Automic VaultAutomic Vault

brew

Install cargo-audit with Homebrew, apk, Nix, pacman, zypper

Audit Cargo.lock files for crates with security vulnerabilities. Version 0.22.2 via Homebrew; verified 2026-06-05.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install cargo-audit

local Homebrew formula metadata

Linux

Alpine Linux apkverified · 92%
sudo apk add cargo-audit

Alpine Linux edge package indexes · cargo-audit · source: dl-cdn.alpinelinux.org

Nixverified · 92%
nix profile install nixpkgs#cargo-audit

nixpkgs package indexes · pkgs/by-name/ca/cargo-audit/package.nix · source: api.github.com

Arch Linux pacmanverified · 92%
sudo pacman -S cargo-audit

Arch Linux sync databases · cargo-audit · source: geo.mirror.pkgbuild.com

openSUSE zypperverified · 92%
sudo zypper install cargo-audit

openSUSE Tumbleweed package metadata · cargo-audit · source: download.opensuse.org

overview

Package summary

Audit Cargo.lock files for crates with security vulnerabilities

Commands and aliases

  • cargo-audit

history

Project history and usage

cargo-audit is the canonical RustSec command-line tool for scanning Cargo.lock files against the RustSec Advisory Database. It is one of the Rust ecosystem's best-known supply-chain security utilities because it connects ordinary Cargo projects to a community-maintained vulnerability database.

Project history

The RustSec repository was created in February 2017 as RustSec API and tooling. cargo-audit became the user-facing Cargo subcommand for checking project lockfiles against advisories published in the RustSec Advisory Database.

The official RustSec site describes RustSec as a vulnerability database for Rust crates published through crates.io and lists cargo-audit as the get-started tool for auditing Cargo.lock files. The cargo-audit README documents lockfile auditing, advisory ignores, CI usage, an experimental fix command, and binary auditing.

Adoption history

cargo-audit became a standard safety check in Rust projects because it fits Cargo's workflow: install the subcommand, run it at the top level of a project, and fail CI when a dependency matches an advisory.

Distribution adoption is broad. The supplied Homebrew facts list Alpine, Homebrew, Nix, Arch Linux, and openSUSE packages, and the upstream README explicitly documents installation through Alpine, Arch Linux, Homebrew, and OpenBSD in addition to `cargo install`.

How it is used

The common usage is `cargo audit` in a project containing Cargo.lock. The tool reports advisories from the RustSec database and can be wired into CI systems; the README includes examples for Travis CI and points GitHub Actions users to the RustSec audit-check action.

cargo-audit also has a binary-auditing path. The README documents `cargo audit bin`, noting that binaries built with cargo-auditable can be audited accurately because their dependency lists are embedded in the executable.

Why package nerds care

cargo-audit is package-nerd significant because it made Rust vulnerability metadata operational at package-install and CI time. For Rust projects, Cargo.lock is the exact package graph, and cargo-audit turns that graph into a security boundary.

It also helped normalize advisory-driven package hygiene in Rust. Instead of treating vulnerability feeds as external enterprise tooling, cargo-audit made them part of the everyday Cargo subcommand culture.

Timeline

  • 2017: rustsec/rustsec repository created on GitHub.
  • 2021: GitHub releases include cargo-audit/v0.16.0 under the rustsec repository release scheme.
  • 2026: RustSec site continues to list cargo-audit as primary tooling for Cargo.lock vulnerability auditing.

Related projects

  • cargo-audit is tied directly to the RustSec Advisory Database and the RustSec advisory-db repository where vulnerabilities are reported.
  • Related tools include cargo-auditable for binary dependency embedding, audit-check for GitHub Actions, cargo-deny for broader dependency policy checks, and reachsec as an experimental reachability companion mentioned by the cargo-audit README.

security posture

Risk level: green

narrow executable package without higher-risk signals.

Risk classifier

green risk · low confidence · appliance

Why

  • narrow executable package without higher-risk signals

Signals

  • metadata:no-higher-risk-signals

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

executables

Installed executables

CommandKindExposureNote
cargo-auditcliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version0.22.2
manager updated2026-06-05
local dataok
upstreamcurrent
latest detectedcargo-audit/v0.22.2

https://github.com/rustsec/rustsec

  • okNo freshness warnings were generated.

install metadata

Package metadata

Package keybrew:cargo-audit
Version0.22.2
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/cargo-audit
Homepagehttps://rustsec.org/
Repositoryhttps://github.com/rustsec/rustsec
Upstream docshttps://github.com/rustsec/rustsec/tree/main/cargo-audit#readme
LicenseApache-2.0 OR MIT
Source archivehttps://github.com/rustsec/rustsec/archive/refs/tags/cargo-audit/v0.22.2.tar.gz
Last updated2026-06-05T15:11:00Z
Pulseupdated
Build dependenciesrust
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namecargo-audit
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

cargo-audit

nix profile install nixpkgs#cargo-audit
  • normalized package name match
  • Matched by: Cargo Audit
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/ca/cargo-audit/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
apk95%

cargo-audit 0.22.1-r0

Audit Cargo.lock for crates with security vulnerabilities

https://github.com/RustSec/rustsec

sudo apk add cargo-audit
  • License: MIT OR Apache-2.0
  • Architecture: x86_64
  • Source Package: cargo-audit
  • 1 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Cargo Audit
Alpine Linux edge package indexes · dl-cdn.alpinelinux.org · Alpine Linux edge package indexes: cargo-audit from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
apk95%

cargo-audit-doc 0.22.1-r0

Audit Cargo.lock for crates with security vulnerabilities (documentation)

https://github.com/RustSec/rustsec

sudo apk add cargo-audit-doc
  • License: MIT OR Apache-2.0
  • Architecture: x86_64
  • Source Package: cargo-audit
  • normalized package name match
  • Matched by: Cargo Audit
Alpine Linux edge package indexes · dl-cdn.alpinelinux.org · Alpine Linux edge package indexes: cargo-audit-doc from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
pacman95%

cargo-audit 0.22.2-1

Audit Cargo.lock for crates with security vulnerabilities

https://github.com/RustSec/cargo-audit

sudo pacman -S cargo-audit
  • License: Apache-2.0 AND MIT
  • Architecture: x86_64
  • 3 dependencies
  • normalized package name match
  • Matched by: Cargo Audit
Arch Linux sync databases · geo.mirror.pkgbuild.com · Arch Linux sync databases: cargo-audit from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz
zypper95%

cargo-audit 0.22.1~git0.efcde93-2.4

Audit rust sources for known security vulnerabilities

https://github.com/RustSec/cargo-audit

sudo zypper install cargo-audit
  • License: ( 0BSD OR MIT OR Apache-2.0 ) AND ( Apache-2.0 OR BSL-1.0 ) AND ( Apache-2.0 OR MIT ) AND ( MIT OR Zlib OR Apache-2.0 ) AND ( Unlicense OR MIT ) AND ( Zlib OR
  • Category: Development/Languages/Rust
  • Architecture: x86_64
  • Source Package: cargo-audit
  • 3 dependencies
  • 2 provides
  • normalized package name match
  • Matched by: Cargo Audit
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: cargo-audit from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment