- Pin all GitHub Actions to specific commit SHAs for immutability
- Add cargo-audit job to CI pipeline for vulnerability scanning
- Create SECURITY.md with vulnerability reporting guidelines
- Add Dependabot configuration for automated dependency updates
- Weekly updates for both Cargo and GitHub Actions
- Grouped patch and minor updates for Cargo dependencies
- Update job dependencies to run security checks before integration tests
This improves the project's security posture by:
1. Preventing action hijacking through SHA pinning
2. Catching known vulnerabilities early with cargo-audit
3. Providing clear security reporting channels
4. Automating dependency updates to reduce security debt
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>