Automic VaultAutomic Vault

brew

Install cargo-deny with Homebrew, apk, dnf, Nix, pacman

Cargo plugin for linting your dependencies. Version 0.19.9 via Homebrew; verified 2026-06-15.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install cargo-deny

local Homebrew formula metadata

Linux

Alpine Linux apkverified · 92%
sudo apk add cargo-deny

Alpine Linux edge package indexes · cargo-deny · source: dl-cdn.alpinelinux.org

Fedora dnfverified · 92%
sudo dnf install cargo-deny

Fedora Rawhide package metadata · cargo-deny · source: dl.fedoraproject.org

Nixverified · 92%
nix profile install nixpkgs#cargo-deny

nixpkgs package indexes · pkgs/by-name/ca/cargo-deny/package.nix · source: api.github.com

Arch Linux pacmanverified · 92%
sudo pacman -S cargo-deny

Arch Linux sync databases · cargo-deny · source: geo.mirror.pkgbuild.com

overview

Package summary

Cargo plugin for linting your dependencies

Commands and aliases

  • cargo-deny

history

Project history and usage

cargo-deny is an Embark Studios Cargo plugin for linting Rust dependency graphs. It checks advisories, license policy, banned crates, duplicate versions, and allowed package sources from a project-level deny.toml file.

Project history

Embark Studios created the repository and published the crate in May 2019. The README frames cargo-deny as an open-source release of a tool Embark uses internally, with a dedicated book for in-depth documentation.

The project grew into one of the standard Rust dependency-policy tools, with docs organized around checks for licenses, bans, advisories, and sources. Its repository topics and README both present it as a Cargo subcommand for dependency linting.

Adoption history

cargo-deny has broad adoption for Rust CI because it covers policy decisions that Cargo itself intentionally does not enforce: which licenses are acceptable, whether multiple versions are allowed, whether vulnerable advisories should fail builds, and which registries or git sources are trusted.

The tool is packaged in apk, Homebrew, dnf, Nix, and pacman, and crates.io metadata shows more than four million downloads by June 2026. The README also points to cargo-deny-action for GitHub Actions use.

How it is used

The quickstart is `cargo install --locked cargo-deny && cargo deny init && cargo deny check`. The init command creates a deny.toml template in the current working directory unless a path is supplied.

Users commonly run `cargo deny check` in CI, or run targeted checks such as `cargo deny check licenses`, `cargo deny check bans`, `cargo deny check advisories`, and `cargo deny check sources`.

Why package nerds care

cargo-deny is package-nerd infrastructure because it makes dependency policy executable. Instead of tracking license allowlists, source restrictions, duplicate-version rules, and advisories in prose, teams can encode them in deny.toml and fail builds consistently.

It is also an example of Cargo's external-tool model handling ecosystem governance concerns without bloating Cargo itself.

Timeline

  • 2019: GitHub repository created and first crates.io publication recorded.
  • 2019-2020: Early 0.6.x tags show rapid iteration on dependency linting.
  • 2024-2026: Release stream continues through 0.19.x.
  • 2026: crates.io metadata shows more than four million downloads and version 0.19.9 current in the sampled registry data.

Related projects

  • cargo-deny-action packages cargo-deny for GitHub Actions workflows.
  • RustSec advisory data is part of the broader ecosystem behind advisory checking.
  • SPDX license identifiers and license lists are central to the licenses check documented by cargo-deny.

security posture

No protected-tool coverage found yet

No matching local secret-handling manifest was found for cargo-deny. Nucleus package metadata is still published here so future coverage has a stable package URL.

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Build metadata lists 2 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

local files

Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.

Configuration files

Config paths the tool may read or write during local use.

Unix
<cwd>/deny.toml

executables

Installed executables

CommandKindExposureNote
cargo-denycliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version0.19.9
manager updated2026-06-15
local dataok
upstreamcurrent
latest detected0.19.9

https://github.com/EmbarkStudios/cargo-deny

  • okNo freshness warnings were generated.

install metadata

Package metadata

Package keybrew:cargo-deny
Version0.19.9
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/cargo-deny
Homepagehttps://github.com/EmbarkStudios/cargo-deny
Repositoryhttps://github.com/EmbarkStudios/cargo-deny
Upstream docshttps://embarkstudios.github.io/cargo-deny
LicenseApache-2.0 OR MIT
Source archivehttps://github.com/EmbarkStudios/cargo-deny/archive/refs/tags/0.19.9.tar.gz
Last updated2026-06-15T16:13:41Z
Pulseupdated
Build dependenciespkgconf, rust
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namecargo-deny
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

cargo-deny

nix profile install nixpkgs#cargo-deny
  • normalized package name match
  • Matched by: Cargo Deny
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/ca/cargo-deny/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
apk95%

cargo-deny 0.18.6-r0

Cargo plugin for linting your dependencies

https://github.com/EmbarkStudios/cargo-deny

sudo apk add cargo-deny
  • License: MIT OR Apache-2.0
  • Architecture: x86_64
  • Source Package: cargo-deny
  • 1 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Cargo Deny
Alpine Linux edge package indexes · dl-cdn.alpinelinux.org · Alpine Linux edge package indexes: cargo-deny from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
dnf95%

cargo-deny 0.18.9-5.fc45

Cargo plugin to help you manage large dependency graphs

https://crates.io/crates/cargo-deny

sudo dnf install cargo-deny
  • License: Apache-2.0 AND Apache-2.0 WITH LLVM-exception AND BSD-3-Clause AND CC0-1.0 AND CDLA-Permissive-2.0 AND ISC AND MIT AND Unicode-3.0 AND Unicode-DFS-2016 AND
  • Category: Unspecified
  • Architecture: x86_64
  • Source Package: rust-cargo-deny
  • 4 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Cargo Deny
Fedora Rawhide package metadata · dl.fedoraproject.org · Fedora Rawhide package metadata: cargo-deny from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst
pacman95%

cargo-deny 0.19.8-1

Cargo plugin for linting your dependencies

https://github.com/EmbarkStudios/cargo-deny

sudo pacman -S cargo-deny
  • License: MIT AND Apache-2.0
  • Architecture: x86_64
  • 4 dependencies
  • normalized package name match
  • Matched by: Cargo Deny
Arch Linux sync databases · geo.mirror.pkgbuild.com · Arch Linux sync databases: cargo-deny from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated configuration and credential file locations
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment