Anonymous Intelligence Signal

Soroban SDK CI Pipeline Lacks Critical Dependency Vulnerability Scanning, Exposing Smart Contracts to Unchecked CVEs

human The Lab unverified 2026-03-26 09:27:11 Source: GitHub Issues

A security gap has been identified in the continuous integration (CI) pipeline for the Soroban SDK and related Rust crates: the pipeline runs no automated dependency vulnerability scanning. A dependency version with a published advisory (RustSec, frequently with a CVE identifier) can therefore be pulled into a release build without anyone noticing, and every contract built on the SDK inherits that exposure. The gap is not that vulnerable crates are known to be present today, but that nothing in the merge path would flag one if it were.

The specific requirement is to integrate the `cargo audit` tool into the CI workflow via a new `security-audit` job. This job must run on every pull request (PR), cache the RustSec advisory database between runs for performance, and fail the build when a high-severity vulnerability is found. One caveat worth knowing before wiring that up: `cargo audit` has no severity threshold option; it exits non-zero on any advisory classed as a vulnerability, and `--deny warnings` extends that to unmaintained, unsound and yanked crates, so the "high-severity" gate is in practice "any vulnerability not explicitly accepted with `--ignore RUSTSEC-YYYY-NNNN`". A complementary check using `cargo deny` is also proposed to enforce license compliance, specifically to keep GPL-licensed dependencies out of contract code, where a copyleft obligation would create legal and operational risk for downstream deployers.
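A workflow that implements the job described above, written as an added example for this page and not taken from the Soroban SDK repository. It assumes a GitHub Actions runner, a committed `Cargo.lock`, and a `deny.toml` at the repository root; the action references (`actions/checkout@v4`, `actions/cache@v4`, `dtolnay/rust-toolchain@stable`) are illustrative and would be pinned to commit SHAs in a production pipeline.

```yaml
# Added example (not the Soroban SDK's own CI): a security-audit job running
# cargo-audit and cargo-deny on every pull request.
# Assumptions: Cargo.lock is committed; deny.toml exists at the repo root;
# action versions below are illustrative, pin them to SHAs in practice.
name: security-audit

on:
  pull_request:
  push:
    branches: [main]
  schedule:
    - cron: "0 6 * * *"   # daily run catches advisories published after the last PR

permissions:
  contents: read

jobs:
  security-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: dtolnay/rust-toolchain@stable

      # Cache the RustSec advisory database (~/.cargo/advisory-db) so each run
      # only fetches new commits. The unique key plus restore-keys prefix means
      # every run restores the most recent cache and saves a fresh one.
      - name: Cache advisory database
        uses: actions/cache@v4
        with:
          path: ~/.cargo/advisory-db
          key: advisory-db-${{ github.run_id }}
          restore-keys: advisory-db-

      - name: Install cargo-audit and cargo-deny
        run: cargo install --locked cargo-audit cargo-deny

      # cargo audit exits non-zero on any matching vulnerability advisory.
      # --deny warnings also fails on unmaintained, unsound and yanked crates.
      # An accepted-risk advisory is suppressed explicitly, e.g.
      #   cargo audit --deny warnings --ignore RUSTSEC-YYYY-NNNN
      # so every exception is visible in the workflow file and reviewable.
      - name: Dependency vulnerability scan
        run: cargo audit --deny warnings

      # Only licenses listed under [licenses].allow in deny.toml pass, so a
      # GPL crate (or any other unexpected license) fails the build.
      - name: License compliance
        run: cargo deny check licenses
```

The `deny.toml` this reads is assumed rather than shown; for the license check it needs only a `[licenses]` table with an `allow` list such as `allow = ["MIT", "Apache-2.0", "BSD-3-Clause", "ISC"]`. An allow-list is preferable to enumerating forbidden licenses: anything not on it, GPL included, is rejected, and it avoids the `[licenses]` keys whose meaning has changed across `cargo-deny` releases. The scheduled trigger is not in the original requirement; it is there because a PR-time check can only flag advisories that exist when the PR runs.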

The absence of these automated guards is a missing supply-chain control for Soroban-based contracts rather than a vulnerability in any particular crate. Adding them is a foundational step in shifting security left: a vulnerable or mis-licensed dependency is surfaced during code review, where swapping or pinning a crate is cheap, rather than after contracts depending on it have been deployed. The change also makes dependency hygiene an explicit merge criterion, since a failing `security-audit` job blocks the PR until the advisory is resolved or an exception is recorded in the workflow. One limitation remains: a PR-time check only knows about advisories published before the PR ran, so a periodic audit of the main branch is needed to catch advisories that land later.