Skip to content
Latchkey

cargo audit: Usage, Options & Common CI Errors

Check your dependencies against the RustSec advisory database.

cargo audit is a third-party subcommand (from cargo install cargo-audit) that checks Cargo.lock against the RustSec advisory database and reports vulnerable dependencies. It exits non-zero on findings.

What it does

Reads Cargo.lock, matches each crate version against RustSec advisories, and prints vulnerabilities, unmaintained crates, and yanked versions. A non-zero exit fails the CI job.

Common usage

Terminal
cargo install cargo-audit --locked    # install once
cargo audit                            # scan Cargo.lock
cargo audit --deny warnings            # fail on warnings too
cargo audit --ignore RUSTSEC-2023-0001 # waive one advisory

Common CI error: stale advisory database

cargo audit fails to fetch the advisory DB ("error: couldn’t fetch advisory database") on a network-restricted runner. Fix: ensure the runner can reach github.com for the RustSec repo, or pre-clone it and point cargo audit at it with --db <path>. To accept a known, triaged advisory, use --ignore <RUSTSEC-ID>.

Options

FlagEffect
--deny <kind>Fail on warnings/unmaintained/etc.
--ignore <id>Skip a specific advisory
--db <path>Use a local advisory database
--jsonMachine-readable output

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →