Add cargo-audit to Rust CI templateCloses #8

CHANGELOG.md

@@ -5,7 +5,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [Unreleased]
+## [0.1.2] - 2026-02-16
+
+### Added
+
+- cargo-audit vulnerability scanning in Rust CI template.
 
 ## [0.1.1] - 2026-02-16
 

STANDARDS.md

@@ -430,7 +430,8 @@ subsections below.
   vulnerabilities. Configuration in `cargo-deny.toml` per repo (see
   §13 for dependency management policy).
 - `cargo deny check` runs in CI after tests.
-- `cargo-audit` for RUSTSEC advisory database checks. [PRE-1.0]
+- `cargo-audit` for RUSTSEC advisory database checks. Runs in CI
+  after `cargo deny check`.
 
 #### Python
 

adrs/0021-defense-in-depth-security.md

@@ -46,7 +46,7 @@ Prevent malicious or vulnerable code from entering the dependency tree.
 - **Rust**: `cargo-deny` (existing) checks licenses, duplicates, and
   known vulnerabilities. [NOW]
 - **Rust**: `cargo-audit` added to CI for advisory database checks.
-  [PRE-1.0]
+  [NOW]
 - **Python**: `pip-audit` added to CI for known vulnerability checks.
   [NOW]
 - **GitHub Actions**: All third-party actions pinned by full commit SHA,

templates/SECURITY.md

@@ -17,7 +17,7 @@ This keeps the report private until a fix is available.
 
 ### Alternative: Email
 
-Send an email to **security@aces-framework.org** with:
+Send an email to **<security@aces-framework.org>** with:
 
 - Description of the vulnerability.
 - Steps to reproduce.

templates/ci-rust.yaml

@@ -33,5 +33,8 @@ jobs:
       - name: Doc
         run: cargo doc --no-deps
 
-      - name: Dependency audit
+      - name: Dependency policy check
         run: cargo deny check
+
+      - name: Vulnerability audit
+        run: cargo install cargo-audit --locked && cargo audit

tools/governance-mcp/src/aces_governance_mcp/server.py

@@ -351,7 +351,7 @@ def get_template(name: str) -> str:
 }
 
 _CI_EXPECTED_STEPS: dict[str, list[str]] = {
-    "rust": ["cargo fmt", "cargo clippy", "cargo test", "cargo doc", "cargo deny"],
+    "rust": ["cargo fmt", "cargo clippy", "cargo test", "cargo doc", "cargo deny", "cargo audit"],
     "python": ["ruff check", "ruff format", "mypy", "pytest", "pip-audit"],
     "governance": ["pre-commit run"],
 }

tools/governance-mcp/tests/conftest.py

@@ -91,6 +91,7 @@ def governance_repo(tmp_path: Path) -> Path:
         "      - run: cargo test\n"
         "      - run: cargo doc --no-deps\n"
         "      - run: cargo deny check\n"
+        "      - run: cargo audit\n"
     )
     (templates / "ci-python.yaml").write_text(
         "name: CI\njobs:\n  check:\n"
@@ -166,6 +167,7 @@ def compliant_rust_repo(tmp_path: Path, governance_repo: Path) -> Path:
         "      - run: cargo test\n"
         "      - run: cargo doc --no-deps\n"
         "      - run: cargo deny check\n"
+        "      - run: cargo audit\n"
     )
 
     return repo