# Install cargo-audit with Homebrew, apk, Nix, pacman, zypper

Audit Cargo.lock files for crates with security vulnerabilities. Version 0.22.2 via Homebrew; verified 2026-06-05.

## Install

```sh
sudo av install brew:cargo-audit
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install cargo-audit
```

  Evidence: local Homebrew formula metadata

### Linux

- apk (92%):

```sh
sudo apk add cargo-audit
```

  Evidence: Alpine Linux edge package indexes: cargo-audit from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz

- Nix (92%):

```sh
nix profile install nixpkgs#cargo-audit
```

  Evidence: nixpkgs package indexes: pkgs/by-name/ca/cargo-audit/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

- pacman (92%):

```sh
sudo pacman -S cargo-audit
```

  Evidence: Arch Linux sync databases: cargo-audit from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz

- zypper (92%):

```sh
sudo zypper install cargo-audit
```

  Evidence: openSUSE Tumbleweed package metadata: cargo-audit from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

## Package facts

- **Package key:** brew:cargo-audit
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/cargo-audit>
- **Version:** 0.22.2
- **Source summary:** Audit Cargo.lock files for crates with security vulnerabilities
- **Homepage:** <https://rustsec.org/>
- **Repository:** <https://github.com/rustsec/rustsec>
- **Upstream docs:** <https://github.com/rustsec/rustsec/tree/main/cargo-audit#readme>
- **License:** Apache-2.0 OR MIT
- **Source archive:** <https://github.com/rustsec/rustsec/archive/refs/tags/cargo-audit/v0.22.2.tar.gz>
- **Last updated:** 2026-06-05T15:11:00Z
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- cargo-audit (cli)
- cargo-audit (alias)

## Build dependencies

- rust

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 0.22.2
- Package-manager updated: 2026-06-05
- Local data: ok
- Upstream repository: https://github.com/rustsec/rustsec
- Upstream latest detected: cargo-audit/v0.22.2 (current)
## Project history and usage

cargo-audit is the canonical RustSec command-line tool for scanning Cargo.lock files against the RustSec Advisory Database. It is one of the Rust ecosystem's best-known supply-chain security utilities because it connects ordinary Cargo projects to a community-maintained vulnerability database.

### Project history

The RustSec repository was created in February 2017 as RustSec API and tooling. cargo-audit became the user-facing Cargo subcommand for checking project lockfiles against advisories published in the RustSec Advisory Database.

The official RustSec site describes RustSec as a vulnerability database for Rust crates published through crates.io and lists cargo-audit as the get-started tool for auditing Cargo.lock files. The cargo-audit README documents lockfile auditing, advisory ignores, CI usage, an experimental fix command, and binary auditing.

### Adoption history

cargo-audit became a standard safety check in Rust projects because it fits Cargo's workflow: install the subcommand, run it at the top level of a project, and fail CI when a dependency matches an advisory.

Distribution adoption is broad. The supplied Homebrew facts list Alpine, Homebrew, Nix, Arch Linux, and openSUSE packages, and the upstream README explicitly documents installation through Alpine, Arch Linux, Homebrew, and OpenBSD in addition to `cargo install`.

### How it is used

The common usage is `cargo audit` in a project containing Cargo.lock. The tool reports advisories from the RustSec database and can be wired into CI systems; the README includes examples for Travis CI and points GitHub Actions users to the RustSec audit-check action.

cargo-audit also has a binary-auditing path. The README documents `cargo audit bin`, noting that binaries built with cargo-auditable can be audited accurately because their dependency lists are embedded in the executable.

### Why package nerds care

cargo-audit is package-nerd significant because it made Rust vulnerability metadata operational at package-install and CI time. For Rust projects, Cargo.lock is the exact package graph, and cargo-audit turns that graph into a security boundary.

It also helped normalize advisory-driven package hygiene in Rust. Instead of treating vulnerability feeds as external enterprise tooling, cargo-audit made them part of the everyday Cargo subcommand culture.

### Timeline

- 2017: rustsec/rustsec repository created on GitHub.
- 2021: GitHub releases include cargo-audit/v0.16.0 under the rustsec repository release scheme.
- 2026: RustSec site continues to list cargo-audit as primary tooling for Cargo.lock vulnerability auditing.

### Related projects

- cargo-audit is tied directly to the RustSec Advisory Database and the RustSec advisory-db repository where vulnerabilities are reported.
- Related tools include cargo-auditable for binary dependency embedding, audit-check for GitHub Actions, cargo-deny for broader dependency policy checks, and reachsec as an experimental reachability companion mentioned by the cargo-audit README.

### Sources

- <https://api.github.com/repos/rustsec/rustsec>
- <https://github.com/rustsec/rustsec>
- <https://raw.githubusercontent.com/rustsec/rustsec/main/cargo-audit/README.md>
- <https://rustsec.org/>
- source_facts.package-manager


## Security Notes

narrow executable package without higher-risk signals.

- **Geiger risk:** green / low
- narrow executable package without higher-risk signals

## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** cargo-audit
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - cargo-audit: normalized package name match | nixpkgs package indexes: pkgs/by-name/ca/cargo-audit/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- apk - cargo-audit - 0.22.1-r0: normalized package name match | Alpine Linux edge package indexes: cargo-audit from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | Audit Cargo.lock for crates with security vulnerabilities | https://github.com/RustSec/rustsec
- apk - cargo-audit-doc - 0.22.1-r0: normalized package name match | Alpine Linux edge package indexes: cargo-audit-doc from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | Audit Cargo.lock for crates with security vulnerabilities (documentation) | https://github.com/RustSec/rustsec
- pacman - cargo-audit - 0.22.2-1: normalized package name match | Arch Linux sync databases: cargo-audit from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz | Audit Cargo.lock for crates with security vulnerabilities | https://github.com/RustSec/cargo-audit
- zypper - cargo-audit - 0.22.1~git0.efcde93-2.4: normalized package name match | openSUSE Tumbleweed package metadata: cargo-audit from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Audit rust sources for known security vulnerabilities | https://github.com/RustSec/cargo-audit


## Related links

- [Package publisher tools](https://www.automicvault.com/pkg/package-publishers/) - Belongs to a package publishing or registry command family.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Language runtime packages](https://www.automicvault.com/pkg/language-runtime-packages/) - Matched language runtime, compiler, or interpreter metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [rust](https://www.automicvault.com/pkg/brew/rust/) - Build dependency declared by Homebrew.
- [phylum-cli](https://www.automicvault.com/pkg/brew/phylum-cli/) - Shares av.db curated category or tags: cli, security, software-supply-chain.
- [syft](https://www.automicvault.com/pkg/brew/syft/) - Shares av.db curated category or tags: cli, security, software-supply-chain.
- [cargo-cyclonedx](https://www.automicvault.com/pkg/brew/cargo-cyclonedx/) - Shares av.db curated category or tags: cargo, cli, rust, security, software-supply-chain.
- [cargo-deny](https://www.automicvault.com/pkg/brew/cargo-deny/) - Shares av.db curated category or tags: cargo, cli, rust, security.
- [cargo-geiger](https://www.automicvault.com/pkg/brew/cargo-geiger/) - Shares av.db curated category or tags: cargo, cli, rust, security.
- [cdxgen](https://www.automicvault.com/pkg/brew/cdxgen/) - Shares av.db curated category or tags: cli, security, software-supply-chain.
- [chainloop-cli](https://www.automicvault.com/pkg/brew/chainloop-cli/) - Shares av.db curated category or tags: cli, security, software-supply-chain.
- [cyclonedx-gomod](https://www.automicvault.com/pkg/brew/cyclonedx-gomod/) - Shares av.db curated category or tags: cli, security, software-supply-chain.
- [cargo-audit](https://www.automicvault.com/pkg/cargo/cargo-audit/) - Same normalized package name exists in another local package ecosystem.

## Combined YAML source

View the package source record on GitHub. [combined/cargo-audit.yml](https://github.com/automic-vault/db/blob/main/combined/cargo-audit.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
