+
+ - name: SBOM
+ run: |
 cargo sbom --output-format cyclone_dx_json_1_4 > target/cdx-sbom.json
 
 - name: Assemble
diff --git a/README.md b/README.md
index 00d9a5c..9ac9ea9 100644
--- a/README.md
+++ b/README.md
@@ -76,9 +76,9 @@ We then perform a `cosmwasm-check` to determine if the binary is a proper smart
 
 ### Test
 
-Run tests and generate coverage reports in both HTML and LCOV formats
+Run tests and generate coverage reports in both `HTML` and `LCOV` formats
 
-The lcov data will eventually be shipped off to SonarQube for reporting.
+The lcov data will eventually be shipped off to `SonarQube` for reporting.
 
 ```yml
 - name: Test
@@ -90,7 +90,7 @@ The lcov data will eventually be shipped off to SonarQube for reporting.
 
 ### Inspect
 
-Run static analysis scans via clippy and assemble findings in a Sonar-friendly format.
+Run static analysis scan via `clippy` and assemble findings in a Sonar-friendly format.
 
 ```yml
 - name: Inspect
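Review bot: `uses: rustsec/audit-check@v1.4.1` pins a third-party action to a mutable tag, so a moved or re-tagged release would run different code inside a job that receives a repository secret; pin the full commit SHA and keep the version as a trailing comment, `uses: rustsec/audit-check@<full-commit-sha> # v1.4.1`. The `token: ${{ secrets.ACTION_TOKEN }}` input feeds the action a stored credential whose scope and lifetime are not visible here, whereas this action is normally given the per-run `${{ secrets.GITHUB_TOKEN }}`; unless `ACTION_TOKEN` is needed for something the built-in token cannot do, switch to `token: ${{ secrets.GITHUB_TOKEN }}` and add an explicit least-privilege `permissions:` block on the job (presumably `contents: read` plus the `checks: write` / `issues: write` the action needs to report findings — confirm against the action's documentation). The enclosing job and any top-level `permissions:` setting begin outside this hunk, so whether the default token is already restricted cannot be confirmed from here.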
@@ -100,19 +100,28 @@ Run static analysis scans via clippy and assemble findings in a Sonar-friendly f
 mv sonar-issues.json target/sonar-issues.json
 ```
 
-### Scan
+### Audit
+
+Perform an `audit` and fail/report any vulnerable crates.
+
+```yml
+ - name: Audit
+ uses: rustsec/audit-check@v1.4.1
+ with:
+ token: ${{ secrets.ACTION_TOKEN }}
+```
+
+### SBOM
 
-Perform an `audit` and fail on any vulnerable crates.
 Generate a Software Bill of Materials `sbom` in `CycloneDX` format
 
 ```yml
 - name: Scan
 run: |
- cargo audit
 cargo sbom --output-format cyclone_dx_json_1_4 > target/cdx-sbom.json
 ```
 
-### Publish
+### Assemble
 
 Comming soon.