Automic VaultAutomic Vault

brew

Install cargo-auditable with Homebrew, apk, apt, Nix, pacman, zypper

Make production Rust binaries auditable. Version 0.7.5 via Homebrew; verified 2026-05-22.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install cargo-auditable

local Homebrew formula metadata

Linux

Alpine Linux apkverified · 92%
sudo apk add cargo-auditable

Alpine Linux edge package indexes · cargo-auditable · source: dl-cdn.alpinelinux.org

Debian aptverified · 92%
sudo apt install cargo-auditable

Debian stable package indexes · cargo-auditable · source: deb.debian.org

Nixverified · 92%
nix profile install nixpkgs#cargo-auditable

nixpkgs package indexes · pkgs/by-name/ca/cargo-auditable/package.nix · source: api.github.com

Arch Linux pacmanverified · 92%
sudo pacman -S cargo-auditable

Arch Linux sync databases · cargo-auditable · source: geo.mirror.pkgbuild.com

openSUSE zypperverified · 92%
sudo zypper install cargo-auditable

openSUSE Tumbleweed package metadata · cargo-auditable · source: download.opensuse.org

overview

Package summary

Make production Rust binaries auditable

Commands and aliases

  • cargo-auditable

history

Project history and usage

cargo-auditable is a Rust supply-chain tool that makes compiled Rust binaries self-describing by embedding dependency-tree data into a dedicated linker section. Its practical purpose is to let tools such as cargo-audit, Trivy, Grype, Syft, OSV Scanner, and related SBOM tooling recover what crates went into a production executable.

Project history

The public repository was created in January 2019 under the rust-secure-code organization. The README says the end goal is for Cargo itself to encode this kind of information in binaries, and points to Rust RFC work as the long-term upstream path.

The project's design is intentionally package-manager friendly: the embedded data is JSON, zlib-compressed, placed in a linker section named `.dep-v0`, and designed not to disrupt reproducible builds.

Adoption history

cargo-auditable has unusually concrete adoption evidence for a niche Rust tool. Its README states that Microsoft uses it internally, that multiple Linux distributions build Rust packages with it, and that Chainguard includes it in a Rust base container with a default cargo wrapper.

The README names Alpine Linux, NixOS, openSUSE, Void Linux, Chimera Linux, Wolfi OS, and Ubuntu 26.04 adoption or opt-in paths. The supplied package-manager facts also list Alpine, Homebrew, Debian, Nix, Arch Linux, Ubuntu, and openSUSE packages.

How it is used

The standard workflow is to install cargo-auditable and cargo-audit, build with `cargo auditable build --release`, and then run `cargo audit bin` on the resulting executable.

The tool works as a wrapper around Cargo: arguments are passed through, and users who cannot change direct Cargo invocation can use documented replacement-cargo guidance. On nightly Rust, the README documents using Cargo's unstable SBOM precursor for more accurate dependency recording.

Why package nerds care

cargo-auditable matters because binary packages sever the obvious connection between an executable and its Cargo.lock. Embedding dependency metadata lets downstream package repositories, container scanners, and security teams audit Rust binaries after they have left the build tree.

For package nerds, it is a bridge between language-package metadata and distro/container reality. It makes Rust binaries inspectable in the same places where operators already scan containers, distribution packages, and release artifacts.

Timeline

  • 2019: cargo-auditable repository created on GitHub.
  • 2024: GitHub releases show a v0.6.4 release in May.
  • 2026: README documents distribution adoption, cargo-audit integration, and nightly Cargo SBOM precursor support.

Related projects

  • cargo-auditable is directly related to cargo-audit, which can scan binaries built with it accurately.
  • The README lists consumer tools including Trivy, Grype, OSV Scanner, Syft, Docker BuildKit Syft scanner, Blint, wasm-tools, rust-audit-info, and auditable2cdx, plus Cargo SBOM and Rust RFC work as upstream-adjacent efforts.

security posture

Risk level: green

narrow executable package without higher-risk signals.

