Rust Dependency Audit

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "rust-dependency-audit" with this command: npx skills add terrylica/cc-skills/terrylica-cc-skills-rust-dependency-audit

Rust Dependency Audit

Comprehensive dependency audit workflow using four complementary tools: freshness checking, vulnerability scanning, license/advisory compliance, and supply chain verification.

CRITICAL: Web-Verify Before Upgrade Decisions

Always check crates.io for latest versions before recommending upgrades. Static docs go stale; the crates.io API is ground truth.

Before upgrading a crate: Check what version is current and what it depends on

WebFetch: https://crates.io/api/v1/crates/{crate_name}
Prompt: "What is the latest version? List recent versions and their dependencies."

Before ignoring a vulnerability: Verify whether a patched version exists

WebSearch: "{advisory_id} {crate_name} fix patch"

Check compatibility chains: When crate A depends on crate B, verify both latest versions are compatible

WebFetch: https://crates.io/api/v1/crates/{crate_name}/{version}/dependencies
Prompt: "What version of {dependency} does this require?"

Fallback: Firecrawl scrape (if WebFetch fails — JS-heavy pages, rate limits, incomplete data):

curl -s -X POST http://172.25.236.1:3002/v1/scrape \
  -H "Content-Type: application/json" \
  -d '{"url": "https://crates.io/crates/{crate_name}", "formats": ["markdown"], "waitFor": 0}' \
  | jq -r '.data.markdown'

Requires ZeroTier connectivity. See /devops-tools:firecrawl-research-patterns for full API reference.
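The compatibility-chain check above is easy to get wrong by eye, because Cargo's requirement syntax (bare versions are carets, `0.x` carets pin the minor, wildcards and tildes differ) decides whether "latest B" is usable by "latest A". The following script is an added example written for this page, not part of the skill or of crates.io: it works on the JSON shapes the two endpoints above return, picks the newest non-yanked stable release, and reports whether the dependent's declared requirement admits it. The sample responses are constructed and abbreviated, and the assumption is that `versions[].num`, `versions[].yanked` and `dependencies[].crate_id`/`req` are the relevant fields.

```python
"""Added example: does the newest release of a dependency still satisfy the
requirement a dependent crate declares on it?  Works offline on constructed,
abbreviated crates.io responses (field names are an assumption)."""
import re

CRATE_A = {                      # constructed: GET /api/v1/crates/crate-a
    "versions": [
        {"num": "2.0.0-beta.1", "yanked": False},  # pre-release: not a stable upgrade
        {"num": "1.4.0", "yanked": True},          # yanked: never recommend it
        {"num": "1.3.2", "yanked": False},
        {"num": "1.3.1", "yanked": False},
    ],
}
CRATE_A_DEPS = {                 # constructed: GET /api/v1/crates/crate-a/1.3.2/dependencies
    "dependencies": [
        {"crate_id": "crate-b", "req": "^0.4.2", "kind": "normal"},
        {"crate_id": "crate-c", "req": ">=1.0, <1.5", "kind": "dev"},
    ],
}
CRATE_B = {                      # constructed: GET /api/v1/crates/crate-b
    "versions": [{"num": "0.5.0", "yanked": False}, {"num": "0.4.3", "yanked": False}],
}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")
_COMPARATOR = re.compile(r"^(\^|~|=|>=|>|<=|<)?\s*(\d+)(?:\.(\d+|\*))?(?:\.(\d+|\*))?$")


def parse_version(text):
    """'1.2.3-rc.1+build' -> (1, 2, 3, 'rc.1'); build metadata is ignored."""
    m = _VERSION.match(text)
    if not m:
        raise ValueError(f"not a semver version: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), pre)


def _comparator(text):
    """One Cargo comparator ('^1.2', '>=0.9', '1.*', '~1.2.3', ...) as a predicate
    over (major, minor, patch) tuples, following Cargo's documented rules."""
    text = text.strip()
    if text == "*":
        return lambda v: True
    m = _COMPARATOR.match(text)
    if not m:
        raise ValueError(f"unsupported requirement: {text!r}")
    op, a, b, c = m.groups()
    wildcard = "*" in (b, c)
    parts = [int(p) for p in (a, b, c) if p is not None and p != "*"]
    n = len(parts)                                   # components actually given
    major, minor, patch = (parts + [0, 0, 0])[:3]
    lo = (major, minor, patch)
    # first version above what a partial version like '1.2' denotes
    nxt = {3: (major, minor, patch + 1), 2: (major, minor + 1, 0), 1: (major + 1, 0, 0)}[n]
    if op is None and wildcard:                      # '1.*' / '1.2.*'
        return lambda v: lo <= v < nxt
    op = op or "^"                                   # bare '1.2.3' means '^1.2.3'
    if op == "^":                                    # caret: leftmost non-zero part is fixed
        if major > 0 or n == 1:
            hi = (major + 1, 0, 0)
        elif minor > 0 or n == 2:
            hi = (0, minor + 1, 0)
        else:
            hi = (0, 0, patch + 1)
        return lambda v: lo <= v < hi
    if op == "~":                                    # tilde: patch-level if minor given
        hi = (major, minor + 1, 0) if n >= 2 else nxt
        return lambda v: lo <= v < hi
    return {"=": lambda v: lo <= v < nxt, ">=": lambda v: v >= lo, ">": lambda v: v >= nxt,
            "<": lambda v: v < lo, "<=": lambda v: v < nxt}[op]


def req_matches(req, version):
    """True if `version` satisfies every comma-separated comparator in `req`."""
    v = parse_version(version)[:3]
    return all(_comparator(part)(v) for part in req.split(","))


def stable_versions(crate_json):
    """Non-yanked, non-prerelease versions of a crates.io response, newest first."""
    vs = [parse_version(e["num"]) for e in crate_json["versions"] if not e["yanked"]]
    return sorted(("%d.%d.%d" % v[:3] for v in vs if v[3] is None),
                  key=lambda s: parse_version(s)[:3], reverse=True)


def latest_stable(crate_json):
    vs = stable_versions(crate_json)
    return vs[0] if vs else None


def newest_satisfying(crate_json, req):
    """Newest stable release that still satisfies `req`, or None."""
    return next((v for v in stable_versions(crate_json) if req_matches(req, v)), None)


def check_chain(dependent_deps_json, dep_name, dep_crate_json):
    """Can `dep_name` go to its latest release without breaking the dependent's requirement?"""
    req = next(d["req"] for d in dependent_deps_json["dependencies"] if d["crate_id"] == dep_name)
    latest = latest_stable(dep_crate_json)
    return {"req": req, "latest": latest, "latest_ok": req_matches(req, latest),
            "newest_allowed": newest_satisfying(dep_crate_json, req)}


if __name__ == "__main__":
    print("crate-a latest stable:", latest_stable(CRATE_A))
    print("crate-a -> crate-b:", check_chain(CRATE_A_DEPS, "crate-b", CRATE_B))
```

On the constructed data the answer is "no": crate-b 0.5.0 falls outside `^0.4.2` (a `0.x` caret pins the minor), so the newest release the chain tolerates is 0.4.3, which is exactly the kind of detail a bare "latest version" lookup hides. Pre-release versions are excluded from the candidate set rather than compared, which is a deliberate simplification.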

When to Use

  • Before a release (full audit pipeline)

  • After cargo update (verify no new vulnerabilities)

  • CI pipeline setup (automated dependency checks)

  • License compliance review (open source projects)

  • Supply chain security assessment

Four-Tool Audit Workflow

Run in this order — each tool catches different issues:

1. Freshness — what's outdated?

cargo outdated

2. Vulnerabilities — any known CVEs?

cargo audit

3. Licenses + Advisories — compliance check

cargo deny check

4. Supply Chain — who audited these crates?

cargo vet

Quick Assessment

One-liner: run all four (stop on first failure)

cargo outdated && cargo audit && cargo deny check && cargo vet

Freshness: Finding Outdated Dependencies

Three tools for different needs:

| Tool | Install | Purpose | Best For |
|---|---|---|---|
| cargo-outdated | cargo install cargo-outdated | Full outdated report with compatible/latest versions | Comprehensive audit |
| cargo-upgrades | cargo install cargo-upgrades | Lightweight — only shows incompatible (breaking) updates | Quick check |
| cargo upgrade (cargo-edit) | cargo install cargo-edit | Actually updates Cargo.toml versions | Performing updates |

Show all outdated deps (compatible + incompatible)

cargo outdated --root-deps-only

Show only breaking updates needed

cargo upgrades

Actually update Cargo.toml (dry run first)

cargo upgrade --dry-run
cargo upgrade --incompatible

Nightly: native cargo support (experimental)

cargo +nightly update --breaking

Recommendation: Use cargo-upgrades for quick checks, cargo-outdated for full audits, cargo upgrade (cargo-edit) when ready to actually update.

See cargo-outdated reference.

Security: Vulnerability Scanning

cargo-audit (RUSTSEC Database)

Scan for known vulnerabilities

cargo audit

Auto-fix where possible (updates Cargo.lock)

cargo audit fix

Binary scanning (audit compiled binaries)

cargo audit bin ./target/release/my-binary

Custom config (ignore specific advisories)

Create audit.toml:

# audit.toml
[advisories]
ignore = [
    "RUSTSEC-YYYY-NNNN", # Reason for ignoring
]

See cargo-audit reference.
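An ignore entry in audit.toml is a decision that goes stale the day a patched release appears, which is why the section at the top insists on verifying the patch status before ignoring. The script below is an added example for this page, not cargo-audit's own code: it reads the report that `cargo audit --json` emits, applies an ignore list that carries a reason per advisory, and fails the run when an ignored advisory now lists a patched version. The report embedded here is a constructed, abbreviated stand-in with placeholder advisory ids, and the field layout (`vulnerabilities.list[].advisory` / `versions` / `package`, `warnings.unmaintained[]`) is an assumption about the real JSON.

```python
"""Added example (not cargo-audit's code): triage a `cargo audit --json` report against
an ignore list that records a reason per advisory.  SAMPLE_REPORT is constructed and
abbreviated; its field layout is an assumption about the real report format."""
import json
import sys

SAMPLE_REPORT = {  # constructed; RUSTSEC-0000-* ids are placeholders, not real advisories
    "vulnerabilities": {"found": True, "count": 3, "list": [
        {"advisory": {"id": "RUSTSEC-0000-0001", "package": "crate-one", "title": "constructed"},
         "versions": {"patched": [">=0.9.1"], "unaffected": []},
         "package": {"name": "crate-one", "version": "0.9.0"}},
        {"advisory": {"id": "RUSTSEC-0000-0002", "package": "crate-two", "title": "constructed"},
         "versions": {"patched": [], "unaffected": []},
         "package": {"name": "crate-two", "version": "1.2.0"}},
        {"advisory": {"id": "RUSTSEC-0000-0003", "package": "crate-three", "title": "constructed"},
         "versions": {"patched": [">=2.0.1"], "unaffected": []},
         "package": {"name": "crate-three", "version": "2.0.0"}},
    ]},
    "warnings": {"unmaintained": [
        {"advisory": {"id": "RUSTSEC-0000-0004", "package": "old-crate"},
         "package": {"name": "old-crate", "version": "0.1.0"}},
    ]},
}

# Mirrors `[advisories] ignore = [...]` from audit.toml, but keeps the reason with the id
IGNORED = {
    "RUSTSEC-0000-0002": "no patched release exists; crate only runs in an offline build step",
    "RUSTSEC-0000-0001": "added during a release freeze",  # a fix now exists: must be revisited
    "RUSTSEC-0000-0009": "advisory for a crate we no longer depend on",
}


def triage(report, ignored):
    """Bucket each finding.  An ignore is honoured only while no patched version is
    listed; an ignore whose advisory now has a patch is reported as stale and fails
    the run, so the ignore list cannot quietly outlive the reason it was written."""
    result = {"fail": [], "accepted": [], "stale_ignores": [], "unused_ignores": [],
              "unmaintained": [], "exit_code": 0}
    seen = set()
    for entry in report.get("vulnerabilities", {}).get("list", []):
        adv_id = entry["advisory"]["id"]
        seen.add(adv_id)
        item = {"id": adv_id,
                "package": f'{entry["package"]["name"]} {entry["package"]["version"]}',
                "patched": entry["versions"].get("patched", [])}
        if adv_id not in ignored:
            result["fail"].append(item)
            continue
        item["reason"] = ignored[adv_id]
        result["stale_ignores" if item["patched"] else "accepted"].append(item)
    for entry in report.get("warnings", {}).get("unmaintained", []):
        result["unmaintained"].append(entry["package"]["name"])
    result["unused_ignores"] = sorted(set(ignored) - seen)  # dead entries worth pruning
    result["exit_code"] = 1 if result["fail"] or result["stale_ignores"] else 0
    return result


def render(result):
    """Human-readable summary, one line per finding."""
    lines = []
    for item in result["fail"]:
        lines.append(f'FAIL   {item["id"]} in {item["package"]} (patched: {item["patched"] or "none"})')
    for item in result["stale_ignores"]:
        lines.append(f'STALE  {item["id"]} ignored ("{item["reason"]}") but patched: {item["patched"]}')
    for item in result["accepted"]:
        lines.append(f'OK     {item["id"]} ignored: {item["reason"]}')
    for name in result["unmaintained"]:
        lines.append(f"WARN   unmaintained dependency: {name}")
    for adv_id in result["unused_ignores"]:
        lines.append(f"NOTE   unused ignore entry: {adv_id}")
    return "\n".join(lines)


if __name__ == "__main__":
    # usage: cargo audit --json | python triage.py   (uses the sample when stdin is a terminal)
    report = SAMPLE_REPORT if sys.stdin.isatty() else json.load(sys.stdin)
    outcome = triage(report, IGNORED)
    print(render(outcome))
    sys.exit(outcome["exit_code"])
```

On the sample, RUSTSEC-0000-0003 fails outright, RUSTSEC-0000-0001 is flagged as a stale ignore because a patched range is now listed, RUSTSEC-0000-0002 stays accepted, and the unused RUSTSEC-0000-0009 entry is reported so the list does not accumulate dead weight. Keeping the reason next to the id is the point: a bare id in `ignore = [...]` tells the next reviewer nothing about when the exception should end.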

cargo-deny (Advisories + More)

cargo-deny's advisory check complements cargo-audit with additional sources:

Check advisories only

cargo deny check advisories

All checks (advisories + licenses + bans + sources)

cargo deny check

See the License section below for full cargo-deny configuration.

License: Compliance Checking

cargo-deny License Check

# deny.toml
[licenses]
allow = [
    "MIT",
    "Apache-2.0",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ISC",
    "Unicode-3.0",
]
confidence-threshold = 0.8

[[licenses.clarify]]
name = "ring"
expression = "MIT AND ISC AND OpenSSL"
license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]

Check licenses

cargo deny check licenses

Generate deny.toml template

cargo deny init

See cargo-deny reference.

Supply Chain: Audit Verification

cargo-vet (Mozilla)

cargo-vet tracks which crates have been audited and by whom:

Check supply chain status

cargo vet

Audit a specific crate (certify you've reviewed it)

cargo vet certify <crate> <version>

Import audits from trusted organizations

cargo vet trust --all mozilla
cargo vet trust --all google

See what needs auditing

cargo vet suggest

Key files:

  • supply-chain/audits.toml — Your audits

  • supply-chain/imports.lock — Imported audits

  • supply-chain/config.toml — Trusted sources

See cargo-vet reference.
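What makes cargo-vet different from the other three tools is that "audited" is a derived property: a version counts as certified for some criteria if it has a full audit, an exemption, or a delta audit whose starting version is itself certified, with `safe-to-deploy` implying `safe-to-run`. The script below is an added example written for this page, not cargo-vet's own code, and reproduces that reasoning over constructed data shaped like the `[[audits.<crate>]]` tables of supply-chain/audits.toml and the `[[exemptions.<crate>]]` tables of supply-chain/config.toml. The exact chaining and the "which version should a delta start from" rule are simplified assumptions; the locked crate list stands in for Cargo.lock.

```python
"""Added example (not cargo-vet's code): decide which locked crate versions are
certified, following full audits, exemptions and rooted delta-audit chains.  All data
is constructed; the table shapes mirror audits.toml / config.toml (an assumption)."""

# Shape of tomllib.loads(audits_toml_text)["audits"]  (constructed)
AUDITS = {
    "parser-crate": [
        {"who": "Reviewer One <one@example.invalid>", "criteria": "safe-to-deploy", "version": "1.0.0"},
        {"who": "Reviewer One <one@example.invalid>", "criteria": "safe-to-deploy", "delta": "1.0.0 -> 1.1.0"},
        {"who": "Reviewer Two <two@example.invalid>", "criteria": "safe-to-deploy", "delta": "1.1.0 -> 1.2.0"},
    ],
    "cli-helper": [
        {"who": "Reviewer Two <two@example.invalid>", "criteria": "safe-to-run", "version": "0.3.0"},
        # a delta audit whose starting point was never fully audited for safe-to-deploy:
        # the chain has no root, so it certifies nothing for that criteria
        {"who": "Reviewer Two <two@example.invalid>", "criteria": "safe-to-deploy", "delta": "0.2.0 -> 0.3.0"},
    ],
}
# Shape of tomllib.loads(config_toml_text)["exemptions"]  (constructed)
EXEMPTIONS = {"legacy-crate": [{"version": "2.5.1", "criteria": "safe-to-deploy"}]}
# Stand-in for the (name, version) pairs a Cargo.lock pins  (constructed)
LOCKED = [("parser-crate", "1.2.0"), ("parser-crate", "1.3.0"), ("cli-helper", "0.3.0"),
          ("legacy-crate", "2.5.1"), ("untouched", "0.1.0")]

# Built-in criteria: safe-to-deploy implies safe-to-run
IMPLIES = {"safe-to-deploy": {"safe-to-deploy", "safe-to-run"}, "safe-to-run": {"safe-to-run"}}


def _satisfies(entry_criteria, wanted):
    """`criteria` may be a string or a list in the TOML; honour implication."""
    crits = entry_criteria if isinstance(entry_criteria, list) else [entry_criteria]
    return any(wanted in IMPLIES.get(c, {c}) for c in crits)


def _vkey(version):
    return tuple(int(p) for p in version.split("."))


def certified_versions(crate, wanted, audits, exemptions):
    """Every version of `crate` meeting `wanted`: full audits and exemptions are roots,
    then delta audits are followed (in any order) from versions already reached."""
    entries = [e for e in audits.get(crate, []) if _satisfies(e["criteria"], wanted)]
    known = {e["version"] for e in entries if "version" in e}
    known |= {x["version"] for x in exemptions.get(crate, []) if _satisfies(x["criteria"], wanted)}
    deltas = [tuple(p.strip() for p in e["delta"].split("->")) for e in entries if "delta" in e]
    changed = True
    while changed:                      # fixed-point over the delta edges
        changed = False
        for src, dst in deltas:
            if src in known and dst not in known:
                known.add(dst)
                changed = True
    return known


def is_certified(crate, version, wanted, audits, exemptions):
    return version in certified_versions(crate, wanted, audits, exemptions)


def suggest(locked, wanted, audits, exemptions):
    """For each uncertified locked version, name the highest certified version below it
    as the base for a delta audit; None means a full audit is needed.  (Simplified
    stand-in for what `cargo vet suggest` reports.)"""
    out = []
    for crate, version in locked:
        certified = certified_versions(crate, wanted, audits, exemptions)
        if version in certified:
            continue
        lower = [v for v in certified if _vkey(v) < _vkey(version)]
        out.append({"crate": crate, "version": version,
                    "from": max(lower, key=_vkey) if lower else None})
    return out


if __name__ == "__main__":
    for row in suggest(LOCKED, "safe-to-deploy", AUDITS, EXEMPTIONS):
        base = f'delta from {row["from"]}' if row["from"] else "full audit needed"
        print(f'{row["crate"]} {row["version"]}: {base}')
```

To run it against a real repository on Python 3.11+, replace the constants with `tomllib.loads(open("supply-chain/audits.toml").read())["audits"]` and the corresponding `["exemptions"]` table from config.toml (imports.lock has the same audit shape and can be merged into the same dict). The cli-helper entry shows the failure mode worth knowing: a delta audit certifies nothing unless its starting version is itself certified for the same criteria.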

Unsafe Code: Dependency Safety Audit

cargo-geiger

cargo-geiger quantifies unsafe code usage across your entire dependency tree:

Quick check: which deps forbid unsafe? (fast, no compilation)

cargo geiger --forbid-only

Full audit: count unsafe blocks per crate

cargo geiger

Output as ratio (for CI/scripting)

cargo geiger --forbid-only --output-format ratio

Markdown report

cargo geiger --output-format markdown > unsafe-report.md

Key flags:

  • --forbid-only: Fast mode — only checks #![forbid(unsafe_code)] (no compilation)

  • --output-format: ratio, markdown, ascii, json

  • --all-features: Check with all features enabled

See cargo-geiger reference.

Combined CI Workflow (GitHub Actions)

name: Dependency Audit
on:
  pull_request:
  schedule:
    - cron: "0 6 * * 1" # Weekly Monday 6am

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable

      - name: cargo-audit
        run: |
          cargo install cargo-audit
          cargo audit

      - name: cargo-deny
        uses: EmbarkStudios/cargo-deny-action@v2

      - name: cargo-vet
        run: |
          cargo install cargo-vet
          cargo vet

      - name: cargo-geiger
        run: |
          cargo install cargo-geiger
          cargo geiger --forbid-only

      - name: cargo-outdated
        run: |
          cargo install cargo-outdated
          cargo outdated --root-deps-only --exit-code 1

Reference Documents

  • cargo-audit-guide.md — Vulnerability scanning

  • cargo-deny-guide.md — License + advisory compliance

  • cargo-outdated-guide.md — Freshness + alternatives

  • cargo-vet-guide.md — Supply chain audit

  • cargo-geiger-guide.md — Unsafe code quantification

Troubleshooting

| Problem | Solution |
|---|---|
| cargo audit stale database | Run cargo audit fetch to update RUSTSEC DB |
| cargo deny false positive license | Add [[licenses.clarify]] entry in deny.toml |
| cargo vet too many unaudited | Import trusted org audits: cargo vet trust --all mozilla |
| cargo outdated shows yanked | Run cargo update first to refresh Cargo.lock |
| Private registry crates | Configure [sources] in deny.toml for private registries |
| Workspace vs single crate | Most tools support --workspace flag |

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
