Skip to content
Latchkey

cargo audit: Scan Cargo.lock for RustSec Advisories

cargo audit checks Cargo.lock against the RustSec advisory database and exits 1 when a vulnerable or unmaintained crate is found.

cargo-audit is the RustSec project's scanner. It reads Cargo.lock (no build needed) and reports advisories, including unmaintained and yanked crates, not just CVEs.

What it does

cargo audit parses Cargo.lock, fetches the RustSec advisory DB, and reports vulnerabilities and warnings (unmaintained, unsound, yanked). Exit 1 means advisories were found, 0 means clean. --deny escalates warnings to failures and --ignore suppresses a specific advisory id.

Common usage

Terminal
cargo audit
# fail on warnings too (unmaintained, yanked)
cargo audit --deny warnings
# ignore a triaged advisory with no fix
cargo audit --ignore RUSTSEC-2023-0001
# emit JSON for a report
cargo audit --json

Options

FlagWhat it does
-D, --deny <kind>Treat warnings/unmaintained/etc. as failures
--ignore <id>Suppress a specific RUSTSEC advisory id
-f, --file <path>Path to a Cargo.lock to audit
--jsonMachine-readable output
-n, --no-fetchDo not fetch the advisory DB (use the local copy)
--staleAllow using a stale advisory database

In CI

cargo audit exits 1 on findings, so it gates the build automatically; add --deny warnings to also fail on unmaintained or yanked crates. It needs Cargo.lock committed (apps have one; libraries may not). The advisory DB is fetched over the network, so an offline runner needs a pre-populated DB or --no-fetch.

Common errors in CI

"Couldn't load ./Cargo.lock: ... No such file" means no lockfile; run cargo generate-lockfile or commit Cargo.lock (common for library crates). "error fetching advisory database" means no network egress to the RustSec git repo; pre-fetch it or use --no-fetch. An ignored advisory still failing means the wrong RUSTSEC id.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →