rust-dependency-audit

$npx mdskill add terrylica/cc-skills/rust-dependency-audit

SKILL.md (.github/skills/rust-dependency-audit)
---
name: rust-dependency-audit
description: Audit Rust dependencies for vulnerabilities, license compliance, supply chain integrity, and freshness using cargo-audit, cargo-deny, cargo-vet,
allowed-tools: Read, Grep, Bash, WebSearch, WebFetch
---

# Rust Dependency Audit

Comprehensive dependency audit workflow using four complementary tools: freshness checking, vulnerability scanning, license/advisory compliance, and supply chain verification.

> **Self-Evolving Skill**: This skill improves through use. If instructions are wrong, parameters drifted, or a workaround was needed — fix this file immediately, don't defer. Only update for real, reproducible issues.

## CRITICAL: Web-Verify Before Upgrade Decisions

**Always check crates.io for latest versions before recommending upgrades.** Static docs go stale; the crates.io API is ground truth.

1. **Before upgrading a crate**: Check what version is current and what it depends on

   ```
   WebFetch: https://crates.io/api/v1/crates/{crate_name}
   Prompt: "What is the latest version? List recent versions and their dependencies."
   ```

2. **Before ignoring a vulnerability**: Verify whether a patched version exists

   ```
   WebSearch: "{advisory_id} {crate_name} fix patch"
   ```

3. **Check compatibility chains**: When crate A depends on crate B, verify both latest versions are compatible

   ```
   WebFetch: https://crates.io/api/v1/crates/{crate_name}/{version}/dependencies
   Prompt: "What version of {dependency} does this require?"
   ```

4. **Fallback: Firecrawl scrape** (if WebFetch fails — JS-heavy pages, rate limits, incomplete data):

   ```bash
   curl -s -X POST http://littleblack:3002/v1/scrape \
     -H "Content-Type: application/json" \
     -d '{"url": "https://crates.io/crates/{crate_name}", "formats": ["markdown"], "waitFor": 0}' \
     | jq -r '.data.markdown'
   ```

   Requires Tailscale connectivity. See `/devops-tools:firecrawl-research-patterns` for full API reference.
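The two decisions steps 1 and 3 above ask for can be made mechanically once the crates.io `versions` array has been fetched: pick the newest usable release (not yanked, not a pre-release) and check whether it still satisfies the caret requirement a dependent crate declares in its `Cargo.toml`. The following is an added example written for this page, not code from the skill or its references; it uses only the Rust standard library, and the listing it runs on is constructed to stand in for a crates.io response (the crate and versions are hypothetical). Pre-release requirements such as `^1.0.0-beta` are not handled.

```rust
// Added example (not from the skill): choose the newest usable release from a
// crates.io `versions` listing and test it against a Cargo caret requirement.
use std::cmp::Ordering;

/// A parsed SemVer version; build metadata after `+` is dropped, it never affects ordering.
#[derive(Debug, Clone, PartialEq, Eq)]
struct Version { major: u64, minor: u64, patch: u64, pre: Vec<String> }

fn parse_version(s: &str) -> Option<Version> {
    let s = s.split('+').next()?;
    let (core, pre) = s.split_once('-').unwrap_or((s, ""));
    let mut n = core.split('.').map(|p| p.parse::<u64>().ok());
    let (major, minor, patch) = (n.next()??, n.next()??, n.next()??);
    if n.next().is_some() { return None; }
    let pre = if pre.is_empty() { Vec::new() } else { pre.split('.').map(String::from).collect() };
    Some(Version { major, minor, patch, pre })
}

/// SemVer pre-release ordering: numeric identifiers compare numerically and sort
/// before alphanumeric ones; a shorter identifier list sorts first.
fn cmp_pre(a: &[String], b: &[String]) -> Ordering {
    for (x, y) in a.iter().zip(b) {
        let ord = match (x.parse::<u64>(), y.parse::<u64>()) {
            (Ok(n), Ok(m)) => n.cmp(&m),
            (Ok(_), Err(_)) => Ordering::Less,
            (Err(_), Ok(_)) => Ordering::Greater,
            (Err(_), Err(_)) => x.cmp(y),
        };
        if ord != Ordering::Equal { return ord; }
    }
    a.len().cmp(&b.len())
}

impl Ord for Version {
    fn cmp(&self, o: &Self) -> Ordering {
        (self.major, self.minor, self.patch).cmp(&(o.major, o.minor, o.patch)).then_with(|| {
            match (self.pre.is_empty(), o.pre.is_empty()) {
                (true, true) => Ordering::Equal,
                (true, false) => Ordering::Greater, // a release sorts above its own pre-releases
                (false, true) => Ordering::Less,
                (false, false) => cmp_pre(&self.pre, &o.pre),
            }
        })
    }
}
impl PartialOrd for Version {
    fn partial_cmp(&self, o: &Self) -> Option<Ordering> { Some(self.cmp(o)) }
}

/// Newest non-yanked, non-pre-release version in a crates.io `versions` listing,
/// given here as (`num`, `yanked`) pairs, the two fields that decide the choice.
fn latest_release(listing: &[(&str, bool)]) -> Option<Version> {
    listing.iter()
        .filter(|(_, yanked)| !yanked)
        .filter_map(|(num, _)| parse_version(num))
        .filter(|v| v.pre.is_empty())
        .max()
}

/// Cargo's default (caret) requirement: the leftmost non-zero component of the
/// requirement must not change, so `^1.2.3` allows <2.0.0, `^0.2.3` allows <0.3.0 and
/// `^0.0.3` allows only 0.0.3. Pre-release candidates are rejected, since Cargo only
/// accepts them when the requirement itself names a pre-release (not handled here).
fn caret_matches(req: &str, candidate: &Version) -> Option<bool> {
    let parts: Vec<u64> = req.trim().trim_start_matches('^').split('.')
        .map(|p| p.parse().ok()).collect::<Option<_>>()?;
    if parts.is_empty() || parts.len() > 3 { return None; }
    let get = |i: usize| parts.get(i).copied().unwrap_or(0);
    let min = Version { major: get(0), minor: get(1), patch: get(2), pre: Vec::new() };
    if *candidate < min || !candidate.pre.is_empty() { return Some(false); }
    let fixed = parts.iter().position(|&p| p != 0).unwrap_or(parts.len() - 1);
    let cand = [candidate.major, candidate.minor, candidate.patch];
    Some(cand[..=fixed] == parts[..=fixed])
}

// Constructed listing standing in for the `versions` array returned by
// https://crates.io/api/v1/crates/{crate_name}; not real crates.io data.
const LISTING: &[(&str, bool)] = &[
    ("0.9.8", false), ("1.0.0", false), ("1.1.1", false),
    ("1.1.2", true),          // yanked: must never be recommended
    ("1.2.0-beta.1", false),  // pre-release: not a default-requirement upgrade target
];

fn main() {
    let latest = latest_release(LISTING).expect("no usable release");
    let current = parse_version("1.0.0").unwrap();
    println!("current {:?}\nlatest usable {:?}\nbehind: {}", current, latest, current < latest);
    // Hypothetical dependent crate A declares one of these requirements on the crate.
    for req in ["^1.1", "^0.9", "^1"] {
        println!("requirement {req:>5} accepts latest: {:?}", caret_matches(req, &latest));
    }
}
```

Run it with `rustc` and execute the binary: the yanked 1.1.2 and the 1.2.0 beta are skipped, 1.1.1 is the upgrade target, and `^0.9` correctly rejects it while `^1.1` and `^1` accept it, which is the compatibility-chain answer step 3 wants before an upgrade is recommended.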

## When to Use

- Before a release (full audit pipeline)
- After `cargo update` (verify no new vulnerabilities)
- CI pipeline setup (automated dependency checks)
- License compliance review (open source projects)
- Supply chain security assessment

## Four-Tool Audit Workflow

Run in this order — each tool catches different issues:

```bash
# 1. Freshness — what's outdated?
cargo outdated

# 2. Vulnerabilities — any known CVEs?
cargo audit

# 3. Licenses + Advisories — compliance check
cargo deny check

# 4. Supply Chain — who audited these crates?
cargo vet
```

### Quick Assessment

```bash
# One-liner: run all four (stop on first failure)
cargo outdated && cargo audit && cargo deny check && cargo vet
```

## Freshness: Finding Outdated Dependencies

Three tools for different needs:

| Tool                         | Install                        | Purpose                                                  | Best For            |
| ---------------------------- | ------------------------------ | -------------------------------------------------------- | ------------------- |
| `cargo-outdated`             | `cargo install cargo-outdated` | Full outdated report with compatible/latest versions     | Comprehensive audit |
| `cargo-upgrades`             | `cargo install cargo-upgrades` | Lightweight — only shows incompatible (breaking) updates | Quick check         |
| `cargo upgrade` (cargo-edit) | `cargo install cargo-edit`     | Actually updates `Cargo.toml` versions                   | Performing updates  |

```bash
# Show all outdated deps (compatible + incompatible)
cargo outdated --root-deps-only

# Show only breaking updates needed
cargo upgrades

# Actually update Cargo.toml (dry run first)
cargo upgrade --dry-run
cargo upgrade --incompatible

# Nightly: native cargo support (experimental, needs -Zunstable-options)
cargo +nightly -Zunstable-options update --breaking
```

**Recommendation**: Use `cargo-upgrades` for quick checks, `cargo-outdated` for full audits, `cargo upgrade` (cargo-edit) when ready to actually update.

See [cargo-outdated reference](./references/cargo-outdated-guide.md).

## Security: Vulnerability Scanning

### cargo-audit (RUSTSEC Database)

```bash
# Scan for known vulnerabilities
cargo audit

# Auto-fix where possible (updates Cargo.lock)
cargo audit fix

# Binary scanning (audit compiled binaries)
cargo audit bin ./target/release/my-binary

# Custom config (ignore specific advisories): cargo-audit reads it from
# .cargo/audit.toml in the project root
```

```toml
# .cargo/audit.toml
[advisories]
ignore = [
    "RUSTSEC-YYYY-NNNN",  # Reason for ignoring
]
```

See [cargo-audit reference](./references/cargo-audit-guide.md).

### cargo-deny (Advisories + More)

cargo-deny's advisory check complements cargo-audit with additional sources:

```bash
# Check advisories only
cargo deny check advisories

# All checks (advisories + licenses + bans + sources)
cargo deny check
```

See the License section below for full cargo-deny configuration.

## License: Compliance Checking

### cargo-deny License Check

```toml
# deny.toml
[licenses]
allow = [
    "MIT",
    "Apache-2.0",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ISC",
    "Unicode-3.0",
]
confidence-threshold = 0.8

[[licenses.clarify]]
name = "ring"
expression = "MIT AND ISC AND OpenSSL"
license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]
```

```bash
# Check licenses
cargo deny check licenses

# Generate deny.toml template
cargo deny init
```
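What `cargo deny check licenses` actually decides per crate is whether the crate's SPDX expression can be satisfied from the `[licenses] allow` list: every operand of `AND` must be allowed, one operand of `OR` suffices, and `AND` binds tighter than `OR` unless parentheses say otherwise. That is why the `ring` clarification above, `MIT AND ISC AND OpenSSL`, fails against the allow list shown (OpenSSL is not on it) even though MIT and ISC are. The following is an added example for this page, not cargo-deny's code (cargo-deny uses a full SPDX parser); it is std-only Rust, treats `X WITH Y` as a single term that the allow list must name verbatim, and uses the allow list from the `deny.toml` above.

```rust
// Added example (not part of the skill or cargo-deny): evaluate a crate's SPDX
// license expression against a deny.toml-style allow list.

/// Split an expression into identifiers, operators and parentheses.
fn tokenize(expr: &str) -> Vec<String> {
    let mut out = Vec::new();
    let mut cur = String::new();
    for c in expr.chars() {
        if c == '(' || c == ')' || c.is_whitespace() {
            if !cur.is_empty() { out.push(std::mem::take(&mut cur)); }
            if !c.is_whitespace() { out.push(c.to_string()); }
        } else {
            cur.push(c);
        }
    }
    if !cur.is_empty() { out.push(cur); }
    out
}

/// Recursive-descent evaluator: or_expr := and_expr (OR and_expr)*,
/// and_expr := with_expr (AND with_expr)*, with_expr := "(" or_expr ")" | ID [WITH ID].
struct Parser<'a> { toks: &'a [String], pos: usize, allow: &'a [&'a str] }

impl<'a> Parser<'a> {
    fn peek(&self) -> Option<&'a str> { self.toks.get(self.pos).map(String::as_str) }
    fn bump(&mut self) -> Option<&'a str> { let t = self.peek(); self.pos += 1; t }

    fn or_expr(&mut self) -> Option<bool> {
        let mut v = self.and_expr()?;
        // Both sides are always parsed, so a malformed right operand is still rejected.
        while self.peek() == Some("OR") { self.bump(); v |= self.and_expr()?; }
        Some(v)
    }
    fn and_expr(&mut self) -> Option<bool> {
        let mut v = self.with_expr()?;
        while self.peek() == Some("AND") { self.bump(); v &= self.with_expr()?; }
        Some(v)
    }
    fn with_expr(&mut self) -> Option<bool> {
        if self.peek() == Some("(") {
            self.bump();
            let v = self.or_expr()?;
            return if self.bump() == Some(")") { Some(v) } else { None };
        }
        let id = self.bump()?;
        if matches!(id, "AND" | "OR" | "WITH" | ")") { return None; }
        // "X WITH Y" is one licensing term; keep it whole so the allow list must name it.
        let term = if self.peek() == Some("WITH") {
            self.bump();
            format!("{id} WITH {}", self.bump()?)
        } else {
            id.to_string()
        };
        Some(self.allow.contains(&term.as_str()))
    }
}

/// `Some(true)` when the expression can be satisfied from the allow list, `Some(false)`
/// when it cannot, `None` when it is malformed (a gate should fail, not pass, on None).
fn expression_allowed(expr: &str, allow: &[&str]) -> Option<bool> {
    let toks = tokenize(expr);
    let mut p = Parser { toks: &toks, pos: 0, allow };
    let v = p.or_expr()?;
    (p.pos == toks.len()).then_some(v)
}

// The allow list from the deny.toml above.
const ALLOW: &[&str] = &["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "Unicode-3.0"];

fn main() {
    for expr in ["MIT OR Apache-2.0", "MIT AND ISC AND OpenSSL", "MIT AND OpenSSL OR ISC",
                 "MIT AND (OpenSSL OR ISC)", "(MIT OR Apache-2.0) AND Unicode-3.0", "MIT AND"] {
        println!("{expr:38} -> {:?}", expression_allowed(expr, ALLOW));
    }
}
```

The precedence cases are the ones worth checking in a gate: `MIT AND OpenSSL OR ISC` passes (it parses as `(MIT AND OpenSSL) OR ISC`) while `MIT AND (OpenSSL OR ISC)` also passes for a different reason, and `MIT AND ISC AND OpenSSL` fails until OpenSSL is added to `allow` or the crate is handled by a `[[licenses.clarify]]` entry.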

See [cargo-deny reference](./references/cargo-deny-guide.md).

## Supply Chain: Audit Verification

### cargo-vet (Mozilla)

cargo-vet tracks which crates have been audited and by whom:

```bash
# Check supply chain status
cargo vet

# Audit a specific crate (certify you've reviewed it)
cargo vet certify <crate> <version>

# Import audits from trusted organizations
cargo vet trust --all mozilla
cargo vet trust --all google

# See what needs auditing
cargo vet suggest
```

Key files:

- `supply-chain/audits.toml` — Your audits
- `supply-chain/imports.lock` — Imported audits
- `supply-chain/config.toml` — Trusted sources

See [cargo-vet reference](./references/cargo-vet-guide.md).

## Unsafe Code: Dependency Safety Audit

### cargo-geiger

cargo-geiger quantifies unsafe code usage across your entire dependency tree:

```bash
# Quick check: which deps forbid unsafe? (fast, no compilation)
cargo geiger --forbid-only

# Full audit: count unsafe blocks per crate
cargo geiger

# Output as ratio (for CI/scripting)
cargo geiger --forbid-only --output-format ratio

# Markdown report
cargo geiger --output-format markdown > unsafe-report.md
```

Key flags:

- `--forbid-only`: Fast mode — only checks `#![forbid(unsafe_code)]` (no compilation)
- `--output-format`: `ratio`, `markdown`, `ascii`, `json`
- `--all-features`: Check with all features enabled

See [cargo-geiger reference](./references/cargo-geiger-guide.md).

## Combined CI Workflow (GitHub Actions)

```yaml
name: Dependency Audit
on:
  pull_request:
  schedule:
    - cron: "0 6 * * 1" # Weekly Monday 6am

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable

      - name: cargo-audit
        run: |
          cargo install cargo-audit
          cargo audit

      - name: cargo-deny
        uses: EmbarkStudios/cargo-deny-action@v2

      - name: cargo-vet
        run: |
          cargo install cargo-vet
          cargo vet

      - name: cargo-geiger
        run: |
          cargo install cargo-geiger
          cargo geiger --forbid-only

      - name: cargo-outdated
        run: |
          cargo install cargo-outdated
          cargo outdated --root-deps-only --exit-code 1
```

## Reference Documents

- [cargo-audit-guide.md](./references/cargo-audit-guide.md) — Vulnerability scanning
- [cargo-deny-guide.md](./references/cargo-deny-guide.md) — License + advisory compliance
- [cargo-outdated-guide.md](./references/cargo-outdated-guide.md) — Freshness + alternatives
- [cargo-vet-guide.md](./references/cargo-vet-guide.md) — Supply chain audit
- [cargo-geiger-guide.md](./references/cargo-geiger-guide.md) — Unsafe code quantification

## Troubleshooting

| Problem                             | Solution                                                    |
| ----------------------------------- | ----------------------------------------------------------- |
| `cargo audit` stale database        | Run `cargo audit fetch` to update RUSTSEC DB                |
| `cargo deny` false positive license | Add `[[licenses.clarify]]` entry in `deny.toml`             |
| `cargo vet` too many unaudited      | Import trusted org audits: `cargo vet trust --all mozilla`  |
| `cargo outdated` shows yanked       | Run `cargo update` first to refresh `Cargo.lock`            |
| Private registry crates             | Configure `[sources]` in `deny.toml` for private registries |
| Workspace vs single crate           | Most tools support `--workspace` flag                       |

## Post-Execution Reflection

After this skill completes, check before closing:

1. **Did the command succeed?** — If not, fix the instruction or error table that caused the failure.
2. **Did parameters or output change?** — If the underlying tool's interface drifted, update Usage examples and Parameters table to match.
3. **Was a workaround needed?** — If you had to improvise (different flags, extra steps), update this SKILL.md so the next invocation doesn't need the same workaround.

Only update if the issue is real and reproducible — not speculative.