cargo audit checks your project's dependencies for known security vulnerabilities. It works on your Cargo.lock file, but it can also scan compiled binaries. You can install cargo-audit and run it against your project with the following commands:
$ cargo install cargo-audit
$ cargo audit
What's new in this release
cargo audit now uses the sparse crates.io index when checking for yanked crates. This dramatically speeds up the scanning process because cargo audit no longer needs to download the entire crates.io index, which could take up to several minutes.
The sparse index is used by default if you are running Rust 1.70 or later, the same as in Cargo itself.
cargo audit honors Cargo's own settings for the sparse index, so if you need to opt out for any reason you can do so through the same configuration.
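The install-and-run commands above and the sparse-index opt-out are easiest to put to work from a small CI wrapper. The following Python script is an added example, not code from the cargo-audit project or from this post: it builds the cargo audit command line (the lockfile or a compiled binary via the bin subcommand), runs it with Cargo's registry-protocol setting applied through the environment, parses the JSON report and fails the pipeline when vulnerabilities (optionally warnings) are found. The --json, --file and --deny flags and the bin subcommand are real cargo-audit options; the report field names follow a cargo audit --json report as observed and are an assumption if your version differs, as is the claim that cargo audit picks up the CARGO_REGISTRIES_CRATES_IO_PROTOCOL variable rather than only the registries.crates-io.protocol key in .cargo/config.toml. The embedded sample report is constructed and its advisory ids are placeholders.

```python
"""CI gate around `cargo audit --json` (added example, not cargo-audit's own code)."""
import json
import os
import subprocess
import sys
from dataclasses import dataclass


@dataclass
class GateResult:
    dependency_count: int
    vulnerability_ids: list   # "RUSTSEC-... package@version" strings
    warning_counts: dict      # warning kind -> number of warnings of that kind
    passed: bool


def audit_command(lockfile=None, binary=None, deny_warnings=False):
    """Build the cargo audit argv. `cargo audit bin <path>` scans a compiled
    binary that embeds its dependency list; otherwise Cargo.lock (or the
    lockfile given with --file) is audited. --deny warnings makes warnings fatal."""
    cmd = ["cargo", "audit"]
    if binary is not None:
        cmd.append("bin")
    cmd.append("--json")
    if deny_warnings:
        cmd += ["--deny", "warnings"]
    if binary is None and lockfile is not None:
        cmd += ["--file", lockfile]
    if binary is not None:
        cmd.append(binary)
    return cmd


def audit_env(force_git_index=False):
    """Environment for the subprocess. cargo audit follows Cargo's registry
    protocol setting; forcing the legacy git index via Cargo's own
    CARGO_REGISTRIES_CRATES_IO_PROTOCOL variable is assumed to be honored here."""
    env = dict(os.environ)
    if force_git_index:
        env["CARGO_REGISTRIES_CRATES_IO_PROTOCOL"] = "git"
    return env


def evaluate_report(report_json, fail_on_warnings=False):
    """Turn a cargo audit --json report into a pass/fail decision."""
    report = json.loads(report_json)
    vulns = report.get("vulnerabilities", {})
    ids = []
    for entry in vulns.get("list", []):
        adv = entry.get("advisory", {})
        pkg = entry.get("package", {})
        ids.append(f'{adv.get("id", "?")} {pkg.get("name", "?")}@{pkg.get("version", "?")}')
    # warnings is keyed by kind (unmaintained, yanked, ...); drop empty kinds
    warning_counts = {kind: len(items) for kind, items in report.get("warnings", {}).items() if items}
    passed = not vulns.get("found", bool(ids))
    if fail_on_warnings and warning_counts:
        passed = False
    return GateResult(
        dependency_count=report.get("lockfile", {}).get("dependency-count", 0),
        vulnerability_ids=ids, warning_counts=warning_counts, passed=passed)


def run_gate(lockfile=None, binary=None, fail_on_warnings=False, force_git_index=False):
    """Run cargo audit and evaluate its report. A non-zero exit code alone means
    findings, not a broken run; a report that is not JSON does mean a broken run."""
    proc = subprocess.run(audit_command(lockfile, binary, fail_on_warnings),
                          env=audit_env(force_git_index), capture_output=True, text=True)
    if not proc.stdout.lstrip().startswith("{"):
        raise RuntimeError(f"cargo audit did not produce a JSON report:\n{proc.stderr}")
    return evaluate_report(proc.stdout, fail_on_warnings)


# Constructed sample reports (shape follows cargo audit --json; ids are placeholders).
SAMPLE_REPORT = json.dumps({
    "lockfile": {"dependency-count": 3},
    "vulnerabilities": {"found": True, "count": 1, "list": [{
        "advisory": {"id": "RUSTSEC-0000-0000", "package": "example-crate",
                     "title": "placeholder advisory (constructed)"},
        "versions": {"patched": [">=1.0.1"], "unaffected": []},
        "package": {"name": "example-crate", "version": "1.0.0"}}]},
    "warnings": {"unmaintained": [{"kind": "unmaintained",
                                   "package": {"name": "old-crate", "version": "0.2.0"},
                                   "advisory": {"id": "RUSTSEC-0000-0001"}}],
                 "yanked": []},
})
CLEAN_REPORT = json.dumps({"lockfile": {"dependency-count": 3},
                           "vulnerabilities": {"found": False, "count": 0, "list": []},
                           "warnings": {}})

if __name__ == "__main__":
    # `--sample` evaluates the constructed report offline; otherwise audit this project.
    result = (evaluate_report(SAMPLE_REPORT) if "--sample" in sys.argv
              else run_gate(fail_on_warnings="--strict" in sys.argv))
    print(f"{result.dependency_count} dependencies, {len(result.vulnerability_ids)} vulnerable")
    for line in result.vulnerability_ids:
        print("  ", line)
    for kind, n in result.warning_counts.items():
        print(f"   {n} {kind} warning(s)")
    sys.exit(0 if result.passed else 1)
```

Run it with --sample to see the gate decision on the constructed report, with --strict to also fail on warnings, and pass force_git_index=True to run_gate if the sparse index has to be avoided on a particular runner.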
In contrast to OpenSSL's history of high-severity vulnerabilities, rustls has a stellar track record and eliminates entire classes of vulnerabilities by construction. It has passed an independent audit with flying colors; the auditors even noted that they "had the rare pleasure of being impressed with the exceptional quality of the presented software".
Since TLS constitutes the vast majority of the attack surface of cargo audit, we are very excited to use a more secure TLS implementation!
- cargo audit can now run in Alpine Linux containers.
- Several instances of cargo audit running in parallel can now fetch Git repositories without issue.
- Accessing Git repositories over SSH is now supported.
- Credential helpers to access private repositories are now supported.
Limited CPU architecture support
CPU architectures other than x86 and ARM are not supported by this release. This is due to ring, the cryptographic library used by rustls, not supporting other CPU architectures yet.
rustls is in the process of adding support for other cryptographic libraries. We will consider adding support for another TLS implementation if no portable cryptographic library for rustls materializes in the near future.
In the meantime we recommend using the previous release on uncommon CPU architectures. You may also consider other tools that read Cargo.lock files and the RustSec advisory database, such as Trivy, osv-scanner or Dependabot.
cargo audit fix is not converted
The experimental subcommand cargo audit fix, which automatically upgrades vulnerable dependencies, has existed for a while but has been disabled by default. It has not been converted to use gitoxide and rustls in this release, and so has not benefited from any of these improvements.
We will likely rewrite this feature from the ground up before enabling it by default in subsequent releases.
Due to the sweeping changes to the libraries cargo audit relies on for the git protocol and networking, there are bound to be subtle differences in behavior compared to previous versions.
If you encounter issues with this latest release, please report them to us on GitHub. Thank you!