Description:
TariffShield processes real financial transactions and stores sensitive importer data, yet no automated vulnerability scanning runs against its dependency trees. Adding cargo audit and npm audit to CI with a hard failure on critical-severity findings ensures that known exploitable vulnerabilities in crate or npm dependencies are caught before they ship, without requiring manual developer intervention.
Acceptance Criteria:
Relevant Files:
.github/workflows/audit.yml — new audit workflow
deny.toml — cargo-deny configuration for license and duplicate checks
Cargo.toml — Rust workspace (crates under audit)
package.json — npm workspace root (packages under audit)
docs/security.md — security policy and vulnerability response process
Description:
TariffShield processes real financial transactions and stores sensitive importer data, yet no automated vulnerability scanning runs against its dependency trees. Adding
cargo auditandnpm auditto CI with a hard failure on critical-severity findings ensures that known exploitable vulnerabilities in crate or npm dependencies are caught before they ship, without requiring manual developer intervention.Acceptance Criteria:
.github/workflows/audit.ymlthat triggers onpull_requestand on a dailyschedule: cron: '0 6 * * *'so new CVEs disclosed overnight are caught the next morningcargo-auditstep installscargo-auditviacargo install cargo-audit --locked(cached across runs), runscargo audit, and fails the job on any advisory with acriticalorhighCVSS severitynpm-auditstep runsnpm audit --audit-level=criticalfrom the workspace root, which fails on critical vulnerabilities only (high-severity findings generate a warning comment instead)cargo-audit-report.json,npm-audit-report.json) for inspection without rerunning CIactions/github-scripttitled "Security: dependency vulnerability found — " with the CVE IDs and affected packages listedcargo denyconfiguration (deny.toml) is added alongsidecargo auditto enforce license allow-listing (MIT, Apache-2.0, ISC only) and block duplicate crate versionsdocs/security.md: how to assess, how to pin or patch, and the SLA for critical fixes (24 hours)Relevant Files:
.github/workflows/audit.yml— new audit workflowdeny.toml— cargo-deny configuration for license and duplicate checksCargo.toml— Rust workspace (crates under audit)package.json— npm workspace root (packages under audit)docs/security.md— security policy and vulnerability response process