Skills
skills/terrylica/cc-skills/rust-dependency-audit

rust-dependency-audit

SKILL.md

Rust Dependency Audit

Comprehensive dependency audit workflow using four complementary tools: freshness checking, vulnerability scanning, license/advisory compliance, and supply chain verification.

CRITICAL: Web-Verify Before Upgrade Decisions

Always check crates.io for latest versions before recommending upgrades. Static docs go stale; the crates.io API is ground truth.

  1. Before upgrading a crate: Check what version is current and what it depends on

    WebFetch: https://crates.io/api/v1/crates/{crate_name}
Prompt: "What is the latest version? List recent versions and their dependencies."

  2. Before ignoring a vulnerability: Verify whether a patched version exists

    WebSearch: "{advisory_id} {crate_name} fix patch"

  3. Check compatibility chains: When crate A depends on crate B, verify both latest versions are compatible

    WebFetch: https://crates.io/api/v1/crates/{crate_name}/{version}/dependencies
Prompt: "What version of {dependency} does this require?"

  4. Fallback: Firecrawl scrape (if WebFetch fails — JS-heavy pages, rate limits, incomplete data):

    curl -s -X POST http://172.25.236.1:3002/v1/scrape \
  -H "Content-Type: application/json" \
  -d '{"url": "https://crates.io/crates/{crate_name}", "formats": ["markdown"], "waitFor": 0}' \
  | jq -r '.data.markdown'

    Requires ZeroTier connectivity. See /devops-tools:firecrawl-research-patterns for full API reference.

When to Use

  • Before a release (full audit pipeline)
  • After cargo update (verify no new vulnerabilities)
  • CI pipeline setup (automated dependency checks)
  • License compliance review (open source projects)
  • Supply chain security assessment

Four-Tool Audit Workflow

Run in this order — each tool catches different issues:

# 1. Freshness — what's outdated?
cargo outdated

# 2. Vulnerabilities — any known CVEs?
cargo audit

# 3. Licenses + Advisories — compliance check
cargo deny check

# 4. Supply Chain — who audited these crates?
cargo vet

Quick Assessment

# One-liner: run all four (stop on first failure)
cargo outdated && cargo audit && cargo deny check && cargo vet

Freshness: Finding Outdated Dependencies

Three tools for different needs:

Tool Install Purpose Best For
cargo-outdated cargo install cargo-outdated Full outdated report with compatible/latest versions Comprehensive audit
cargo-upgrades cargo install cargo-upgrades Lightweight — only shows incompatible (breaking) updates Quick check
cargo upgrade (cargo-edit) cargo install cargo-edit Actually updates Cargo.toml versions Performing updates 
# Show all outdated deps (compatible + incompatible)
cargo outdated --root-deps-only

# Show only breaking updates needed
cargo upgrades

# Actually update Cargo.toml (dry run first)
cargo upgrade --dry-run
cargo upgrade --incompatible

# Nightly: native cargo support (experimental)
cargo +nightly update --breaking

Recommendation: Use cargo-upgrades for quick checks, cargo-outdated for full audits, cargo upgrade (cargo-edit) when ready to actually update.

See cargo-outdated reference.

Security: Vulnerability Scanning

cargo-audit (RUSTSEC Database)

# Scan for known vulnerabilities
cargo audit

# Auto-fix where possible (updates Cargo.lock)
cargo audit fix

# Binary scanning (audit compiled binaries)
cargo audit bin ./target/release/my-binary

# Custom config (ignore specific advisories)
# Create audit.toml:

# audit.toml
[advisories]
ignore = [
    "RUSTSEC-YYYY-NNNN",  # Reason for ignoring
]

See cargo-audit reference.

cargo-deny (Advisories + More)

cargo-deny's advisory check complements cargo-audit with additional sources:

# Check advisories only
cargo deny check advisories

# All checks (advisories + licenses + bans + sources)
cargo deny check

See the License section below for full cargo-deny configuration.

License: Compliance Checking

cargo-deny License Check

# deny.toml
[licenses]
allow = [
    "MIT",
    "Apache-2.0",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ISC",
    "Unicode-3.0",
]
confidence-threshold = 0.8

[[licenses.clarify]]
name = "ring"
expression = "MIT AND ISC AND OpenSSL"
license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]

# Check licenses
cargo deny check licenses

# Generate deny.toml template
cargo deny init

See cargo-deny reference.

Supply Chain: Audit Verification

cargo-vet (Mozilla)

cargo-vet tracks which crates have been audited and by whom:

# Check supply chain status
cargo vet

# Audit a specific crate (certify you've reviewed it)
cargo vet certify <crate> <version>

# Import audits from trusted organizations
cargo vet trust --all mozilla
cargo vet trust --all google

# See what needs auditing
cargo vet suggest

Key files:

  • supply-chain/audits.toml — Your audits
  • supply-chain/imports.lock — Imported audits
  • supply-chain/config.toml — Trusted sources

See cargo-vet reference.

Unsafe Code: Dependency Safety Audit

cargo-geiger

cargo-geiger quantifies unsafe code usage across your entire dependency tree:

# Quick check: which deps forbid unsafe? (fast, no compilation)
cargo geiger --forbid-only

# Full audit: count unsafe blocks per crate
cargo geiger

# Output as ratio (for CI/scripting)
cargo geiger --forbid-only --output-format ratio

# Markdown report
cargo geiger --output-format markdown > unsafe-report.md

Key flags:

  • --forbid-only: Fast mode — only checks #![forbid(unsafe_code)] (no compilation)
  • --output-format: ratio, markdown, ascii, json
  • --all-features: Check with all features enabled

See cargo-geiger reference.

Combined CI Workflow (GitHub Actions)

name: Dependency Audit
on:
  pull_request:
  schedule:
    - cron: "0 6 * * 1" # Weekly Monday 6am

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable

      - name: cargo-audit
        run: |
          cargo install cargo-audit
          cargo audit

      - name: cargo-deny
        uses: EmbarkStudios/cargo-deny-action@v2

      - name: cargo-vet
        run: |
          cargo install cargo-vet
          cargo vet

      - name: cargo-geiger
        run: |
          cargo install cargo-geiger
          cargo geiger --forbid-only

      - name: cargo-outdated
        run: |
          cargo install cargo-outdated
          cargo outdated --root-deps-only --exit-code 1

Reference Documents

Troubleshooting

Problem Solution
cargo audit stale database Run cargo audit fetch to update RUSTSEC DB
cargo deny false positive license Add [[licenses.clarify]] entry in deny.toml
cargo vet too many unaudited Import trusted org audits: cargo vet trust --all mozilla
cargo outdated shows yanked Run cargo update first to refresh Cargo.lock
Private registry crates Configure [sources] in deny.toml for private registries
Workspace vs single crate Most tools support --workspace flag
Weekly Installs
3
Repository
terrylica/cc-skills
GitHub Stars
19
First Seen
11 days ago
Security Audits
Gen Agent Trust HubPass
SocketPass
SnykWarn
Installed on
opencode3
claude-code3
github-copilot3
codex3
kimi-cli3
gemini-cli3