Fix failing and skipped security checks#37

Draft
atul-fusionpact wants to merge 3 commits into main from cursor/fix-failing-and-skipped-security-checks-b467

Conversation

@atul-fusionpact
Contributor

📋 Description

This PR addresses multiple failing and skipped security checks within the repository's CI/CD pipeline. It modernizes the cargo-deny configuration, resolves identified dependency vulnerabilities, enables previously skipped container vulnerability and reproducible build scans, and refines secret scanning exclusions to reduce false positives.

Related Issue(s): Closes #

🔧 Type of Change

Please select the type of change this PR introduces:

  • 🐛 Bug fix (non-breaking change which fixes an issue)
  • ✨ New feature (non-breaking change which adds functionality)
  • 💥 Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • 📚 Documentation update
  • ⚡ Performance improvement
  • 🔧 Code refactoring (no functional changes)
  • 🧪 Test improvements
  • 🔒 Security enhancement
  • 🏗️ Build system / CI/CD changes

📚 Library/Component Affected

Please check the libraries or components affected by this PR:

  • 🔐 BiSCOL (Bitcoin Smart Contract Orchestration)
  • 🌉 CCI-SAT (Cross-Chain Interoperability)
  • 🛡️ AICRM-SDK (AI-Driven Compliance & Risk Management)
  • ⚡ IMO-EO (Mining Operations & Energy Optimization)
  • 📖 Documentation
  • 🔧 CI/CD Pipeline
  • 🏗️ Build System
  • 🧪 Testing Infrastructure
  • 🔒 Security
  • Other: Dependency management (Cargo.toml/lock)

🧪 Testing

Please describe the testing you've performed:

  • Tests pass locally (cargo test --workspace)
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • I have added integration tests where applicable
  • I have tested across different platforms (if applicable)

Test Coverage

# Local cargo deny checks passed for advisories, licenses, bans, and sources.
# Dependency updates resolve known RUSTSEC vulnerabilities.
# CI workflow logic for security scans has been updated to ensure execution.

📝 Checklist

Please ensure your PR meets these requirements:

Code Quality

  • My code follows the project's style guidelines
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have removed any debugging code or console logs
  • My changes generate no new warnings (cargo clippy --workspace)
  • Code is properly formatted (cargo fmt --all)

Documentation

  • I have made corresponding changes to the documentation
  • I have updated the API documentation (doc comments)
  • I have updated the README if necessary
  • I have added examples demonstrating new features

Testing & Security

  • I have added appropriate error handling
  • I have considered security implications of my changes
  • I have tested edge cases and error conditions
  • No sensitive information (API keys, passwords) is included

Dependencies

  • Any new dependencies are justified and approved
  • Dependencies are pinned to specific versions
  • I have checked for security vulnerabilities in dependencies
  • Any dependent changes have been merged and published

🔗 Related Issues

Link any related issues, discussions, or previous PRs:

  • Resolves #
  • Related to #
  • Builds on #
  • Fixes #

📸 Screenshots/Demonstrations

If applicable, add screenshots, GIFs, or command output demonstrating the changes:

# Local `cargo deny check advisories/licenses/bans/sources` output:
# All checks passed.

🚀 Performance Impact

If applicable, describe any performance implications:

  • No performance impact
  • Performance improvement (include benchmarks)
  • Potential performance regression (explain why it's acceptable)
  • Performance impact unknown (requires review)

Benchmarks (if applicable)

# Include benchmark results
cargo bench

💭 Additional Context

This PR addresses the following security-related issues:

  • cargo-deny Configuration: The deny.toml has been updated to the latest schema, resolving parsing errors and ensuring proper enforcement of license policies and crate bans (e.g., openssl/openssl-sys).
  • Dependency Vulnerabilities: Key dependencies like prometheus, slab, and config have been upgraded to resolve known RUSTSEC advisories (e.g., RUSTSEC-2024-0437, RUSTSEC-2025-0047, RUSTSEC-2024-0320 by dropping yaml-rust).
  • CI Workflow Enhancements:
    • The security.yml workflow now ensures that Container Vulnerability Scan and Reproducible Build Verification jobs run on pull_request events and pushes to the develop branch, in addition to main.
    • The Dependency Security Audit job has been made more robust by attempting cargo-audit first and falling back to cargo deny check advisories if cargo-audit cannot be installed due to toolchain issues.
  • Secret Scanning: Exclusions have been added for documentation and example directories (docs/**, examples/**, README.md) to reduce false positives, while maintaining core repository scanning.

Breaking Changes

If this PR introduces breaking changes, please describe:

  • What breaks
  • Migration path for users
  • Deprecation timeline (if applicable)

Future Work

List any follow-up tasks or known limitations:

  • Future improvement 1
  • Future improvement 2

🧑‍💻 Reviewer Notes

Areas of focus for reviewers:

  • Please pay special attention to the updated deny.toml to ensure the new schema and policies align with project requirements.
  • Review the security.yml workflow changes, particularly the if conditions for the container scan and reproducible build jobs, and the fallback logic for the dependency audit.
  • Verify that the dependency upgrades in Cargo.toml and Cargo.lock are appropriate and do not introduce regressions.

Testing instructions:

  1. Check out this PR.
  2. Run cargo build --workspace.
  3. Run cargo deny check --all-features to verify the updated configuration.
  4. Run cargo audit (if installable) or cargo deny check advisories to confirm vulnerability resolution.
  5. Observe CI checks for this PR to confirm that container vulnerability scan and reproducible build jobs are no longer skipped.

📋 Maintainer Checklist (for maintainers)

  • Code review completed
  • Tests are adequate and passing
  • Documentation is up to date
  • Security implications reviewed
  • Performance impact assessed
  • Breaking changes properly communicated
  • Version bump required (if applicable)
  • Changelog updated (if applicable)

Thank you for contributing to the Bitcoin Enterprise Suite! 🚀
Your contribution helps advance enterprise Bitcoin adoption
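As an added example (not the PR's own diff, which this page does not show), a `security.yml` fragment of the kind the description refers to: the `if:` condition that stops the container scan from being skipped on pull requests and on pushes to `develop`, and the dependency audit step that tries `cargo-audit` first and falls back to `cargo deny check advisories`. The toolchain action, the Trivy scanner action, and the image tag are assumptions; the reproducible-build job would reuse the same `if:` condition.

```yaml
name: Security

on:
  pull_request:
  push:
    branches: [main, develop]

jobs:
  dependency-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable   # assumed toolchain action
      - name: Install cargo-deny (the fallback tool, always installed)
        run: cargo install cargo-deny --locked
      - name: Audit advisories, falling back to cargo-deny if cargo-audit will not install
        shell: bash
        run: |
          # cargo-audit can fail to build on some toolchains; testing the install
          # inside `if` keeps that failure from aborting the job (errexit does not
          # apply to an if-condition) and routes to the fallback instead.
          if cargo install cargo-audit --locked; then
            cargo audit
          else
            echo "::warning::cargo-audit install failed; using cargo deny check advisories"
            cargo deny check advisories
          fi

  # Previously this job was skipped on pull requests; the condition below runs it
  # on every PR and on pushes to main or develop.
  container-scan:
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request' || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop'
    steps:
      - uses: actions/checkout@v4
      - name: Build image
        run: docker build -t app-under-test:ci .   # assumed image tag and Dockerfile location
      - name: Scan image (Trivy, an assumed scanner; pin to a release tag in real use)
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: app-under-test:ci
          severity: CRITICAL,HIGH
          ignore-unfixed: true
          exit-code: '1'   # fail the job on findings instead of only reporting them
```

The `exit-code: '1'` input is what turns the scan from a report into a gate; without it a job that "runs" can still pass with unaddressed findings.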


cursoragent and others added 3 commits October 19, 2025 04:39
- Update cargo-deny config to latest schema; enforce license policy, bans
- Bump prometheus -> 0.14 to resolve protobuf RUSTSEC; update slab -> 0.4.11
- Update config -> 0.14 to drop yaml-rust advisory
- Adjust secret scanning to ignore docs/examples false-positives
- Run container scan and reproducible build on PRs/develop to avoid skips
Configure cargo-deny for license and ban checks. Add comprehensive license data.

Co-authored-by: atul <atul@fusionpact.com>
@cursor

cursor bot commented Oct 19, 2025

Cursor Agent can help with this pull request. Just @cursor in comments and I'll start working on changes in this branch.
