# Install cargo-deny with Homebrew, apk, dnf, Nix, pacman

Cargo plugin for linting your dependencies. Version 0.19.9 via Homebrew; verified 2026-06-15.

## Install

```sh
sudo av install brew:cargo-deny
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install cargo-deny
```

  Evidence: local Homebrew formula metadata

### Linux

- apk (92%):

```sh
sudo apk add cargo-deny
```

  Evidence: Alpine Linux edge package indexes: cargo-deny from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz

- dnf (92%):

```sh
sudo dnf install cargo-deny
```

  Evidence: Fedora Rawhide package metadata: cargo-deny from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst

- Nix (92%):

```sh
nix profile install nixpkgs#cargo-deny
```

  Evidence: nixpkgs package indexes: pkgs/by-name/ca/cargo-deny/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

- pacman (92%):

```sh
sudo pacman -S cargo-deny
```

  Evidence: Arch Linux sync databases: cargo-deny from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz

## Package facts

- **Package key:** brew:cargo-deny
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/cargo-deny>
- **Version:** 0.19.9
- **Source summary:** Cargo plugin for linting your dependencies
- **Homepage:** <https://github.com/EmbarkStudios/cargo-deny>
- **Repository:** <https://github.com/EmbarkStudios/cargo-deny>
- **Upstream docs:** <https://embarkstudios.github.io/cargo-deny>
- **License:** Apache-2.0 OR MIT
- **Source archive:** <https://github.com/EmbarkStudios/cargo-deny/archive/refs/tags/0.19.9.tar.gz>
- **Last updated:** 2026-06-15T16:13:41Z
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- cargo-deny (cli)
- cargo-deny (alias)

## Build dependencies

- pkgconf
- rust

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 0.19.9
- Package-manager updated: 2026-06-15
- Local data: ok
- Upstream repository: https://github.com/EmbarkStudios/cargo-deny
- Upstream latest detected: 0.19.9 (current)
## Project history and usage

cargo-deny is an Embark Studios Cargo plugin for linting Rust dependency graphs. It checks advisories, license policy, banned crates, duplicate versions, and allowed package sources from a project-level deny.toml file.

### Project history

Embark Studios created the repository and published the crate in May 2019. The README frames cargo-deny as an open-source release of a tool Embark uses internally, with a dedicated book for in-depth documentation.

The project grew into one of the standard Rust dependency-policy tools, with docs organized around checks for licenses, bans, advisories, and sources. Its repository topics and README both present it as a Cargo subcommand for dependency linting.

### Adoption history

cargo-deny has broad adoption for Rust CI because it covers policy decisions that Cargo itself intentionally does not enforce: which licenses are acceptable, whether multiple versions are allowed, whether vulnerable advisories should fail builds, and which registries or git sources are trusted.

The tool is packaged in apk, Homebrew, dnf, Nix, and pacman, and crates.io metadata shows more than four million downloads by June 2026. The README also points to cargo-deny-action for GitHub Actions use.

### How it is used

The quickstart is `cargo install --locked cargo-deny && cargo deny init && cargo deny check`. The init command creates a deny.toml template in the current working directory unless a path is supplied.

Users commonly run `cargo deny check` in CI, or run targeted checks such as `cargo deny check licenses`, `cargo deny check bans`, `cargo deny check advisories`, and `cargo deny check sources`.

### Why package nerds care

cargo-deny is package-nerd infrastructure because it makes dependency policy executable. Instead of tracking license allowlists, source restrictions, duplicate-version rules, and advisories in prose, teams can encode them in deny.toml and fail builds consistently.

It is also an example of Cargo's external-tool model handling ecosystem governance concerns without bloating Cargo itself.

### Timeline

- 2019: GitHub repository created and first crates.io publication recorded.
- 2019-2020: Early 0.6.x tags show rapid iteration on dependency linting.
- 2024-2026: Release stream continues through 0.19.x.
- 2026: crates.io metadata shows more than four million downloads and version 0.19.9 current in the sampled registry data.

### Related projects

- cargo-deny-action packages cargo-deny for GitHub Actions workflows.
- RustSec advisory data is part of the broader ecosystem behind advisory checking.
- SPDX license identifiers and license lists are central to the licenses check documented by cargo-deny.

### Sources

- <https://api.github.com/repos/EmbarkStudios/cargo-deny>
- <https://crates.io/api/v1/crates/cargo-deny>
- <https://embarkstudios.github.io/cargo-deny>
- <https://github.com/EmbarkStudios/cargo-deny#readme>
- <https://github.com/EmbarkStudios/cargo-deny/blob/main/docs/src/cli/init.md>


## Security Notes

No matching local secret-handling manifest was found for cargo-deny. Nucleus package metadata is still published here so future coverage has a stable package URL.



## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Unix: <cwd>/deny.toml
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** cargo-deny
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - cargo-deny: normalized package name match | nixpkgs package indexes: pkgs/by-name/ca/cargo-deny/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- apk - cargo-deny - 0.18.6-r0: normalized package name match | Alpine Linux edge package indexes: cargo-deny from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | Cargo plugin for linting your dependencies | https://github.com/EmbarkStudios/cargo-deny
- dnf - cargo-deny - 0.18.9-5.fc45: normalized package name match | Fedora Rawhide package metadata: cargo-deny from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst | Cargo plugin to help you manage large dependency graphs | https://crates.io/crates/cargo-deny
- pacman - cargo-deny - 0.19.8-1: normalized package name match | Arch Linux sync databases: cargo-deny from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz | Cargo plugin for linting your dependencies | https://github.com/EmbarkStudios/cargo-deny


## Related links

- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Package publisher tools](https://www.automicvault.com/pkg/package-publishers/) - Belongs to a package publishing or registry command family.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Language runtime packages](https://www.automicvault.com/pkg/language-runtime-packages/) - Matched language runtime, compiler, or interpreter metadata.
- [pkgconf](https://www.automicvault.com/pkg/brew/pkgconf/) - Build dependency declared by Homebrew.
- [rust](https://www.automicvault.com/pkg/brew/rust/) - Build dependency declared by Homebrew.
- [cargo-cyclonedx](https://www.automicvault.com/pkg/brew/cargo-cyclonedx/) - Shares av.db curated category or tags: cargo, cli, rust, security, software-composition-analysis.
- [cargo-audit](https://www.automicvault.com/pkg/brew/cargo-audit/) - Shares av.db curated category or tags: cargo, cli, rust, security.
- [cargo-geiger](https://www.automicvault.com/pkg/brew/cargo-geiger/) - Shares av.db curated category or tags: cargo, cli, rust, security.
- [dependency-check](https://www.automicvault.com/pkg/brew/dependency-check/) - Shares av.db curated category or tags: cli, security, software-composition-analysis.
- [checkpwn](https://www.automicvault.com/pkg/brew/checkpwn/) - Shares av.db curated category or tags: cli, rust, security.
- [feluda](https://www.automicvault.com/pkg/brew/feluda/) - Shares av.db curated category or tags: cli, rust, security.
- [jwt-cli](https://www.automicvault.com/pkg/brew/jwt-cli/) - Shares av.db curated category or tags: cli, rust, security.
- [observerward](https://www.automicvault.com/pkg/brew/observerward/) - Shares av.db curated category or tags: cli, rust, security.
- [cargo-deny](https://www.automicvault.com/pkg/cargo/cargo-deny/) - Same normalized package name exists in another local package ecosystem.

## Combined YAML source

View the package source record on GitHub. [combined/cargo-deny.yml](https://github.com/automic-vault/db/blob/main/combined/cargo-deny.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
