Dependency Vulnerability Scanning

Continuously scan Rust dependencies for known vulnerabilities and treat the lockfile as a security boundary. Integrate cargo audit into CI and adopt a clear update policy to reduce supply chain risk.

Why dependency security is a production responsibility

Modern Rust services depend on dozens of crates, often indirectly. A single vulnerable transitive dependency can introduce security risk even if your own code is correct. Supply chain security means knowing what you ship, detecting known vulnerabilities early, and having a disciplined update process.

Production goals at this level

  • Visibility: know exactly which crate versions are in your build.
  • Continuous scanning: detect known vulnerabilities before deploy.
  • Lockfile discipline: treat Cargo.lock as part of your security boundary.
  • Defined update policy: avoid ad-hoc upgrades during incidents.

Cargo.lock is part of your artifact

For applications, Cargo.lock must be committed to version control. It pins exact dependency versions. Without it, builds can drift between environments, increasing unpredictability and risk.

Install cargo audit

cargo audit checks your dependency graph against the RustSec advisory database.

cargo install cargo-audit

Run a vulnerability scan

cargo audit

The tool analyzes Cargo.lock and reports known advisories affecting your dependency tree.

Interpreting audit output

Typical findings include:

  • Vulnerable crate version with advisory ID
  • Patched version recommendation
  • Indirect dependency path

Do not panic at every warning. Classify severity and exposure first.
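To make the three kinds of finding concrete, here is an added example, not code from the original page and not cargo-audit itself: a toy model of the check cargo audit performs. It parses the [[package]] tables of a Cargo.lock, compares each pinned version against a small advisory list, and reports the advisory id, the patched version and the dependency path from the application crate to the affected one. The lockfile text, the crate names (myservice, httpclient, parse-utils) and the EXAMPLE-000x ids are all constructed for the example; real advisories come from the RustSec database and carry full version ranges rather than a single "patched" version.

```rust
// Added example (not the page's code and not cargo-audit itself): a toy model of what
// `cargo audit` does. It parses the [[package]] tables of a Cargo.lock, compares each
// crate's version with a constructed advisory list and reports the dependency path from
// the application crate to the affected one. Lockfile, crate names and ids are made up.
use std::collections::{HashMap, VecDeque};

#[derive(Debug, Default)]
pub struct Package { pub name: String, pub version: String, pub dependencies: Vec<String> }
/// Constructed advisory: versions below `patched` count as affected (RustSec advisories
/// carry full patched/unaffected ranges; this is a simplification).
pub struct Advisory { pub id: &'static str, pub krate: &'static str, pub patched: &'static str }
#[derive(Debug)]
pub struct Finding { pub advisory_id: &'static str, pub package: String, pub version: String,
                     pub patched: &'static str, pub path: Vec<String> }

fn unquote(s: &str) -> String { s.trim().trim_matches('"').to_string() }

/// "major.minor.patch" into a comparable tuple; a pre-release/build suffix is dropped.
pub fn parse_semver(v: &str) -> Option<(u64, u64, u64)> {
    let mut parts = v.split(|c| c == '-' || c == '+').next()?.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// Line-oriented parser for the regular layout Cargo writes into Cargo.lock.
pub fn parse_lockfile(text: &str) -> Vec<Package> {
    let (mut packages, mut current, mut in_deps) = (Vec::new(), None::<Package>, false);
    for line in text.lines().map(str::trim) {
        if line == "[[package]]" {
            packages.extend(current.replace(Package::default())); // flush the previous table
            in_deps = false;
            continue;
        }
        let pkg = match current.as_mut() { Some(p) => p, None => continue }; // skip header lines
        if in_deps {
            if line == "]" { in_deps = false } else { pkg.dependencies.push(unquote(line.trim_end_matches(','))) }
        } else if let Some(v) = line.strip_prefix("name = ") { pkg.name = unquote(v) }
        else if let Some(v) = line.strip_prefix("version = ") { pkg.version = unquote(v) }
        else if line == "dependencies = [" { in_deps = true }
    }
    packages.extend(current);
    packages
}

/// Breadth-first search from `root` to `target`; entries like "name x.y.z" are keyed by name.
pub fn dependency_path(packages: &[Package], root: &str, target: &str) -> Option<Vec<String>> {
    let graph: HashMap<&str, Vec<&str>> = packages.iter().map(|p| (p.name.as_str(),
        p.dependencies.iter().map(|d| d.split(' ').next().unwrap_or(d.as_str())).collect())).collect();
    let mut parent: HashMap<&str, &str> = HashMap::new();
    let mut queue = VecDeque::from([root]);
    while let Some(node) = queue.pop_front() {
        if node == target {
            let (mut path, mut cur) = (vec![node.to_string()], node);
            while let Some(&p) = parent.get(cur) { path.push(p.to_string()); cur = p }
            path.reverse();
            return Some(path);
        }
        for &dep in graph.get(node).map(Vec::as_slice).unwrap_or_default() {
            if dep != root && !parent.contains_key(dep) { parent.insert(dep, node); queue.push_back(dep) }
        }
    }
    None
}

/// Match every locked package against the advisories. An unparsable version is reported
/// rather than silently passed, so that a human looks at it.
pub fn audit(packages: &[Package], advisories: &[Advisory], root: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    for pkg in packages {
        for adv in advisories.iter().filter(|a| a.krate == pkg.name) {
            let affected = match (parse_semver(&pkg.version), parse_semver(adv.patched)) {
                (Some(have), Some(fixed)) => have < fixed,
                _ => true,
            };
            if affected {
                findings.push(Finding { advisory_id: adv.id, package: pkg.name.clone(), version: pkg.version.clone(),
                    patched: adv.patched, path: dependency_path(packages, root, &pkg.name).unwrap_or_default() });
            }
        }
    }
    findings
}

/// Constructed Cargo.lock: application crate `myservice` with one direct and one transitive dependency.
pub const SAMPLE_LOCK: &str = r#"version = 3

[[package]]
name = "myservice"
version = "0.1.0"
dependencies = [
 "httpclient",
]

[[package]]
name = "httpclient"
version = "2.3.1"
dependencies = [
 "parse-utils",
]

[[package]]
name = "parse-utils"
version = "0.9.4"
"#;

/// Constructed advisories with placeholder ids (not RustSec ids).
pub const ADVISORIES: &[Advisory] = &[
    Advisory { id: "EXAMPLE-0001", krate: "parse-utils", patched: "0.9.5" },
    Advisory { id: "EXAMPLE-0002", krate: "httpclient", patched: "2.0.0" }, // 2.3.1 is already patched
];

fn main() {
    let packages = parse_lockfile(SAMPLE_LOCK);
    let findings = audit(&packages, ADVISORIES, "myservice");
    for f in &findings {
        println!("{}: {} {} (patched in {}) via {}", f.advisory_id, f.package, f.version, f.patched, f.path.join(" -> "));
    }
    if !findings.is_empty() { std::process::exit(1); } // a CI gate fails here
}
```

The point of the path is exposure analysis: a vulnerable crate reached only through a build-time or test-only dependency is a different risk from one on the request path, and that is the classification the text asks for before reacting to a warning.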

Integrate into CI

Dependency scanning should not be manual. Add it to your CI pipeline so new vulnerabilities are detected automatically.

# Example CI step
cargo audit --deny warnings

At minimum, fail CI on high severity advisories. For moderate ones, require review.
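A complete CI job for this step, as an added example that assumes GitHub Actions (it is not configuration from the original page). Two details matter beyond the command itself: the scheduled trigger, because new advisories are published without any commit touching Cargo.lock, and the explicit ignore mechanism, because an advisory that has been reviewed and accepted should be recorded in the pipeline rather than handled by silencing the job.

```yaml
# .github/workflows/audit.yml  (added example; assumes GitHub Actions)
name: dependency-audit

on:
  push:
    paths: ["Cargo.lock", "Cargo.toml", ".github/workflows/audit.yml"]
  pull_request:
    paths: ["Cargo.lock", "Cargo.toml"]
  schedule:
    - cron: "0 6 * * *"   # daily: advisories appear without any code change

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install cargo-audit
        run: cargo install cargo-audit --locked
      - name: Scan Cargo.lock against the RustSec database
        # Vulnerabilities already fail the run; --deny warnings extends that to
        # unmaintained, unsound and yanked crates. A reviewed, accepted advisory
        # is excluded explicitly so the decision is visible in version control:
        #   cargo audit --deny warnings --ignore RUSTSEC-XXXX-XXXX   (placeholder id)
        run: cargo audit --deny warnings
```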

Update strategy: controlled and measured

Blindly updating all crates can introduce regressions. Adopt a measured strategy:

  • Regular scheduled dependency review.
  • Patch updates first.
  • Minor updates with integration testing.
  • Major updates with careful review.

Use cargo update intentionally

# Update a specific crate
cargo update -p crate_name

# Update all dependencies
cargo update

After updating, run the full test suite, and measure performance if critical paths are affected.

Minimal SBOM mindset

A Software Bill of Materials (SBOM) is a record of what is in your dependency graph. Even without a full enterprise SBOM system, you can:

  • Keep Cargo.lock committed.
  • Archive build artifacts with version metadata.
  • Document Rust toolchain version.

Toolchain pinning

Pin the Rust version so that unexpected compiler changes cannot affect your build.

# rust-toolchain.toml
[toolchain]
channel = "1.76.0"

Supply chain attack awareness

Security issues do not always come from known CVEs. Risks include:

  • Compromised crate maintainers.
  • Malicious typosquatting crates.
  • Unmaintained dependencies.

Prefer well-maintained crates with active communities and review dependency additions carefully.

Common mistakes

  • Ignoring Cargo.lock in applications.
  • Running cargo audit only after an incident.
  • Updating dependencies directly in production branches without testing.
  • Disabling CI failures for convenience.

Operational checklist

  • Cargo.lock committed and versioned.
  • cargo audit runs in CI.
  • Critical advisories block release.
  • Dependency updates follow a documented policy.
  • Rust toolchain version is pinned.

Security maturity mindset

Supply chain security is not about zero dependencies. It is about controlled risk. A disciplined update and scanning process reduces surprise exposure and keeps production predictable.

Section summary

In this section, you hardened input handling, tightened deserialization rules, restricted outbound network access, applied TLS correctly, and introduced dependency vulnerability scanning. Together, these practices form a minimal but production-ready security baseline for Rust services.