macOS
brew install cargo-auditablelocal Homebrew formula metadata
brew
Make production Rust binaries auditable. Version 0.7.5 via Homebrew; verified 2026-05-22.
install
brew install cargo-auditablelocal Homebrew formula metadata
sudo apk add cargo-auditableAlpine Linux edge package indexes · cargo-auditable · source: dl-cdn.alpinelinux.org
sudo apt install cargo-auditableDebian stable package indexes · cargo-auditable · source: deb.debian.org
nix profile install nixpkgs#cargo-auditablenixpkgs package indexes · pkgs/by-name/ca/cargo-auditable/package.nix · source: api.github.com
sudo pacman -S cargo-auditableArch Linux sync databases · cargo-auditable · source: geo.mirror.pkgbuild.com
sudo zypper install cargo-auditableopenSUSE Tumbleweed package metadata · cargo-auditable · source: download.opensuse.org
overview
Make production Rust binaries auditable
history
cargo-auditable is a Rust supply-chain tool that makes compiled Rust binaries self-describing by embedding dependency-tree data into a dedicated linker section. Its practical purpose is to let tools such as cargo-audit, Trivy, Grype, Syft, OSV Scanner, and related SBOM tooling recover what crates went into a production executable.
The public repository was created in January 2019 under the rust-secure-code organization. The README says the end goal is for Cargo itself to encode this kind of information in binaries, and points to Rust RFC work as the long-term upstream path.
The project's design is intentionally package-manager friendly: the embedded data is JSON, zlib-compressed, placed in a linker section named `.dep-v0`, and designed not to disrupt reproducible builds.
cargo-auditable has unusually concrete adoption evidence for a niche Rust tool. Its README states that Microsoft uses it internally, that multiple Linux distributions build Rust packages with it, and that Chainguard includes it in a Rust base container with a default cargo wrapper.
The README names Alpine Linux, NixOS, openSUSE, Void Linux, Chimera Linux, Wolfi OS, and Ubuntu 26.04 adoption or opt-in paths. The supplied package-manager facts also list Alpine, Homebrew, Debian, Nix, Arch Linux, Ubuntu, and openSUSE packages.
The standard workflow is to install cargo-auditable and cargo-audit, build with `cargo auditable build --release`, and then run `cargo audit bin` on the resulting executable.
The tool works as a wrapper around Cargo: arguments are passed through, and users who cannot change direct Cargo invocation can use documented replacement-cargo guidance. On nightly Rust, the README documents using Cargo's unstable SBOM precursor for more accurate dependency recording.
cargo-auditable matters because binary packages sever the obvious connection between an executable and its Cargo.lock. Embedding dependency metadata lets downstream package repositories, container scanners, and security teams audit Rust binaries after they have left the build tree.
For package nerds, it is a bridge between language-package metadata and distro/container reality. It makes Rust binaries inspectable in the same places where operators already scan containers, distribution packages, and release artifacts.
security posture
narrow executable package without higher-risk signals.
green risk · low confidence · appliance
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
executables
| Command | Kind | Exposure | Note |
|---|---|---|---|
cargo-auditable | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/rust-secure-code/cargo-auditable
install metadata
| Package key | brew:cargo-auditable |
|---|---|
| Version | 0.7.5 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/cargo-auditable |
| Homepage | https://github.com/rust-secure-code/cargo-auditable |
| Repository | https://github.com/rust-secure-code/cargo-auditable |
| Upstream docs | https://github.com/rust-secure-code/cargo-auditable#readme |
| License | Apache-2.0 OR MIT |
| Source archive | https://github.com/rust-secure-code/cargo-auditable/archive/refs/tags/v0.7.5.tar.gz |
| Last updated | 2026-05-22T03:20:40Z |
| Pulse | updated |
| Build dependencies | rust |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | cargo-auditable |
| Version Scheme | 0 |
| Revision | 0 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
cargo-auditable 0.6.6-1+b1
Make production Rust binaries auditable
https://github.com/rust-secure-code/cargo-auditable
sudo apt install cargo-auditablecargo-auditable
nix profile install nixpkgs#cargo-auditablecargo-auditable 0.6.1-3
Make production Rust binaries auditable
sudo apt install cargo-auditablecargo-auditable 0.7.5-r0
Cargo wrapper for embedding auditing data
https://github.com/rust-secure-code/cargo-auditable
sudo apk add cargo-auditablecargo-auditable-doc 0.7.5-r0
Cargo wrapper for embedding auditing data (documentation)
https://github.com/rust-secure-code/cargo-auditable
sudo apk add cargo-auditable-doccargo-auditable 0.7.5-1
A cargo-subcommand to make production Rust binaries auditable
https://github.com/rust-secure-code/cargo-auditable
sudo pacman -S cargo-auditablecargo-auditable 0.7.5~0-1.1
A tool to embed auditing information in ELF sections of rust binaries
https://github.com/rust-secure-code/cargo-auditable
sudo zypper install cargo-auditablesource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.