Agent-Skills.md

Agent Skills: Rust Dependency Audit

Audit Rust dependencies for vulnerabilities, license compliance, supply chain integrity, and freshness using cargo-audit, cargo-deny, cargo-vet, and cargo-outdated. Use whenever the user asks about dependency auditing, vulnerability scanning, license checks, supply chain verification, crate freshness, or says 'cargo outdated' or 'cargo update'. Also use before any Rust crate release. Do NOT use for Rust tooling guidance on refactoring, profiling, or benchmarking (use rust-sota-arsenal instead).

UncategorizedID: terrylica/cc-skills/rust-dependency-audit

Repository

terrylica/cc-skills
terrylicaLicense: MIT
264

Install this agent skill to your local

pnpm dlx add-skill https://github.com/terrylica/cc-skills/tree/HEAD/plugins/rust-tools/skills/rust-dependency-audit

Skill Files

Browse the full folder contents for rust-dependency-audit.

Download Skill

Loading file tree…

plugins/rust-tools/skills/rust-dependency-audit/SKILL.md

Skill Metadata

Name
rust-dependency-audit
Description
"Audit Rust dependencies for vulnerabilities, license compliance, supply chain integrity, and freshness using cargo-audit, cargo-deny, cargo-vet, and cargo-outdated. Use whenever the user asks about dependency auditing, vulnerability scanning, license checks, supply chain verification, crate freshness, or says 'cargo outdated' or 'cargo update'. Also use before any Rust crate release. Do NOT use for Rust tooling guidance on refactoring, profiling, or benchmarking (use rust-sota-arsenal instead)."

Rust Dependency Audit

Comprehensive dependency audit workflow using four complementary tools: freshness checking, vulnerability scanning, license/advisory compliance, and supply chain verification.

CRITICAL: Web-Verify Before Upgrade Decisions

Always check crates.io for latest versions before recommending upgrades. Static docs go stale; the crates.io API is ground truth.

  1. Before upgrading a crate: Check what version is current and what it depends on

    WebFetch: https://crates.io/api/v1/crates/{crate_name}
Prompt: "What is the latest version? List recent versions and their dependencies."

  2. Before ignoring a vulnerability: Verify whether a patched version exists

    WebSearch: "{advisory_id} {crate_name} fix patch"

  3. Check compatibility chains: When crate A depends on crate B, verify both latest versions are compatible

    WebFetch: https://crates.io/api/v1/crates/{crate_name}/{version}/dependencies
Prompt: "What version of {dependency} does this require?"

  4. Fallback: Firecrawl scrape (if WebFetch fails — JS-heavy pages, rate limits, incomplete data):

    curl -s -X POST http://172.25.236.1:3002/v1/scrape \
  -H "Content-Type: application/json" \
  -d '{"url": "https://crates.io/crates/{crate_name}", "formats": ["markdown"], "waitFor": 0}' \
  | jq -r '.data.markdown'

    Requires ZeroTier connectivity. See /devops-tools:firecrawl-research-patterns for full API reference.

When to Use

  • Before a release (full audit pipeline)
  • After cargo update (verify no new vulnerabilities)
  • CI pipeline setup (automated dependency checks)
  • License compliance review (open source projects)
  • Supply chain security assessment

Four-Tool Audit Workflow

Run in this order — each tool catches different issues:

# 1. Freshness — what's outdated?
cargo outdated

# 2. Vulnerabilities — any known CVEs?
cargo audit

# 3. Licenses + Advisories — compliance check
cargo deny check

# 4. Supply Chain — who audited these crates?
cargo vet

Quick Assessment

# One-liner: run all four (stop on first failure)
cargo outdated && cargo audit && cargo deny check && cargo vet

Freshness: Finding Outdated Dependencies

Three tools for different needs:

| Tool | Install | Purpose | Best For | | ---------------------------- | ------------------------------ | -------------------------------------------------------- | ------------------- | | cargo-outdated | cargo install cargo-outdated | Full outdated report with compatible/latest versions | Comprehensive audit | | cargo-upgrades | cargo install cargo-upgrades | Lightweight — only shows incompatible (breaking) updates | Quick check | | cargo upgrade (cargo-edit) | cargo install cargo-edit | Actually updates Cargo.toml versions | Performing updates |

# Show all outdated deps (compatible + incompatible)
cargo outdated --root-deps-only

# Show only breaking updates needed
cargo upgrades

# Actually update Cargo.toml (dry run first)
cargo upgrade --dry-run
cargo upgrade --incompatible

# Nightly: native cargo support (experimental)
cargo +nightly update --breaking

Recommendation: Use cargo-upgrades for quick checks, cargo-outdated for full audits, cargo upgrade (cargo-edit) when ready to actually update.

