Skip to content

Run cargo audit and npm audit in CI with Hard Failure on Critical Vulnerabilities #278

Description

@vjuliaife

Description:
TariffShield processes real financial transactions and stores sensitive importer data, yet no automated vulnerability scanning runs against its dependency trees. Adding cargo audit and npm audit to CI with a hard failure on critical-severity findings ensures that known exploitable vulnerabilities in crate or npm dependencies are caught before they ship, without requiring manual developer intervention.

Acceptance Criteria:

  • Create .github/workflows/audit.yml that triggers on pull_request and on a daily schedule: cron: '0 6 * * *' so new CVEs disclosed overnight are caught the next morning
  • The cargo-audit step installs cargo-audit via cargo install cargo-audit --locked (cached across runs), runs cargo audit, and fails the job on any advisory with a critical or high CVSS severity
  • The npm-audit step runs npm audit --audit-level=critical from the workspace root, which fails on critical vulnerabilities only (high-severity findings generate a warning comment instead)
  • Both audit steps upload their JSON output as artifacts (cargo-audit-report.json, npm-audit-report.json) for inspection without rerunning CI
  • When the scheduled audit run fails, it opens a GitHub Issue automatically via actions/github-script titled "Security: dependency vulnerability found — " with the CVE IDs and affected packages listed
  • A cargo deny configuration (deny.toml) is added alongside cargo audit to enforce license allow-listing (MIT, Apache-2.0, ISC only) and block duplicate crate versions
  • Document the vulnerability response process in docs/security.md: how to assess, how to pin or patch, and the SLA for critical fixes (24 hours)

Relevant Files:

  • .github/workflows/audit.yml — new audit workflow
  • deny.toml — cargo-deny configuration for license and duplicate checks
  • Cargo.toml — Rust workspace (crates under audit)
  • package.json — npm workspace root (packages under audit)
  • docs/security.md — security policy and vulnerability response process

Metadata

Metadata

Assignees

Labels

Stellar WaveIssues in the Stellar wave programciAuto-created by repotool publish-folderdxDeveloper experience / docs / naming

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions