cargo-safe-audit 0.1.0

A safe cargo subcommand that audits Cargo.lock for known vulnerabilities without executing any project code
> **Disclaimer:** If you didn't see my profile description: I am a biologist. I have some computer science background, but not coding. I am publishing some cargo crates and other little repos to (hopefully) meaningfully contribute to open-source projects (tactfully, I hope) and Rust in general with any extra Claude credits I have available. I am trying to ensure that any contributions I make are actually helpful, so any criticism or feedback of my approach would be greatly appreciated.

# cargo-safe-audit

A cargo subcommand that audits your `Cargo.lock` for known vulnerabilities **without executing any project code**.

## Why?

Tools like `cargo-audit` may invoke Cargo internals, which can trigger `build.rs` scripts or proc macros from the project being audited. When auditing untrusted codebases, this is a security risk.

`cargo-safe-audit` takes a different approach:
- Reads `Cargo.lock` directly as TOML -- no cargo invocation
- Clones the [RustSec advisory-db](https://github.com/rustsec/advisory-db) independently
- Cross-references package names and versions against known advisories
- Uses `semver` for proper version range matching

**It never shells out to `cargo`, never runs `build.rs`, and never executes any code from the project being audited.**

## Installation

```bash
cargo install cargo-safe-audit
```

## Usage

```bash
# Audit the Cargo.lock in the current directory
cargo safe-audit

# Audit a specific lockfile
cargo safe-audit --lockfile path/to/Cargo.lock

# Use a local copy of the advisory database
cargo safe-audit --db-path /path/to/advisory-db

# Skip fetching/updating the advisory database
cargo safe-audit --no-fetch
```

## Exit Codes

| Code | Meaning |
|------|---------|
| 0 | No vulnerabilities found |
| 1 | Vulnerabilities found |
| 2 | Error (missing lockfile, git failure, etc.) |

## How It Works

1. Parses `Cargo.lock` (TOML format) to extract all package names and versions
2. Clones or updates the RustSec advisory-db to `~/.cache/cargo-safe-audit/advisory-db/`
3. Parses advisory files (`.md` files with TOML frontmatter) from the database
4. Matches advisories against lockfile packages by name and semver version range
5. Reports findings with advisory IDs, affected versions, and patched versions

## License

Licensed under either of:

- Apache License, Version 2.0 ([LICENSE-APACHE](LICENSE-APACHE) or <http://www.apache.org/licenses/LICENSE-2.0>)
- MIT License ([LICENSE-MIT](LICENSE-MIT) or <http://opensource.org/licenses/MIT>)

at your option.