dev-security 0.1.0

Security auditing for Rust. Wraps cargo-audit and cargo-deny. Vulnerability scanning, license compliance, banned-crate policies. Part of the dev-* verification suite.

What it does

dev-security wraps two best-in-class Rust security tools and emits their results as a dev-report::Report:

  • cargo-audit checks the crates pinned in Cargo.lock against the RustSec advisory database for known vulnerabilities; advisories also flag unmaintained and yanked crates.
  • cargo-deny enforces policy: allowed/banned licenses, allowed/banned crates, allowed/banned sources (registries and git remotes), and detection of multiple versions of the same crate in the tree.

Together they cover the audit surface most production Rust projects care about.
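The policy side is driven entirely by cargo-deny's deny.toml. The following is an added example of such a file, written for this page and not part of dev-security or cargo-deny's own templates; it assumes the configuration format of cargo-deny 0.14 or later (where `crate = "..."` entries and the `version = 2` schema are used) and the crate names in the ban list are illustrative. Each section corresponds to one of the policies listed above.

```toml
# deny.toml (example, cargo-deny 0.14+ format)

[advisories]
version = 2
# Refuse crates that crates.io has yanked, not only ones with advisories.
yanked = "deny"
# Advisory IDs to ignore go here, each with a dated justification.
ignore = []

[licenses]
version = 2
# Only these SPDX identifiers are acceptable; anything else fails the check.
allow = ["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"]
# How sure cargo-deny must be when inferring a licence from a LICENSE file.
confidence-threshold = 0.8

[bans]
# Two versions of one crate usually means a transitive update was missed.
multiple-versions = "warn"
# Wildcard version requirements ("*") make builds non-reproducible.
wildcards = "deny"
deny = [
    # Illustrative entry: ban a crate that has been superseded in this tree.
    { crate = "openssl", reason = "use rustls; no system OpenSSL in this build" },
]

[sources]
# Any registry or git remote not listed below is a policy failure.
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
allow-git = []
```

Run `cargo deny check` in the crate root to evaluate it; `cargo deny init` generates a fully commented template to start from. The `[sources]` section is the one most often left out and is the cheapest supply-chain control here: it stops a stray `git = "..."` or alternative-registry dependency from entering the lockfile unnoticed.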

Quick start

Add the crate to Cargo.toml:

[dependencies]
dev-security = "0.9"

Then run an audit and act on the report:

use dev_security::{AuditRun, AuditScope};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Audit this crate's dependency tree with both tools (see Scopes below).
    let run = AuditRun::new("my-crate", "0.1.0").scope(AuditScope::All);
    let result = run.execute()?;
    let report = result.into_report();

    if report.failed() {
        eprintln!("Security audit failed: {}", report.to_json()?);
        // A printed warning alone does not block a CI pipeline; exit non-zero.
        std::process::exit(1);
    }
    Ok(())
}

Requirements

cargo install cargo-audit cargo-deny

Both binaries must be on PATH when the audit runs. Note that cargo-audit fetches the RustSec advisory database (by default into ~/.cargo/advisory-db) on first use, so the machine running the audit needs network access or a pre-synced copy, and cargo-deny reads its policy from a deny.toml in the crate root (`cargo deny init` generates a starting template).

Scopes

Scope            What it runs
Vulnerabilities  cargo-audit only (RustSec advisory DB).
Policy           cargo-deny only (licenses, banned crates, sources).
All              Both cargo-audit and cargo-deny.

The dev-* suite

See dev-tools for the full suite.

Status

v0.9.0 is the foundation release: the API shape is defined, but the subprocess integration that invokes cargo-audit and cargo-deny lands in 0.9.1, so 0.9.0 does not yet run either tool. Production use is discouraged until 1.0.

Minimum supported Rust version

1.85 — pinned in Cargo.toml and verified by CI.

License

Apache-2.0. See LICENSE.