Automate Cargo Audit Security Scanning and Dependency Remediation

## Overview

Introduce a Rust dependency security workflow based on `cargo audit` that runs periodically and
can be triggered manually, document scan results under `docs/security/dependencies`, and remediate
vulnerabilities where feasible.

This task also defines a clear process for unresolved findings: if vulnerabilities cannot be fixed
quickly (e.g. blocked by upstream releases), create follow-up issues with context, impact, and tracking.

## Specification

See detailed specification: [docs/issues/439-cargo-audit-security-automation-and-remediation.md](../docs/issues/439-cargo-audit-security-automation-and-remediation.md)

## Implementation Plan

### Phase 1: CI Workflow Setup

- [ ] Create `.github/workflows/cargo-audit.yml`
- [ ] Configure schedule + manual trigger + permissions following RustSec audit-check docs
- [ ] Validate workflow configuration and alignment with existing workflow style

### Phase 2: Manual Security Reporting

- [ ] Run `cargo audit` manually and capture results
- [ ] Create `docs/security/dependencies/` index and date-stamped scan report
- [ ] Cross-link report from security documentation

### Phase 3: Dependency Remediation

- [ ] Identify direct vs transitive upgrade paths for current findings
- [ ] Apply safe dependency updates/replacements
- [ ] Re-run build, tests, lint, and `cargo audit`

### Phase 4: Follow-up Tracking

- [ ] Create issue(s) for unresolved advisories/blockers
- [ ] Link follow-up issue(s) in main issue and report docs
- [ ] Document mitigation strategy and revisit timeline

## Acceptance Criteria

> **Note for Contributors**: These criteria define what the PR reviewer will check. Use this as your pre-review checklist before submitting the PR to minimize back-and-forth iterations.

**Quality Checks**:

- [ ] Pre-commit checks pass: `./scripts/pre-commit.sh`

**Task-Specific Criteria**:

- [ ] New workflow exists and runs on schedule + manual dispatch
- [ ] Workflow uses RustSec audit action with appropriate permissions and token configuration
- [ ] Manual dependency security report exists in `docs/security/dependencies/` and follows documented format
- [ ] `cargo audit` was re-run and latest results are documented
- [ ] Feasible dependency vulnerabilities are remediated and validated
- [ ] Unresolved vulnerabilities have linked follow-up issue(s) with actionable next steps

## Related

- Spec: docs/issues/439-cargo-audit-security-automation-and-remediation.md
- Related workflow: `.github/workflows/docker-security-scan.yml`
- RustSec audit-check: https://github.com/rustsec/audit-check

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Automate Cargo Audit Security Scanning and Dependency Remediation #439

Overview

Specification

Implementation Plan

Phase 1: CI Workflow Setup

Phase 2: Manual Security Reporting

Phase 3: Dependency Remediation

Phase 4: Follow-up Tracking

Acceptance Criteria

Related

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Automate Cargo Audit Security Scanning and Dependency Remediation #439

Description

Overview

Specification

Implementation Plan

Phase 1: CI Workflow Setup

Phase 2: Manual Security Reporting

Phase 3: Dependency Remediation

Phase 4: Follow-up Tracking

Acceptance Criteria

Related

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions