cargo audit: Usage, Options & Common CI Errors
Check your dependencies against the RustSec advisory database.
cargo audit is a third-party subcommand (from cargo install cargo-audit) that checks Cargo.lock against the RustSec advisory database and reports vulnerable dependencies. It exits non-zero on findings.
What it does
Reads Cargo.lock, matches each crate version against RustSec advisories, and prints vulnerabilities, unmaintained crates, and yanked versions. A non-zero exit fails the CI job.
Common usage
cargo install cargo-audit --locked # install once
cargo audit # scan Cargo.lock
cargo audit --deny warnings # fail on warnings too
cargo audit --ignore RUSTSEC-2023-0001 # waive one advisoryCommon CI error: stale advisory database
cargo audit fails to fetch the advisory DB ("error: couldn’t fetch advisory database") on a network-restricted runner. Fix: ensure the runner can reach github.com for the RustSec repo, or pre-clone it and point cargo audit at it with --db <path>. To accept a known, triaged advisory, use --ignore <RUSTSEC-ID>.
Options
| Flag | Effect |
|---|---|
| --deny <kind> | Fail on warnings/unmaintained/etc. |
| --ignore <id> | Skip a specific advisory |
| --db <path> | Use a local advisory database |
| --json | Machine-readable output |