Merge #440: Implement cargo audit security automation for #439

1a5dc56 ci: [#439] add cargo security audit workflow (Jose Celano)
805be28 docs: [#439] add cargo audit security reports (Jose Celano)
28b7018 build: [#439] update vulnerable dependency versions (Jose Celano)

Pull request description:

  ## Summary

  Implements issue #439 by adding automated Cargo dependency security auditing, documenting the initial scan, and remediating the reported vulnerable dependency versions.

  ## Changes

  - Add a scheduled and manually runnable Cargo security audit workflow
  - Add dependency security report documentation under docs/security/dependencies
  - Update vulnerable dependency versions to clear current cargo-audit findings
  - Add the Cargo Security Audit badge to the main README

  ## Commit Structure

  - build: [#439] update vulnerable dependency versions
  - docs: [#439] add cargo audit security reports
  - ci: [#439] add cargo security audit workflow

  ## Validation

  - ./scripts/pre-commit.sh
  - cargo audit

  Closes #439

ACKs for top commit:
  josecelano:
    ACK 1a5dc56

Tree-SHA512: b279facc688aa68d59415b56cc5fab69bdc3f54cf546924d7a95e0c0e2620d234f7815fbbee0b5593dc99012bf3b7387312d9bcece4986394399d59b6de3c197

Author: josecelano

.github/workflows/cargo-security-audit.yml

@@ -0,0 +1,44 @@
+name: Cargo Security Audit
+
+on:
+  push:
+    branches: [main, develop]
+    paths:
+      - "**/Cargo.toml"
+      - "**/Cargo.lock"
+      - ".github/workflows/cargo-security-audit.yml"
+
+  pull_request:
+    paths:
+      - "**/Cargo.toml"
+      - "**/Cargo.lock"
+      - ".github/workflows/cargo-security-audit.yml"
+
+  # Scheduled scans are important because new RustSec advisories can appear
+  # even when the codebase and lockfile do not change.
+  schedule:
+    - cron: "0 6 * * *" # Daily at 6 AM UTC
+
+  workflow_dispatch:
+
+jobs:
+  cargo-audit:
+    name: Audit Rust Dependencies
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    # cspell:ignore rustsec
+    # rustsec/audit-check can create issues and checks on scheduled runs.
+    permissions:
+      contents: read
+      checks: write
+      issues: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+
+      - name: Run cargo audit via RustSec action
+        uses: rustsec/audit-check@v2.0.0
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}

Cargo.toml

@@ -60,7 +60,7 @@ serde = { version = "1.0", features = [ "derive" ] }
 serde_json = "1.0"
 tempfile = "3.0"
 tera = "1.0"
-testcontainers = { version = "0.26", features = [ "blocking" ] }
+testcontainers = { version = "0.27", features = [ "blocking" ] }
 thiserror = "2.0"
 torrust-dependency-installer = { path = "packages/dependency-installer" }
 torrust-deployer-types = { path = "packages/deployer-types" }

README.md

@@ -1,4 +1,4 @@
-[![Linting](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/linting.yml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/linting.yml) [![Testing](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/testing.yml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/testing.yml) [![Test Dependency Installer](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/test-dependency-installer.yml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/test-dependency-installer.yml) [![E2E Infrastructure Tests](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/test-e2e-infrastructure.yml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/test-e2e-infrastructure.yml) [![E2E Deployment Tests](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/test-e2e-deployment.yml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/test-e2e-deployment.yml) [![SDK Examples](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/test-sdk-examples.yml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/test-sdk-examples.yml) [![Test LXD Container Provisioning](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/test-lxd-provision.yml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/test-lxd-provision.yml) [![Coverage](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/coverage.yml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/coverage.yml) [![Container](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/container.yaml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/container.yaml) [![Backup Container](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/backup-container.yaml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/backup-container.yaml) [![Docker Security Scan](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/docker-security-scan.yml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/docker-security-scan.yml) [![Code Statistics](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/code-statistics.yml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/code-statistics.yml)
+[![Linting](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/linting.yml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/linting.yml) [![Testing](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/testing.yml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/testing.yml) [![Test Dependency Installer](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/test-dependency-installer.yml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/test-dependency-installer.yml) [![E2E Infrastructure Tests](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/test-e2e-infrastructure.yml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/test-e2e-infrastructure.yml) [![E2E Deployment Tests](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/test-e2e-deployment.yml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/test-e2e-deployment.yml) [![SDK Examples](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/test-sdk-examples.yml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/test-sdk-examples.yml) [![Test LXD Container Provisioning](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/test-lxd-provision.yml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/test-lxd-provision.yml) [![Coverage](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/coverage.yml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/coverage.yml) [![Container](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/container.yaml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/container.yaml) [![Backup Container](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/backup-container.yaml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/backup-container.yaml) [![Docker Security Scan](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/docker-security-scan.yml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/docker-security-scan.yml) [![Cargo Security Audit](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/cargo-security-audit.yml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/cargo-security-audit.yml) [![Code Statistics](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/code-statistics.yml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/code-statistics.yml)
 
