Slash command: `/gh-guard:cargo-vet`

Summary shown in Claude's skill listing (used to decide when to auto-load this skill):
`cargo-vet` ensures third-party dependencies have been audited by you or a trusted organization. It complements `cargo-deny` (which checks licenses, advisories, bans) by adding **human review attestation**.
```bash
# Install
cargo install cargo-vet --locked

# Initialize in your project (creates supply-chain/ directory)
cargo vet init
```
This creates:
```text
supply-chain/
  audits.toml   # Your audits
  config.toml   # Trusted import sources
  imports.lock  # Cached audits from trusted sources
```
Trusted import sources go in `supply-chain/config.toml`:

```toml
[imports.mozilla]
url = "https://raw.githubusercontent.com/nickel-org/nickel.rs/main/supply-chain/audits.toml"

[imports.google]
url = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/AuditEntry?format=TEXT"

[imports.bytecode-alliance]
url = "https://raw.githubusercontent.com/nickel-org/nickel.rs/main/supply-chain/audits.toml"
```
Built-in audit criteria:

- `safe-to-deploy` — full review, no unsafe/unsound issues, safe for production
- `safe-to-run` — lighter review, safe to build and run tests (not ship)

```bash
# See what needs auditing
cargo vet

# Suggest audits — shows which crates need review
cargo vet suggest

# After reviewing a crate, record your audit
cargo vet certify CRATE VERSION

# Or record that you trust the delta between versions
cargo vet certify CRATE OLD_VERSION NEW_VERSION

# When adding a new dep, cargo vet will flag it
cargo vet

# Quick exemption for now (audit later)
cargo vet add-exemption CRATE VERSION
```
Add to the CI workflow after the deny check:

```yaml
vet:
  name: cargo-vet
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@SHA # pin to current version
      with:
        persist-credentials: false
    - uses: dtolnay/rust-toolchain@SHA
      with:
        toolchain: stable
    - run: cargo install cargo-vet --locked
    - run: cargo vet --locked
```
Variations:

- Run `cargo vet suggest` and post results as a PR comment — better for open source
- Use `supply-chain/audits.toml` for rapid iteration, audit later

| Tool | What It Checks | Overlap |
|---|---|---|
| cargo-deny | Licenses, advisories (CVEs), banned crates, source restrictions | No overlap — complementary |
| cargo-vet | Human audit attestation of third-party code | No overlap — complementary |
| cargo-audit | Known vulnerabilities (RustSec DB) | Partially overlaps cargo-deny advisories |
| osv-scanner | Cross-ecosystem vulnerability database | Partially overlaps cargo-audit |

Notes:

- `supply-chain/` must be committed — the audit database is part of your repo
- Run `cargo vet fetch-imports` periodically