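# cargo-deny configuration for cachekit security policy
# Enforces license compliance, vulnerability scanning, and dependency policy
# See: https://embarkstudios.github.io/cargo-deny/
#
# NOTE(review): the table headers and key names in this copy had been stripped,
# leaving invalid TOML. They were restored from the cargo-deny schema that the
# section comments describe (graph / advisories / licenses / bans / sources);
# confirm against the checked-in deny.toml before relying on this copy.

# ═══════════════════════════════════════════════════════════════
# GRAPH - Dependency Graph Configuration
# ═══════════════════════════════════════════════════════════════
[graph]
# Target platforms for cachekit (cross-platform library).
# Only dependencies that are reachable on these targets are checked, so a
# platform left out of this list is not scanned for advisories or licenses.
targets = [
    "x86_64-unknown-linux-gnu",
    "aarch64-unknown-linux-gnu",
    "x86_64-apple-darwin",
    "aarch64-apple-darwin",
    "x86_64-pc-windows-msvc",
]
# Use all features for comprehensive analysis (optional deps are included in the graph)
all-features = true

# ═══════════════════════════════════════════════════════════════
# ADVISORIES - Vulnerability Scanning (RustSec Database)
# ═══════════════════════════════════════════════════════════════
[advisories]
# Check all workspace crates for unmaintained dependencies
unmaintained = "workspace"
# Exemptions for advisories in transitive dependencies.
# Each entry should carry the RUSTSEC advisory id and the reason it does not
# apply here, and be re-evaluated whenever the affected dependency is updated.
ignore = []

# ═══════════════════════════════════════════════════════════════
# LICENSES - License Policy Enforcement
# ═══════════════════════════════════════════════════════════════
[licenses]
# High confidence threshold for license detection (0.0–1.0; lower values
# accept weaker matches against the SPDX text, raising the risk of a
# mis-identified license being allowed)
confidence-threshold = 0.8
# Allowed licenses (MIT/Apache-2.0/BSD-3-Clause compatible with cachekit MIT license)
allow = [
    "MIT",
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception", # LLVM runtime exception
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ISC",
    "Unicode-3.0", # Unicode License v3 (OSI approved, permissive)
    "CC0-1.0", # Public domain
    "MPL-2.0", # Mozilla Public License 2.0 (cbindgen build dependency)
    "BSL-1.0", # Boost Software License 1.0 (xxhash-rust)
]
# License exceptions for specific crates (use sparingly)
# Format: { allow = ["LICENSE"], crate = "crate-name" }
exceptions = []

# ═══════════════════════════════════════════════════════════════
# BANS - Dependency Policy Enforcement
# ═══════════════════════════════════════════════════════════════
[bans]
# Deny multiple versions of the same crate (reduces binary size, prevents subtle bugs)
multiple-versions = "deny"
# Deny wildcard dependencies (e.g., "serde = *")
wildcards = "deny"
# Highlight all duplicate versions for review
highlight = "all"
# Ban specific crates (use-instead provides alternative)
# Format: { crate = "name", reason = "explanation", use-instead = "alternative" }
deny = []
# Skip specific dependencies from multiple-version checks.
# These are transitive dependencies where version duplication is unavoidable.
# Entries are pinned to an exact version on purpose: when the transitive
# dependency moves, the skip stops matching and the duplicate is reported
# again, which forces the exemption to be reviewed rather than silently kept.
skip = [
    # bitflags 1.x via cbindgen → clap 3.x, bitflags 2.x via proptest/rustix
    { crate = "bitflags@1.3.2", reason = "Transitive via cbindgen build dep" },
    # getrandom 0.2.x via ring, getrandom 0.3.x via proptest/tempfile
    { crate = "getrandom@0.2.16", reason = "Transitive via ring crypto lib" },
    # syn 1.x via cbindgen, syn 2.x via derive macros
    { crate = "syn@1.0.109", reason = "Transitive via cbindgen build dep" },
]
# Skip crate trees entirely (e.g., frequently-updated foundational crates).
# Broader than `skip`: every crate under the named one is exempted, so prefer
# a single `skip` entry whenever one is enough.
# Format: { crate = "name", reason = "explanation" }
skip-tree = []

# ═══════════════════════════════════════════════════════════════
# SOURCES - Source Registry Policy
# ═══════════════════════════════════════════════════════════════
[sources]
# Deny unknown registry sources (prevent supply chain attacks)
unknown-registry = "deny"
# Deny unknown git sources (prevent malicious repos)
unknown-git = "deny"
# Only allow crates.io as the source registry
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
# No git dependencies allowed (use crates.io releases for stability)
allow-git = []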