Risk classifier

green risk · low confidence · appliance

Why

  • narrow executable package without higher-risk signals

Signals

  • metadata:no-higher-risk-signals

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

executables

Installed executables

CommandKindExposureNote
cargo-auditablecliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version0.7.5
manager updated2026-05-22
local dataok
upstreamcurrent
latest detectedv0.7.5

https://github.com/rust-secure-code/cargo-auditable

  • okNo freshness warnings were generated.

install metadata

Package metadata

Package keybrew:cargo-auditable
Version0.7.5
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/cargo-auditable
Homepagehttps://github.com/rust-secure-code/cargo-auditable
Repositoryhttps://github.com/rust-secure-code/cargo-auditable
Upstream docshttps://github.com/rust-secure-code/cargo-auditable#readme
LicenseApache-2.0 OR MIT
Source archivehttps://github.com/rust-secure-code/cargo-auditable/archive/refs/tags/v0.7.5.tar.gz
Last updated2026-05-22T03:20:40Z
Pulseupdated
Build dependenciesrust
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namecargo-auditable
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Debian apt95%

cargo-auditable 0.6.6-1+b1

Make production Rust binaries auditable

https://github.com/rust-secure-code/cargo-auditable

sudo apt install cargo-auditable
  • Section: utils
  • Architecture: amd64
  • Source Package: rust-cargo-auditable
  • 2 dependencies
  • normalized package name match
  • Matched by: Cargo Auditable
Debian stable package indexes · deb.debian.org · Debian stable package indexes: cargo-auditable from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz
Nix95%

cargo-auditable

nix profile install nixpkgs#cargo-auditable
  • normalized package name match
  • Matched by: Cargo Auditable
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/ca/cargo-auditable/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
Ubuntu apt95%

cargo-auditable 0.6.1-3

Make production Rust binaries auditable

sudo apt install cargo-auditable
  • Section: universe/utils
  • Architecture: amd64
  • Source Package: rust-cargo-auditable
  • 2 dependencies
  • normalized package name match
  • Matched by: Cargo Auditable
Ubuntu 24.04 LTS package indexes · archive.ubuntu.com · Ubuntu 24.04 LTS package indexes: cargo-auditable from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz
apk95%

cargo-auditable 0.7.5-r0

Cargo wrapper for embedding auditing data

https://github.com/rust-secure-code/cargo-auditable

sudo apk add cargo-auditable
  • License: MIT OR Apache-2.0
  • Architecture: x86_64
  • Source Package: cargo-auditable
  • 1 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Cargo Auditable
Alpine Linux edge package indexes · dl-cdn.alpinelinux.org · Alpine Linux edge package indexes: cargo-auditable from https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz
apk95%

cargo-auditable-doc 0.7.5-r0

Cargo wrapper for embedding auditing data (documentation)

https://github.com/rust-secure-code/cargo-auditable

sudo apk add cargo-auditable-doc
  • License: MIT OR Apache-2.0
  • Architecture: x86_64
  • Source Package: cargo-auditable
  • normalized package name match
  • Matched by: Cargo Auditable
Alpine Linux edge package indexes · dl-cdn.alpinelinux.org · Alpine Linux edge package indexes: cargo-auditable-doc from https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz
pacman95%

cargo-auditable 0.7.5-1

A cargo-subcommand to make production Rust binaries auditable

https://github.com/rust-secure-code/cargo-auditable

sudo pacman -S cargo-auditable
  • License: Apache-2.0 AND MIT
  • Architecture: x86_64
  • 3 dependencies
  • normalized package name match
  • Matched by: Cargo Auditable
Arch Linux sync databases · geo.mirror.pkgbuild.com · Arch Linux sync databases: cargo-auditable from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz
zypper95%

cargo-auditable 0.7.5~0-1.1

A tool to embed auditing information in ELF sections of rust binaries

https://github.com/rust-secure-code/cargo-auditable

sudo zypper install cargo-auditable
  • License: (Apache-2.0 OR MIT) AND Unicode-DFS-2016 AND (0BSD OR MIT OR Apache-2.0) AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR MIT) AND (Apache-2.0 OR Apache-2.0 WITH
  • Category: Development/Languages/Rust
  • Architecture: x86_64
  • Source Package: cargo-auditable
  • 4 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Cargo Auditable
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: cargo-auditable from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment