From ac8b54d13d8cbbbd9210e66adc1974458ca55eb4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=80=9CPeteroche=E2=80=9D?= <“petergoddey08l@gmail.com”>
Date: Sun, 22 Feb 2026 11:18:30 +0100
Subject: [PATCH] feat: Integrate `cargo-audit` and `cargo-deny` for automated security and license scanning in CI and via new Makefile targets.
---
 .github/workflows/ci.yml | 17 ++++++++++++++++
 Makefile | 22 ++++++++++++++++++--
 README.md | 33 ++++++++++++++++++++++++++++++
 deny.toml | 44 ++++++++++++++++++++++++++++++++++++++++
 4 files changed, 114 insertions(+), 2 deletions(-)
 create mode 100644 deny.toml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0291e69..1af48c7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -149,3 +149,20 @@ jobs:
 - name: Build WASM contract
 run: cargo build -p stellaraid-core --target wasm32-unknown-unknown
+
+ security:
+ name: Security Scans
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout sources
+ uses: actions/checkout@v4
+
+ - name: cargo-audit scan
+ uses: rustsec/audit-check@v2.0.0
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: cargo-deny check
+ uses: embarkstudios/cargo-deny-action@v2
+ with:
+ command: check
diff --git a/Makefile b/Makefile
index 83549ea..1c85588 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-.PHONY: help build test fmt lint clean wasm check-deps install-tools
+.PHONY: help build test fmt lint clean wasm check-deps install-tools audit deny
 # Default target
 help:
@@ -13,6 +13,8 @@ help:
 @echo " clean - Clean build artifacts"
 @echo " check-deps - Check if required dependencies are installed"
 @echo " install-tools- Install development dependencies"
+ @echo " audit - Check for security vulnerabilities in dependencies"
+ @echo " deny - Check for license and ban policies"
 @echo " help - Show this help message"
 # Build everything
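Review bot: The three actions in the new `security` job — `actions/checkout@v4`, `rustsec/audit-check@v2.0.0` and `embarkstudios/cargo-deny-action@v2` — are referenced by mutable tags, so the job meant to catch supply-chain problems is itself only as trustworthy as whoever controls those tags; pin each `uses:` to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<commit-sha>  # v4`. The job declares no `permissions:` block; unless the workflow sets a restrictive default higher up (the top of the file is outside this hunk), add `permissions: contents: read` at job level and grant anything further, such as `issues: write` if the audit action is expected to file findings (confirm against its documentation), only where needed. Note also that `cargo deny check` with no sub-command runs the advisories check as well, so the `cargo-audit scan` step largely duplicates it; if both are kept, the two tools must be given the same ignore list or one will keep failing after the other is satisfied.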
@@ -86,6 +88,10 @@ install-tools:
 cargo install soroban-cli
 @echo "Adding wasm32-unknown-unknown target..."
 rustup target add wasm32-unknown-unknown
+ @echo "Installing cargo-audit..."
+ cargo install cargo-audit --locked
+ @echo "Installing cargo-deny..."
+ cargo install cargo-deny --locked
 @echo "✅ Development dependencies installed!"
 # Quick setup for new contributors
@@ -99,5 +105,17 @@ setup: install-tools build
 @echo "3. Start developing your feature!"
 # Continuous integration target
-ci: fmt lint test
+ci: audit deny fmt lint test
 @echo "✅ CI checks passed!"
+
+# Run security audit
+audit:
+ @echo "Running cargo-audit..."
+ cargo audit
+ @echo "✅ Security audit passed!"
+
+# Run cargo-deny checks
+deny:
+ @echo "Running cargo-deny..."
+ cargo deny check
+ @echo "✅ cargo-deny checks passed!"
diff --git a/README.md b/README.md
index 12b3823..c147ceb 100644
--- a/README.md
+++ b/README.md
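Review bot: The new `audit` target runs `cargo audit`, which takes its ignore list from `.cargo/audit.toml` (or `--ignore` flags) and not from `deny.toml`, yet the README added in this same commit tells contributors to suppress an advisory by adding it to `deny.toml` under `[advisories] ignore`; after following that advice, `make audit` and the CI `cargo-audit` step would still fail. Either drop `cargo-audit` in favour of `cargo deny check advisories`, which does honour `deny.toml`, or mirror every ignore into `.cargo/audit.toml` and say so in the README. A comment above the target would make the split explicit, e.g. `# RustSec vulnerability scan; ignores live in .cargo/audit.toml, not deny.toml`. The `ci:` prerequisites now run `audit deny` before `fmt lint test`, so an advisory-database fetch gates the cheap local checks; `ci: fmt lint test audit deny` would let formatting and lint failures surface first.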
@@ -201,6 +201,39 @@ git push origin feature/add-donation-flow
 ```
 Open a Pull Request from your fork back to the main branch.
+## Security Scans
+
+This project uses `cargo-audit` and `cargo-deny` to maintain high security standards and license compliance.
+
+### Local Scans
+
+You can run the security scans locally using the following commands:
+
+- **Check for vulnerabilities**:
+ ```bash
+ make audit
+ ```
+- **Check for license and ban policies**:
+ ```bash
+ make deny
+ ```
+
+### Resolving Failures
+
+#### Vulnerabilities (`cargo audit`)
+If a vulnerability is found, you should:
+1. **Update dependencies**: Run `cargo update` to see if a newer version of the crate resolves the issue.
+2. **Ignore (Temporary)**: If a fix is not available and you have audited the vulnerability, you can temporarily ignore it by adding it to `deny.toml` under `[advisories] -> ignore`.
+
+#### License/Ban Policy (`cargo deny`)
+If a license or ban policy violation is found:
+1. **Check Licenses**: Ensure all dependencies use approved licenses. If a new license needs to be allowed, update the `allow` list in `deny.toml`.
+2. **Banned Crates**: If a crate is banned, you must find an alternative or justify its use and add it to the `skip` list in `deny.toml`.
+
+### Automated CI
+
+Security scans are automatically run on every push and pull request. CI will fail if any known vulnerabilities or policy violations are detected.
+
 # 📜 License
 MIT License — free to use, modify, and distribute.
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 0000000..fa02d21
--- /dev/null
+++ b/deny.toml
@@ -0,0 +1,44 @@
+# cargo-deny configuration
+
+[advisories]
+version = 2
+vulnerability = "deny"
+unmaintained = "warn"
+unsound = "warn"
+notice = "warn"
+ignore = []
+
+[bans]
+version = 2
+deny = []
+skip = []
+skip-tree = []
+
+[licenses]
+version = 2
+unlicensed = "deny"
+allow = [
+ "MIT",
+ "Apache-2.0",
+ "BSD-2-Clause",
+ "BSD-3-Clause",
+ "ISC",
+ "CC0-1.0",
+ "Zlib",
+ "OpenSSL",
+]
+deny = [
+ "GPL-1.0",
+ "GPL-2.0",
+ "GPL-3.0",
+ "AGPL-3.0",
+]
+copyleft = "warn"
+confidence-threshold = 0.8
+
+[sources]
+version = 2
+unknown-registry = "deny"
+unknown-git = "deny"
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]
+allow-git = []
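Review bot: Several keys here belong to the version-1 schema and, as far as I recall, are deprecated once `version = 2` is set: `vulnerability`, `unsound` and `notice` under `[advisories]` (always errors in v2, and the accepted values for `unmaintained` changed as well), and `unlicensed`, `deny` and `copyleft` under `[licenses]` (in v2 any license not in `allow` is rejected, so `copyleft = "warn"` has no effect and the GPL entries are redundant); `version` is also not a recognised key of `[bans]` or `[sources]`. Run `cargo deny check` against the cargo-deny release the action resolves to and delete whatever it reports as unknown or deprecated, so the output stays quiet enough that a real finding is noticed; the `deny` list additionally uses deprecated SPDX identifiers (`GPL-2.0` rather than `GPL-2.0-only` / `GPL-2.0-or-later`), which the checker may warn about. When an advisory is eventually added to `ignore`, prefer the object form so the justification sits next to the exception, e.g. `ignore = [{ id = "RUSTSEC-<year>-<number>", reason = "<why it does not apply here>" }]`.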