Add CI workflow for dependency vulnerability scanning

## Summary

The project currently has no CI check for known vulnerabilities (CVEs) in dependencies. `cargo-deny` is already installed in CI for license checking, but `cargo deny check advisories` is not run.

## Proposal

1. **Add `cargo deny check advisories` to the existing `check_license_and_formatting` workflow** — catches vulnerabilities on every PR.
2. **Add a scheduled `audit.yml` workflow** (e.g. weekly cron) — catches newly disclosed CVEs against existing dependencies on `main`.
3. **Add an `[advisories]` section to `deny.toml`** to configure severity thresholds.

## Context

- `cargo-deny@0.14.22` is already pinned in CI for license checks
- `Cargo.lock` is now committed (after #478), so `cargo deny check advisories` / `cargo audit` will work correctly
- A recent audit found 1 vulnerability (RUSTSEC-2026-0066 in `astral-tokio-tar`) and 1 unmaintained crate warning (`rustls-pemfile`), both resolved by upgrading `testcontainers` to 0.27.2

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add CI workflow for dependency vulnerability scanning #480

Summary

Proposal

Context

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Add CI workflow for dependency vulnerability scanning #480

Description

Summary

Proposal

Context

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions