Background
The Soroban smart contracts have Cargo dependencies that could contain known CVEs. Adding cargo audit to CI automatically fails the build if a vulnerability is detected in any transitive dependency, keeping the contracts secure without manual tracking.
What to build
Add a CI job that runs cargo audit against the contracts workspace on every PR targeting main.
Key files
.github/workflows/ci.yml — add a new job herecontracts/Cargo.lock — must be committed for cargo audit to work
Suggested execution
git checkout -b ci/cargo-audit
- Add a
security-audit job to .github/workflows/ci.yml that installs cargo-audit and runs it from contracts/
- Ensure
contracts/Cargo.lock is committed (check .gitignore)
- If existing advisories are acceptable, add them to
audit.toml with a justification comment
Example commit message:
ci: add cargo-audit security scan for Soroban contract dependencies
Acceptance criteria
Drips Wave · Complexity: Trivial · 100 points
Comment below to request assignment. PR must include Closes #[this issue].
Background
The Soroban smart contracts have Cargo dependencies that could contain known CVEs. Adding
cargo auditto CI automatically fails the build if a vulnerability is detected in any transitive dependency, keeping the contracts secure without manual tracking.What to build
Add a CI job that runs
cargo auditagainst the contracts workspace on every PR targetingmain.Key files
.github/workflows/ci.yml— add a new job herecontracts/Cargo.lock— must be committed forcargo auditto workSuggested execution
security-auditjob to.github/workflows/ci.ymlthat installscargo-auditand runs it fromcontracts/contracts/Cargo.lockis committed (check.gitignore)audit.tomlwith a justification commentExample commit message:
ci: add cargo-audit security scan for Soroban contract dependenciesAcceptance criteria
audit.toml