Security: Add Automated Dependency Vulnerability Scanning in CI/CD Pipeline

[Smartdevs17]

Context

Supply chain attacks via vulnerable dependencies are an increasing threat. The project uses many npm, Rust, and Solidity packages.

Current Limitation/Problem

There is no automated dependency vulnerability scanning. Vulnerable transitive dependencies can go undetected for months. No policy for vulnerability remediation SLAs.

Expected Outcome

Automated vulnerability scanning for all dependency types (npm, Cargo, Solidity) in CI/CD, with configurable severity thresholds and policy-based blocking.

Acceptance Criteria

• Integrate npm audit, Snyk or Dependabot for npm packages
• Integrate cargo audit for Rust/Soroban dependencies
• Parse vulnerability reports and fail CI on high/critical severity
• Generate vulnerability report as CI artifact
• Weekly scheduled scan (not just on PR)
• Alert Slack/email on new critical vulnerabilities
• Auto-create GitHub issue for vulnerabilities with severity and remediation
• Dependency license compliance check
• Policy configuration: which severities block CI, SLA for remediation
• Dashboard: vulnerability trend over time

Technical Scope

• .github/workflows/dependency-scan.yml - CI workflow
• GitHub Dependabot configuration (auto-PRs for updates)
• Custom script for aggregating scan results from multiple tools
• Slack/notification integration for alerts
• Prisma: VulnerabilityReport, DependencyVulnerability models
• Edge cases: false positives, unmaintained packages, version conflicts

[BigDella]

@BigDella has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

i will love to work on this issue

ℹ️ Repo Maintainers: To accept this application, review their application or assign @BigDella to this issue.

[drips-wave]

Congratulations, @BigDella! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 30, 2026.

🧑‍💻 @BigDella: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊

[drips-wave]

This issue has been completed by @BigDella as part of the Stellar Wave Program's 6th Wave 🥳

😎 @BigDella: You earned 200 Points for completing this issue! After the current Wave ends, you'll be eligible for a percentage of the Wave's reward pool based on the percentage of total points you've earned. Learn more here. You can also Leave a review to share your experience working on this issue.

🧑‍💻 Repo maintainers: How'd the contributor do? Leave a review to share your experience working with them.