macOS
brew install cargo-auditlocal Homebrew formula metadata
brew
Audit Cargo.lock files for crates with security vulnerabilities. Version 0.22.2 via Homebrew; verified 2026-06-05.
install
brew install cargo-auditlocal Homebrew formula metadata
sudo apk add cargo-auditAlpine Linux edge package indexes · cargo-audit · source: dl-cdn.alpinelinux.org
nix profile install nixpkgs#cargo-auditnixpkgs package indexes · pkgs/by-name/ca/cargo-audit/package.nix · source: api.github.com
sudo pacman -S cargo-auditArch Linux sync databases · cargo-audit · source: geo.mirror.pkgbuild.com
sudo zypper install cargo-auditopenSUSE Tumbleweed package metadata · cargo-audit · source: download.opensuse.org
overview
Audit Cargo.lock files for crates with security vulnerabilities
history
cargo-audit is the canonical RustSec command-line tool for scanning Cargo.lock files against the RustSec Advisory Database. It is one of the Rust ecosystem's best-known supply-chain security utilities because it connects ordinary Cargo projects to a community-maintained vulnerability database.
The RustSec repository was created in February 2017 as RustSec API and tooling. cargo-audit became the user-facing Cargo subcommand for checking project lockfiles against advisories published in the RustSec Advisory Database.
The official RustSec site describes RustSec as a vulnerability database for Rust crates published through crates.io and lists cargo-audit as the get-started tool for auditing Cargo.lock files. The cargo-audit README documents lockfile auditing, advisory ignores, CI usage, an experimental fix command, and binary auditing.
cargo-audit became a standard safety check in Rust projects because it fits Cargo's workflow: install the subcommand, run it at the top level of a project, and fail CI when a dependency matches an advisory.
Distribution adoption is broad. The supplied Homebrew facts list Alpine, Homebrew, Nix, Arch Linux, and openSUSE packages, and the upstream README explicitly documents installation through Alpine, Arch Linux, Homebrew, and OpenBSD in addition to `cargo install`.
The common usage is `cargo audit` in a project containing Cargo.lock. The tool reports advisories from the RustSec database and can be wired into CI systems; the README includes examples for Travis CI and points GitHub Actions users to the RustSec audit-check action.
cargo-audit also has a binary-auditing path. The README documents `cargo audit bin`, noting that binaries built with cargo-auditable can be audited accurately because their dependency lists are embedded in the executable.
cargo-audit is package-nerd significant because it made Rust vulnerability metadata operational at package-install and CI time. For Rust projects, Cargo.lock is the exact package graph, and cargo-audit turns that graph into a security boundary.
It also helped normalize advisory-driven package hygiene in Rust. Instead of treating vulnerability feeds as external enterprise tooling, cargo-audit made them part of the everyday Cargo subcommand culture.
security posture
narrow executable package without higher-risk signals.
green risk · low confidence · appliance
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
executables
| Command | Kind | Exposure | Note |
|---|---|---|---|
cargo-audit | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/rustsec/rustsec
install metadata
| Package key | brew:cargo-audit |
|---|---|
| Version | 0.22.2 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/cargo-audit |
| Homepage | https://rustsec.org/ |
| Repository | https://github.com/rustsec/rustsec |
| Upstream docs | https://github.com/rustsec/rustsec/tree/main/cargo-audit#readme |
| License | Apache-2.0 OR MIT |
| Source archive | https://github.com/rustsec/rustsec/archive/refs/tags/cargo-audit/v0.22.2.tar.gz |
| Last updated | 2026-06-05T15:11:00Z |
| Pulse | updated |
| Build dependencies | rust |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | cargo-audit |
| Version Scheme | 0 |
| Revision | 0 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
cargo-audit
nix profile install nixpkgs#cargo-auditcargo-audit 0.22.1-r0
Audit Cargo.lock for crates with security vulnerabilities
https://github.com/RustSec/rustsec
sudo apk add cargo-auditcargo-audit-doc 0.22.1-r0
Audit Cargo.lock for crates with security vulnerabilities (documentation)
https://github.com/RustSec/rustsec
sudo apk add cargo-audit-doccargo-audit 0.22.2-1
Audit Cargo.lock for crates with security vulnerabilities
https://github.com/RustSec/cargo-audit
sudo pacman -S cargo-auditcargo-audit 0.22.1~git0.efcde93-2.4
Audit rust sources for known security vulnerabilities
https://github.com/RustSec/cargo-audit
sudo zypper install cargo-auditsource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.