feat: Integrate cargo-audit and cargo-deny for automated security…

.github/workflows/ci.yml

@@ -149,3 +149,20 @@ jobs:
 
       - name: Build WASM contract
         run: cargo build -p stellaraid-core --target wasm32-unknown-unknown
+
+  security:
+    name: Security Scans
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout sources
+        uses: actions/checkout@v4
+
+      - name: cargo-audit scan
+        uses: rustsec/[email protected]
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: cargo-deny check
+        uses: embarkstudios/cargo-deny-action@v2
+        with:
+          command: check

Makefile

@@ -1,4 +1,4 @@
-.PHONY: help build test fmt lint clean wasm check-deps install-tools
+.PHONY: help build test fmt lint clean wasm check-deps install-tools audit deny
 
 # Default target
 help:
@@ -13,6 +13,8 @@ help:
 	@echo "  clean        - Clean build artifacts"
 	@echo "  check-deps   - Check if required dependencies are installed"
 	@echo "  install-tools- Install development dependencies"
+	@echo "  audit        - Check for security vulnerabilities in dependencies"
+	@echo "  deny         - Check for license and ban policies"
 	@echo "  help         - Show this help message"
 
 # Build everything
@@ -86,6 +88,10 @@ install-tools:
 	cargo install soroban-cli
 	@echo "Adding wasm32-unknown-unknown target..."
 	rustup target add wasm32-unknown-unknown
+	@echo "Installing cargo-audit..."
+	cargo install cargo-audit --locked
+	@echo "Installing cargo-deny..."
+	cargo install cargo-deny --locked
 	@echo "✅ Development dependencies installed!"
 
 # Quick setup for new contributors
@@ -99,5 +105,17 @@ setup: install-tools build
 	@echo "3. Start developing your feature!"
 
 # Continuous integration target
-ci: fmt lint test
+ci: audit deny fmt lint test
 	@echo "✅ CI checks passed!"
+
+# Run security audit
+audit:
+	@echo "Running cargo-audit..."
+	cargo audit
+	@echo "✅ Security audit passed!"
+
+# Run cargo-deny checks
+deny:
+	@echo "Running cargo-deny..."
+	cargo deny check
+	@echo "✅ cargo-deny checks passed!"

README.md

@@ -201,6 +201,39 @@ git push origin feature/add-donation-flow
 ```
 Open a Pull Request from your fork back to the main branch.
 
+## Security Scans
+
+This project uses `cargo-audit` and `cargo-deny` to maintain high security standards and license compliance.
+
+### Local Scans
+
+You can run the security scans locally using the following commands:
+
+- **Check for vulnerabilities**:
+  ```bash
+  make audit
+  ```
+- **Check for license and ban policies**:
+  ```bash
+  make deny
+  ```
+
+### Resolving Failures
+
+#### Vulnerabilities (`cargo audit`)
+If a vulnerability is found, you should:
+1.  **Update dependencies**: Run `cargo update` to see if a newer version of the crate resolves the issue.
+2.  **Ignore (Temporary)**: If a fix is not available and you have audited the vulnerability, you can temporarily ignore it by adding it to `deny.toml` under `[advisories] -> ignore`.
+
+#### License/Ban Policy (`cargo deny`)
+If a license or ban policy violation is found:
+1.  **Check Licenses**: Ensure all dependencies use approved licenses. If a new license needs to be allowed, update the `allow` list in `deny.toml`.
+2.  **Banned Crates**: If a crate is banned, you must find an alternative or justify its use and add it to the `skip` list in `deny.toml`.
+
+### Automated CI
+
+Security scans are automatically run on every push and pull request. CI will fail if any known vulnerabilities or policy violations are detected.
+
 # 📜 License
 MIT License — free to use, modify, and distribute.
 

deny.toml

@@ -0,0 +1,44 @@
+# cargo-deny configuration
+
+[advisories]
+version = 2
+vulnerability = "deny"
+unmaintained = "warn"
+unsound = "warn"
+notice = "warn"
+ignore = []
+
+[bans]
+version = 2
+deny = []
+skip = []
+skip-tree = []
+
+[licenses]
+version = 2
+unlicensed = "deny"
+allow = [
+    "MIT",
+    "Apache-2.0",
+    "BSD-2-Clause",
+    "BSD-3-Clause",
+    "ISC",
+    "CC0-1.0",
+    "Zlib",
+    "OpenSSL",
+]
+deny = [
+    "GPL-1.0",
+    "GPL-2.0",
+    "GPL-3.0",
+    "AGPL-3.0",
+]
+copyleft = "warn"
+confidence-threshold = 0.8
+
+[sources]
+version = 2
+unknown-registry = "deny"
+unknown-git = "deny"
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]
+allow-git = []