cargo audit: Scan Cargo.lock for RustSec Advisories
cargo audit checks Cargo.lock against the RustSec advisory database and exits 1 when a vulnerable or unmaintained crate is found.
cargo-audit is the RustSec project's scanner. It reads Cargo.lock (no build needed) and reports advisories, including unmaintained and yanked crates, not just CVEs.
What it does
cargo audit parses Cargo.lock, fetches the RustSec advisory DB, and reports vulnerabilities and warnings (unmaintained, unsound, yanked). Exit 1 means advisories were found, 0 means clean. --deny escalates warnings to failures and --ignore suppresses a specific advisory id.
Common usage
cargo audit
# fail on warnings too (unmaintained, yanked)
cargo audit --deny warnings
# ignore a triaged advisory with no fix
cargo audit --ignore RUSTSEC-2023-0001
# emit JSON for a report
cargo audit --jsonOptions
| Flag | What it does |
|---|---|
| -D, --deny <kind> | Treat warnings/unmaintained/etc. as failures |
| --ignore <id> | Suppress a specific RUSTSEC advisory id |
| -f, --file <path> | Path to a Cargo.lock to audit |
| --json | Machine-readable output |
| -n, --no-fetch | Do not fetch the advisory DB (use the local copy) |
| --stale | Allow using a stale advisory database |
In CI
cargo audit exits 1 on findings, so it gates the build automatically; add --deny warnings to also fail on unmaintained or yanked crates. It needs Cargo.lock committed (apps have one; libraries may not). The advisory DB is fetched over the network, so an offline runner needs a pre-populated DB or --no-fetch.
Common errors in CI
"Couldn't load ./Cargo.lock: ... No such file" means no lockfile; run cargo generate-lockfile or commit Cargo.lock (common for library crates). "error fetching advisory database" means no network egress to the RustSec git repo; pre-fetch it or use --no-fetch. An ignored advisory still failing means the wrong RUSTSEC id.