 [![Open in GitHub Codespaces](https://github.com/codespaces/badge.svg)](https://codespaces.new/torrust/torrust-tracker-deployer?quickstart=1)
 

docs/security/dependencies/README.md

@@ -0,0 +1,21 @@
+# Dependency Security Reports
+
+This directory tracks Rust dependency security scans for the deployer workspace.
+
+## Current Status
+
+- Last scan: 2026-04-10
+- Tool: `cargo-audit`
+- Status: no known RustSec vulnerabilities in `Cargo.lock`
+- Latest report: [scans/2026-04-10-cargo-audit.md](scans/2026-04-10-cargo-audit.md)
+
+## Scanning Standard
+
+- Run command: `cargo audit`
+- Record date, scanner output summary, and remediation actions.
+- If findings remain and cannot be fixed quickly, open a follow-up GitHub issue and link it in the report.
+
+## Related Automation
+
+- Workflow: `.github/workflows/cargo-security-audit.yml`
+- RustSec action: <https://github.com/rustsec/audit-check>

docs/security/dependencies/scans/2026-04-10-cargo-audit.md

@@ -0,0 +1,72 @@
+<!-- cspell:ignore RUSTSEC webpki pemfile -->
+
+# Cargo Audit Security Scan - 2026-04-10
+
+## Scan Metadata
+
+- Date: 2026-04-10
+- Tool: `cargo-audit`
+- Workspace: `torrust-tracker-deployer`
+- Command: `cargo audit`
+
+## Baseline (Before Remediation)
+
+Initial scan found 4 vulnerabilities and 1 warning:
+
+1. `RUSTSEC-2026-0066` - `astral-tokio-tar 0.5.6`
+1. `RUSTSEC-2026-0007` - `bytes 1.11.0`
+1. `RUSTSEC-2026-0049` - `rustls-webpki 0.103.8`
+1. `RUSTSEC-2026-0009` - `time 0.3.44`
+1. `RUSTSEC-2025-0134` - `rustls-pemfile 2.2.0` (unmaintained warning)
+
+Baseline output excerpt:
+
+```text
+error: 4 vulnerabilities found!
+warning: 1 allowed warning found
+```
+
+## Remediation Actions
+
+Applied updates:
+
+1. Upgraded `testcontainers` in workspace root from `0.26` to `0.27`.
+1. Upgraded `testcontainers` in `packages/dependency-installer` dev-dependencies from `0.25` to `0.27`.
+1. Refreshed lockfile with `cargo update`.
+
+These updates pulled patched transitive dependencies, including:
+
+- `bytes 1.11.1`
+- `time 0.3.47`
+- `rustls-webpki 0.103.10`
+
+## Verification (After Remediation)
+
+Command rerun:
+
+```bash
+cargo audit
+```
+
+Result:
+
+- Exit code: `0`
+- No vulnerabilities reported for current lockfile.
+
+Output excerpt:
+
+```text
+Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
+Loaded 1042 security advisories
+Scanning Cargo.lock for vulnerabilities (380 crate dependencies)
+```
+
+## Follow-up Issues
+
+No follow-up issue was required for this scan because all reported vulnerabilities were resolved through dependency updates.
+
+## Related
+
+- Main task: <https://github.com/torrust/torrust-tracker-deployer/issues/439>
+- Workflow: `.github/workflows/cargo-security-audit.yml`
+- Dependency report index: `docs/security/dependencies/README.md`

packages/dependency-installer/Cargo.toml

@@ -22,7 +22,7 @@ tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = [ "env-filter" ] }
 
 [dev-dependencies]
-testcontainers = "0.25"
+testcontainers = "0.27"
 
 [[test]]
 name = "check_command_docker_integration"