# Install cargo-auditable with Homebrew, apk, apt, Nix, pacman, zypper

Make production Rust binaries auditable. Version 0.7.5 via Homebrew; verified 2026-05-22.

## Install

```sh
sudo av install brew:cargo-auditable
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install cargo-auditable
```

  Evidence: local Homebrew formula metadata

### Linux

- apk (92%):

```sh
sudo apk add cargo-auditable
```

  Evidence: Alpine Linux edge package indexes: cargo-auditable from https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz

- Debian apt (92%):

```sh
sudo apt install cargo-auditable
```

  Evidence: Debian stable package indexes: cargo-auditable from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz

- Nix (92%):

```sh
nix profile install nixpkgs#cargo-auditable
```

  Evidence: nixpkgs package indexes: pkgs/by-name/ca/cargo-auditable/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

- pacman (92%):

```sh
sudo pacman -S cargo-auditable
```

  Evidence: Arch Linux sync databases: cargo-auditable from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz

- zypper (92%):

```sh
sudo zypper install cargo-auditable
```

  Evidence: openSUSE Tumbleweed package metadata: cargo-auditable from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

## Package facts

- **Package key:** brew:cargo-auditable
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/cargo-auditable>
- **Version:** 0.7.5
- **Source summary:** Make production Rust binaries auditable
- **Homepage:** <https://github.com/rust-secure-code/cargo-auditable>
- **Repository:** <https://github.com/rust-secure-code/cargo-auditable>
- **Upstream docs:** <https://github.com/rust-secure-code/cargo-auditable#readme>
- **License:** Apache-2.0 OR MIT
- **Source archive:** <https://github.com/rust-secure-code/cargo-auditable/archive/refs/tags/v0.7.5.tar.gz>
- **Last updated:** 2026-05-22T03:20:40Z
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- cargo-auditable (cli)
- cargo-auditable (alias)

## Build dependencies

- rust

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 0.7.5
- Package-manager updated: 2026-05-22
- Local data: ok
- Upstream repository: https://github.com/rust-secure-code/cargo-auditable
- Upstream latest detected: v0.7.5 (current)
## Project history and usage

cargo-auditable is a Rust supply-chain tool that makes compiled Rust binaries self-describing by embedding dependency-tree data into a dedicated linker section. Its practical purpose is to let tools such as cargo-audit, Trivy, Grype, Syft, OSV Scanner, and related SBOM tooling recover what crates went into a production executable.

### Project history

The public repository was created in January 2019 under the rust-secure-code organization. The README says the end goal is for Cargo itself to encode this kind of information in binaries, and points to Rust RFC work as the long-term upstream path.

The project's design is intentionally package-manager friendly: the embedded data is JSON, zlib-compressed, placed in a linker section named `.dep-v0`, and designed not to disrupt reproducible builds.

### Adoption history

cargo-auditable has unusually concrete adoption evidence for a niche Rust tool. Its README states that Microsoft uses it internally, that multiple Linux distributions build Rust packages with it, and that Chainguard includes it in a Rust base container with a default cargo wrapper.

The README names Alpine Linux, NixOS, openSUSE, Void Linux, Chimera Linux, Wolfi OS, and Ubuntu 26.04 adoption or opt-in paths. The supplied package-manager facts also list Alpine, Homebrew, Debian, Nix, Arch Linux, Ubuntu, and openSUSE packages.

### How it is used

The standard workflow is to install cargo-auditable and cargo-audit, build with `cargo auditable build --release`, and then run `cargo audit bin` on the resulting executable.

The tool works as a wrapper around Cargo: arguments are passed through, and users who cannot change direct Cargo invocation can use documented replacement-cargo guidance. On nightly Rust, the README documents using Cargo's unstable SBOM precursor for more accurate dependency recording.

### Why package nerds care

cargo-auditable matters because binary packages sever the obvious connection between an executable and its Cargo.lock. Embedding dependency metadata lets downstream package repositories, container scanners, and security teams audit Rust binaries after they have left the build tree.

For package nerds, it is a bridge between language-package metadata and distro/container reality. It makes Rust binaries inspectable in the same places where operators already scan containers, distribution packages, and release artifacts.

### Timeline

- 2019: cargo-auditable repository created on GitHub.
- 2024: GitHub releases show a v0.6.4 release in May.
- 2026: README documents distribution adoption, cargo-audit integration, and nightly Cargo SBOM precursor support.

### Related projects

- cargo-auditable is directly related to cargo-audit, which can scan binaries built with it accurately.
- The README lists consumer tools including Trivy, Grype, OSV Scanner, Syft, Docker BuildKit Syft scanner, Blint, wasm-tools, rust-audit-info, and auditable2cdx, plus Cargo SBOM and Rust RFC work as upstream-adjacent efforts.

### Sources

- <https://api.github.com/repos/rust-secure-code/cargo-auditable>
- <https://github.com/rust-secure-code/cargo-auditable>
- <https://raw.githubusercontent.com/rust-secure-code/cargo-auditable/master/README.md>
- <https://rustsec.org/>
- source_facts.package-manager


## Security Notes

narrow executable package without higher-risk signals.

- **Geiger risk:** green / low
- narrow executable package without higher-risk signals

## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** cargo-auditable
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Debian apt - cargo-auditable - 0.6.6-1+b1: normalized package name match | Debian stable package indexes: cargo-auditable from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | Make production Rust binaries auditable | https://github.com/rust-secure-code/cargo-auditable
- Nix - cargo-auditable: normalized package name match | nixpkgs package indexes: pkgs/by-name/ca/cargo-auditable/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- Ubuntu apt - cargo-auditable - 0.6.1-3: normalized package name match | Ubuntu 24.04 LTS package indexes: cargo-auditable from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | Make production Rust binaries auditable
- apk - cargo-auditable - 0.7.5-r0: normalized package name match | Alpine Linux edge package indexes: cargo-auditable from https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz | Cargo wrapper for embedding auditing data | https://github.com/rust-secure-code/cargo-auditable
- apk - cargo-auditable-doc - 0.7.5-r0: normalized package name match | Alpine Linux edge package indexes: cargo-auditable-doc from https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz | Cargo wrapper for embedding auditing data (documentation) | https://github.com/rust-secure-code/cargo-auditable
- pacman - cargo-auditable - 0.7.5-1: normalized package name match | Arch Linux sync databases: cargo-auditable from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz | A cargo-subcommand to make production Rust binaries auditable | https://github.com/rust-secure-code/cargo-auditable
- zypper - cargo-auditable - 0.7.5~0-1.1: normalized package name match | openSUSE Tumbleweed package metadata: cargo-auditable from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | A tool to embed auditing information in ELF sections of rust binaries | https://github.com/rust-secure-code/cargo-auditable


## Related links

- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Package publisher tools](https://www.automicvault.com/pkg/package-publishers/) - Belongs to a package publishing or registry command family.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Text processing packages](https://www.automicvault.com/pkg/text-processing-tools/) - Matched text, document, or structured-data processing metadata.
- [rust](https://www.automicvault.com/pkg/brew/rust/) - Build dependency declared by Homebrew.
- [cargo-binstall](https://www.automicvault.com/pkg/brew/cargo-binstall/) - Shares av.db curated category or tags: cargo, cli, developer-tools, rust.
- [cargo-binutils](https://www.automicvault.com/pkg/brew/cargo-binutils/) - Shares av.db curated category or tags: cargo, cli, developer-tools, rust.
- [cargo-bloat](https://www.automicvault.com/pkg/brew/cargo-bloat/) - Shares av.db curated category or tags: cargo, cli, developer-tools, rust.
- [cargo-bundle](https://www.automicvault.com/pkg/brew/cargo-bundle/) - Shares av.db curated category or tags: cargo, cli, developer-tools, rust.
- [cargo-c](https://www.automicvault.com/pkg/brew/cargo-c/) - Shares av.db curated category or tags: cargo, cli, developer-tools, rust.
- [cargo-cache](https://www.automicvault.com/pkg/brew/cargo-cache/) - Shares av.db curated category or tags: cargo, cli, developer-tools, rust.
- [cargo-careful](https://www.automicvault.com/pkg/brew/cargo-careful/) - Shares av.db curated category or tags: cargo, cli, developer-tools, rust.
- [cargo-chef](https://www.automicvault.com/pkg/brew/cargo-chef/) - Shares av.db curated category or tags: cargo, cli, developer-tools, rust.
- [cargo-crev](https://www.automicvault.com/pkg/brew/cargo-crev/) - Both packages touch the same language runtime or ecosystem. Shared terms: cargo, chain, cli, developer, developer-tools.

## Combined YAML source

View the package source record on GitHub. [combined/cargo-auditable.yml](https://github.com/automic-vault/db/blob/main/combined/cargo-auditable.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
