
Implement code auditing in CI pipelines for all repositories

Open j-chmielewski opened this issue 9 months ago • 2 comments

Introduce automated code auditing into our CI pipelines to help catch known software vulnerabilities early in the development cycle.

  • Add cargo audit step for Rust dependencies.
  • Add pnpm audit step for Node/JS/TS dependencies.
  • Ensure both commands run as part of the CI checks.
  • Fail the pipeline if vulnerabilities of a certain severity are detected (threshold to be defined).
  • Allow overrides or ignore lists (e.g., via audit.toml) if necessary to handle known issues.

Future Considerations:

  • Explore deeper static analysis tools
  • Add dependency update policies or alerts (e.g., via Dependabot).

Keep the initial implementation lightweight and non-disruptive.

j-chmielewski · Mar 28 '25 12:03
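Severity gating with an ignore list, as the issue sketches it, is the one piece that `cargo audit` and `pnpm audit` do not share a single knob for. The script below is an added example (not defguard's own CI code): it reads the JSON that `pnpm audit --json` and `cargo audit --json` emit, fails only on findings at or above a chosen severity, and skips advisory IDs listed in an `audit.toml`-style `ignore = [...]` entry. The JSON shapes assumed here are the npm-v1 audit format for pnpm (`advisories`, `metadata`) and the `vulnerabilities.list[].advisory.id` layout for cargo-audit; the sample documents, the advisory IDs and the package names are constructed for the example, and the `ignore = [...]` reader is a minimal regex, not a TOML parser.

```python
"""Gate a CI job on pnpm audit / cargo audit JSON output (added example, not defguard code)."""
import json
import re
import sys

# Severity ladder used by npm/pnpm audit reports; higher rank == more severe.
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def parse_ignore_list(toml_text: str) -> set[str]:
    """Pull advisory IDs out of an `ignore = ["ID", ...]` entry (audit.toml style).

    Minimal on purpose: handles only that one key, not general TOML.
    """
    match = re.search(r'ignore\s*=\s*\[(.*?)\]', toml_text, re.DOTALL)
    if not match:
        return set()
    return set(re.findall(r'"([^"]+)"', match.group(1)))


def pnpm_findings(audit_output: str, threshold: str, ignore: set[str]) -> list[dict]:
    """Findings from `pnpm audit --json` at or above `threshold`, minus ignored IDs.

    Assumes the npm-v1 report shape: {"advisories": {"<n>": {...}}, "metadata": {...}}.
    """
    data = json.loads(audit_output)
    min_rank = SEVERITY_RANK[threshold]
    findings = []
    for adv in data.get("advisories", {}).values():
        ident = adv.get("github_advisory_id") or str(adv.get("id"))
        severity = adv.get("severity", "info")
        if ident in ignore or SEVERITY_RANK.get(severity, 0) < min_rank:
            continue
        findings.append({"id": ident, "package": adv.get("module_name"), "severity": severity})
    return findings


def cargo_findings(audit_output: str, ignore: set[str]) -> list[dict]:
    """Findings from `cargo audit --json`, minus ignored RUSTSEC IDs.

    Assumes {"vulnerabilities": {"list": [{"advisory": {"id": ...}, "package": {...}}]}}.
    RustSec advisories carry a CVSS vector rather than a named severity, so every
    non-ignored vulnerability counts here; cargo audit itself also exits non-zero on any.
    """
    data = json.loads(audit_output)
    findings = []
    for vuln in data.get("vulnerabilities", {}).get("list", []):
        ident = vuln["advisory"]["id"]
        if ident in ignore:
            continue
        pkg = vuln.get("package", {})
        findings.append({"id": ident, "package": pkg.get("name"), "version": pkg.get("version")})
    return findings


def gate(pnpm_output: str, cargo_output: str, threshold: str, ignore: set[str]) -> tuple[bool, list[dict]]:
    """Return (passed, findings). `passed` is False whenever any finding survives the filters."""
    findings = pnpm_findings(pnpm_output, threshold, ignore) + cargo_findings(cargo_output, ignore)
    return (not findings, findings)


# Constructed sample inputs (IDs and package names are made up for this example).
SAMPLE_PNPM = json.dumps({
    "advisories": {
        "1001": {"id": 1001, "github_advisory_id": "GHSA-aaaa-bbbb-cccc",
                 "module_name": "example-parser", "severity": "moderate"},
        "1002": {"id": 1002, "github_advisory_id": "GHSA-dddd-eeee-ffff",
                 "module_name": "example-transport", "severity": "critical"},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1, "high": 0, "critical": 1}},
})
SAMPLE_CARGO = json.dumps({
    "vulnerabilities": {"found": True, "count": 2, "list": [
        {"advisory": {"id": "RUSTSEC-0000-0001"}, "package": {"name": "example-crate", "version": "0.1.0"}},
        {"advisory": {"id": "RUSTSEC-0000-0002"}, "package": {"name": "other-crate", "version": "2.3.4"}},
    ]},
})
SAMPLE_AUDIT_TOML = """
[advisories]
ignore = [
    "RUSTSEC-0000-0002",  # accepted: not reachable from our code
]
"""

if __name__ == "__main__":
    # In CI: pipe the real `pnpm audit --json` and `cargo audit --json` output in instead.
    passed, found = gate(SAMPLE_PNPM, SAMPLE_CARGO, "high", parse_ignore_list(SAMPLE_AUDIT_TOML))
    for f in found:
        print(f"FAIL {f['id']} in {f['package']} ({f.get('severity') or f.get('version')})")
    sys.exit(0 if passed else 1)
```

`pnpm audit --audit-level <severity>` already gives the threshold for the JS side; the value of a small wrapper like this is one shared ignore list and one exit status across both ecosystems, so a known-accepted advisory is recorded in the repo rather than silenced per workflow.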

Push it, we need secure solutions.

Rusty-Weasel · Mar 30 '25 18:03

Still open? Push it.

Rusty-Weasel · Apr 19 '25 17:04

This was done a while ago; the issue was forgotten in a limbo state. Core, Proxy and Client use cargo-deny and pnpm audit. Gateway uses cargo-deny only, since it doesn't have a frontend.

j-chmielewski · Aug 29 '25 14:08

Sorry, but I need to reopen it. Perhaps I'm overlooking something, and if so tell me what, but why do you use this:

https://github.com/DefGuard/defguard/blob/2926791a91383890c3b4ee32b7866b4e0c12aed7/.github/workflows/e2e.yml#L70

https://github.com/DefGuard/defguard/blob/2926791a91383890c3b4ee32b7866b4e0c12aed7/.github/workflows/lint-e2e.yml#L31

https://github.com/DefGuard/defguard/blob/2926791a91383890c3b4ee32b7866b4e0c12aed7/.github/workflows/lint-web.yml#L31

https://github.com/DefGuard/defguard/blob/2926791a91383890c3b4ee32b7866b4e0c12aed7/e2e/Dockerfile#L6

then you get:

[Image: screenshot of the resulting CI output]

with the result that a CVE stays inside, and that is bad. I just checked a fresh git pull and let it run through osv-scanner:

[Image: screenshot of the osv-scanner results]

https://osv.dev/vulnerability/GHSA-fjxv-7rqg-78g4

Please check it and fix it, as I do not like such CVEs in a solution like defguard (VPN, secure, etc.). Thanks.

Rusty-Weasel · Aug 29 '25 16:08