See cargo-outdated reference.

Security: Vulnerability Scanning

cargo-audit (RUSTSEC Database)

# Scan for known vulnerabilities
cargo audit

# Auto-fix where possible (updates Cargo.lock)
cargo audit fix

# Binary scanning (audit compiled binaries)
cargo audit bin ./target/release/my-binary

# Custom config (ignore specific advisories)
# Create audit.toml:

# audit.toml
[advisories]
ignore = [
    "RUSTSEC-YYYY-NNNN",  # Reason for ignoring
]

See cargo-audit reference.

cargo-deny (Advisories + More)

cargo-deny's advisory check complements cargo-audit with additional sources:

# Check advisories only
cargo deny check advisories

# All checks (advisories + licenses + bans + sources)
cargo deny check

See the License section below for full cargo-deny configuration.

License: Compliance Checking

cargo-deny License Check

# deny.toml
[licenses]
allow = [
    "MIT",
    "Apache-2.0",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ISC",
    "Unicode-3.0",
]
confidence-threshold = 0.8

[[licenses.clarify]]
name = "ring"
expression = "MIT AND ISC AND OpenSSL"
license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]

# Check licenses
cargo deny check licenses

# Generate deny.toml template
cargo deny init

See cargo-deny reference.

Supply Chain: Audit Verification

cargo-vet (Mozilla)

cargo-vet tracks which crates have been audited and by whom:

# Check supply chain status
cargo vet

# Audit a specific crate (certify you've reviewed it)
cargo vet certify <crate> <version>

# Import audits from trusted organizations
cargo vet trust --all mozilla
cargo vet trust --all google

# See what needs auditing
cargo vet suggest

Key files:

  • supply-chain/audits.toml — Your audits
  • supply-chain/imports.lock — Imported audits
  • supply-chain/config.toml — Trusted sources

See cargo-vet reference.

Unsafe Code: Dependency Safety Audit

cargo-geiger

cargo-geiger quantifies unsafe code usage across your entire dependency tree:

# Quick check: which deps forbid unsafe? (fast, no compilation)
cargo geiger --forbid-only

# Full audit: count unsafe blocks per crate
cargo geiger

# Output as ratio (for CI/scripting)
cargo geiger --forbid-only --output-format ratio

# Markdown report
cargo geiger --output-format markdown > unsafe-report.md

Key flags:

  • --forbid-only: Fast mode — only checks #![forbid(unsafe_code)] (no compilation)
  • --output-format: ratio, markdown, ascii, json
  • --all-features: Check with all features enabled

See cargo-geiger reference.

Combined CI Workflow (GitHub Actions)

name: Dependency Audit
on:
  pull_request:
  schedule:
    - cron: "0 6 * * 1" # Weekly Monday 6am

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable

      - name: cargo-audit
        run: |
          cargo install cargo-audit
          cargo audit

      - name: cargo-deny
        uses: EmbarkStudios/cargo-deny-action@v2

      - name: cargo-vet
        run: |
          cargo install cargo-vet
          cargo vet

      - name: cargo-geiger
        run: |
          cargo install cargo-geiger
          cargo geiger --forbid-only

      - name: cargo-outdated
        run: |
          cargo install cargo-outdated
          cargo outdated --root-deps-only --exit-code 1

Reference Documents

Troubleshooting

| Problem | Solution | | ----------------------------------- | ----------------------------------------------------------- | | cargo audit stale database | Run cargo audit fetch to update RUSTSEC DB | | cargo deny false positive license | Add [[licenses.clarify]] entry in deny.toml | | cargo vet too many unaudited | Import trusted org audits: cargo vet trust --all mozilla | | cargo outdated shows yanked | Run cargo update first to refresh Cargo.lock | | Private registry crates | Configure [sources] in deny.toml for private registries | | Workspace vs single crate | Most tools support --workspace flag |