cargo-auditable
cargo-auditable embeds dependency tree metadata into Rust binaries, enabling post-deployment vulnerability auditing without external tracking. It works transparently as a Cargo wrapper, adds minimal binary overhead (~4KB), and integrates with standard security scanning tools like cargo-audit, Trivy, and Grype.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | rust-secure-code/cargo-auditable |
| Owner | rust-secure-code |
| Primary language | Rust |
| License | Apache-2.0 — OSI-approved |
| Stars | 832 |
| Forks | 40 |
| Open issues | 15 |
| Latest release | v0.7.5 (2026-05-21) |
| Last updated | 2026-05-28 |
| Source | https://github.com/rust-secure-code/cargo-auditable |
What cargo-auditable is
A Rust cargo plugin that compresses and injects dependency information (crate names, versions) into a dedicated `.dep-v0` linker section as Zlib-compressed JSON. Supports Linux, Windows, macOS, WebAssembly, and ELF targets; compatible with Cargo's native SBOM precursor on nightly. Data format is language-agnostic and designed to preserve reproducible builds.
Get the cargo-auditable source
Clone the repository and explore it locally.
git clone https://github.com/rust-secure-code/cargo-auditable.gitcd cargo-auditable# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Transparent drop-in replacement: alias cargo or use REPLACING_CARGO.md approach; no code changes needed if standard Cargo workflow is maintained.
- Binary size impact is negligible (~1/1000 to 1/10,000 of executable); no reproducible build disruption (no timestamps, sorted JSON).
- Nightly Cargo SBOM support (CARGO_BUILD_SBOM=true) offers more accurate recording but requires workaround for known Cargo bug (#15695).
- Requires end-of-pipeline tooling (cargo-audit, Trivy, Grype, Syft) to consume embedded data; data format is language-agnostic (5-line Python parser provided).
- Embedded data format is stable (JSON schema available); backwards compatibility is maintained; statically-linked C libraries are not yet tracked.
When to avoid it — and what to weigh
- Embedded/Highly Constrained Systems — Not suitable for bare-metal or IoT environments where every byte matters. README explicitly recommends hash-based tracking for such targets instead of embedding metadata.
- Active Supply Chain Attack Mitigation Required — SBOMs do not prevent or detect supply chain attacks. Use cargo-vet or cargo-crev for code review-based risk reduction; cargo-auditable only surfaces what is already in your dependencies.
- Closed/Proprietary Dependency Chains — Embeds crate names and versions in the binary. If you require absolute confidentiality of your dependency list, this is a disclosure mechanism and should be evaluated accordingly.
- Offline/Air-Gapped Binary Analysis — Requires compatible scanning tools (cargo-audit 0.17.3+, Trivy 0.31.0+, Grype 0.83.0+) to extract and analyze the embedded data. Cannot work standalone without supporting infrastructure.
License & commercial use
Licensed under Apache-2.0 (Apache License 2.0), a permissive OSI-approved license allowing commercial use, modification, and distribution with standard attribution and liability disclaimers.
Apache-2.0 permits commercial use, modification, and redistribution. No license restrictions on using cargo-auditable in production or closed-source projects. Requires standard Apache-2.0 compliance (attribution, license inclusion). Microsoft's public adoption and inclusion in commercial Linux distributions (Ubuntu, Chainguard) indicate industry acceptance for commercial environments. Verify any proprietary modifications against Apache-2.0 terms.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Strong |
| Assessment confidence | High |
Embeds crate names and versions in the binary; does not hide dependency information (already exposed in panic messages and debug info). Does not prevent supply chain attacks; complements (not replaces) code-review tools like cargo-vet/cargo-crev. Data format excludes timestamps and file paths (preserves reproducibility). No known vulnerabilities cited; format is stable and designed for interoperability. Not a security-hardening tool, but an auditability enhancement for post-deployment vulnerability response.
Alternatives to consider
cargo-vet / cargo-crev
Supply-chain security through code review and vetting, not auditability. Complementary to cargo-auditable; solves different risk (attack prevention vs. incident response).
Software Composition Analysis (SCA) tools (e.g., Snyk, Whitehat, Black Duck)
Commercial SBOMs and continuous monitoring, but require external tracking and infrastructure. cargo-auditable embeds data in the binary itself, requiring no centralized database.
Cargo.lock + Build Artifact Hashing (Manual Approach)
Hash-based tracking without binary bloat; suitable for embedded systems. Requires external database and custom tooling; less automated than cargo-auditable.
Build on cargo-auditable with DEV.co software developers
Install cargo-auditable (cargo install cargo-auditable) and switch one command: cargo auditable build. No code changes. Immediate integration with Trivy, Grype, cargo-audit, and standard SBOM tools. Already adopted by Microsoft, Alpine, NixOS, Ubuntu, and Chainguard.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
cargo-auditable FAQ
Does cargo-auditable bloat my binary?
What scanning tools can read the embedded data?
Can I make cargo always use auditable builds?
Does this work with reproducible builds?
Software development & web development with DEV.co
DEV.co helps companies turn open-source tools like cargo-auditable into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source security stack.
Add Auditability to Your Rust Binaries Today
Install cargo-auditable (cargo install cargo-auditable) and switch one command: cargo auditable build. No code changes. Immediate integration with Trivy, Grype, cargo-audit, and standard SBOM tools. Already adopted by Microsoft, Alpine, NixOS, Ubuntu, and Chainguard.