RustSec: cargo audit
Audit Cargo.lock files for crates with security vulnerabilities reported to the
RustSec Advisory Database.
Requirements
cargo audit requires Rust 1.52 or later.
Installation
cargo audit is a Cargo subcommand and can be installed with cargo install:
$ cargo install cargo-audit
Once installed, run cargo audit at the top level of any Cargo project. The tool audits Cargo.lock, not Cargo.toml, so the project needs a lockfile; if there is none yet, generate it with cargo generate-lockfile first.
Alpine Linux
# apk add cargo-audit
Arch Linux
# pacman -S cargo-audit
macOS
$ brew install cargo-audit
OpenBSD
# pkg_add cargo-audit
cargo audit fix subcommand
This tool supports an experimental feature to automatically update Cargo.toml
to fix vulnerable dependency requirements.
To enable it, install cargo audit with the fix feature enabled:
$ cargo install cargo-audit --features=fix
Once installed, run cargo audit fix to automatically fix vulnerable
dependency requirements:
$ cargo audit fix
This will modify Cargo.toml in place, so review the resulting diff before
committing it. To perform a dry run instead, which shows a preview of what
dependencies would be upgraded without touching Cargo.toml, run
cargo audit fix --dry-run.
Using cargo audit on Travis CI
To automatically run cargo audit on every build in Travis CI, you can add the following to your .travis.yml:
language: rust
cache: cargo # cache cargo-audit once installed
before_script:
- cargo install --force cargo-audit # --force reinstalls so the cached binary is kept current
- cargo generate-lockfile # cargo audit reads Cargo.lock, so create one if the repo does not commit it
script:
- cargo audit
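The same pattern as the Travis job above, wrapped as a reusable CI gate. This is an added example and not code from the cargo-audit project: it generates Cargo.lock when the project has none, then runs cargo audit with --deny warnings so unmaintained or yanked crates fail the build too, and converts a reviewed allowlist of accepted-risk advisory IDs into --ignore flags. The flags --deny, --ignore and --file are real cargo audit options; the allowlist file name audit-ignore.txt, the function names and the RUSTSEC-0000-000N placeholder IDs in the comments are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of cargo-audit: a CI gate around `cargo audit`.
# Assumed layout: an allowlist file (e.g. audit-ignore.txt) listing
# accepted-risk advisory IDs, one per line, with `#` comments allowed, such as
#   # placeholder ID, tracked in ticket 123
#   RUSTSEC-0000-0001
set -u

# Turn an allowlist file into `--ignore ID` arguments on one line.
# Blank lines and `#` comments are skipped. Any other line that is not a
# well-formed RUSTSEC ID makes the function return 1, so a typo in the
# allowlist cannot silently widen the set of ignored advisories.
ignore_flags() {
    flags=""
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        # strip comment, then leading/trailing whitespace
        id=$(printf '%s' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$id" ] && continue
        case "$id" in
            RUSTSEC-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9])
                flags="$flags --ignore $id" ;;
            *)
                printf 'malformed advisory id in allowlist: %s\n' "$id" >&2
                status=1 ;;
        esac
    done < "$1"
    printf '%s\n' "${flags# }"
    return $status
}

# Audit the Cargo.lock of project directory $1, generating the lockfile if it
# is absent (cargo audit inspects Cargo.lock, not Cargo.toml). Advisories
# listed in allowlist file $2 are passed as --ignore; everything else,
# including warnings such as unmaintained or yanked crates, fails the build.
audit_gate() {
    project="$1"
    allowlist="$2"
    if [ ! -f "$project/Cargo.lock" ]; then
        (cd "$project" && cargo generate-lockfile) || return 1
    fi
    extra=$(ignore_flags "$allowlist") || return 1
    # $extra is deliberately unquoted so it splits into separate flags
    cargo audit --deny warnings --file "$project/Cargo.lock" $extra
}

# Usage: sh audit-gate.sh <project-dir> [allowlist-file]
# Only runs when invoked with arguments, so the file can also be sourced.
if [ -n "${1:-}" ]; then
    audit_gate "$1" "${2:-/dev/null}"
fi
```

Keep the allowlist under code review like any other change: each entry should carry a comment naming who accepted the risk and why, and the gate rejects the whole file rather than guessing when an entry does not look like an advisory ID.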
Using cargo audit on GitHub Actions
On GitHub Actions, use the audit-check action directly instead of installing cargo audit in a workflow step.
Reporting Vulnerabilities
To report a vulnerability in a crate (that is, to request a new advisory), open a pull request against the RustSec Advisory Database GitHub repository.
License
Licensed under either of:
- Apache License, Version 2.0 (LICENSE-APACHE or https://www.apache.org/licenses/LICENSE-2.0)
- MIT license (LICENSE-MIT or https://opensource.org/licenses/MIT)
at your option.
Contribution
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you shall be dual licensed as above, without any additional terms or conditions.