Sets up three-layer Rust dependency defense: cargo-deny for policy enforcement/licenses/bans, Dependabot for updates, osv-scanner for vulnerabilities. Includes configs and CI integration.
Install: npx claudepluginhub sbom-tool/gh-guard
Slash command: /gh-guard:dependency-policy
A robust dependency policy uses three complementary layers: cargo-deny for policy enforcement, Dependabot for automated updates, and osv-scanner for vulnerability detection.
| Layer | Tool | What It Does | When It Runs |
|---|---|---|---|
| Policy | cargo-deny | Enforce license, ban, source, and advisory rules | CI (every PR) |
| Updates | Dependabot | Auto-create PRs for dependency updates | Weekly |
| Scanning | osv-scanner | Detect known vulnerabilities | CI + scheduled |
[graph] — Define which targets to check:

```toml
[graph]
targets = [
    "x86_64-unknown-linux-gnu",
    "aarch64-apple-darwin",
    "x86_64-pc-windows-msvc",
]
all-features = true
```

[advisories] — Security advisory handling:

```toml
[advisories]
unmaintained = "workspace"  # or "all"
ignore = []                 # Add RUSTSEC IDs to temporarily ignore
```

[licenses] — License allowlist:

```toml
[licenses]
confidence-threshold = 0.93
allow = [
    "MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause",
    "ISC", "MPL-2.0", "Unicode-3.0", "CC0-1.0", "Zlib",
]
```

[bans] — Dependency bans:

```toml
[bans]
multiple-versions = "warn"  # Warn on duplicate deps (different versions)
wildcards = "deny"          # Deny wildcard version requirements
highlight = "all"           # Show all duplicates, not just first
deny = [
    { name = "openssl", wrappers = [] },      # Ban openssl
    { name = "openssl-sys", wrappers = [] },  # Ban openssl-sys
]
```

[sources] — Source origin control:

```toml
[sources]
unknown-registry = "deny"  # Only allow known registries
unknown-git = "deny"       # No git dependencies
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
```
GOTCHA: cargo-deny v0.19 made breaking changes:
- `vulnerability` key dropped from [advisories]
- "all" or "workspace" for unmaintained/unsound checks
- deny.toml format changed — check your version

Split into two matrix legs for best UX:
```yaml
# Job fragment: the advisories leg may fail without blocking the PR,
# the bans/licenses/sources leg is a hard gate.
deny:
  strategy:
    matrix:
      checks:
        - advisories
        - bans licenses sources
  continue-on-error: ${{ matrix.checks == 'advisories' }}
```
```yaml
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
```
Two ecosystems:
- github-actions — keeps action SHAs up to date (important for Scorecard Pinned-Dependencies)
- cargo — keeps Rust dependencies fresh

open-pull-requests-limit: 5 — Prevents Dependabot from flooding you with PRs. The default is 5, but you can increase it for actively maintained projects.
For projects with many dependencies, group minor/patch updates:
```yaml
  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      minor-and-patch:
        update-types:
          - "minor"
          - "patch"
```
You need osv-scanner.toml when your project contains non-Rust package references that trigger false positives:
```toml
# osv-scanner.toml
[[PackageOverrides]]
ecosystem = "npm"
ignore = true
reason = "Test fixture data, not actual dependencies"

[[PackageOverrides]]
ecosystem = "PyPI"
ignore = true
reason = "Test fixture data, not actual dependencies"
```
GOTCHA: osv-scanner.toml does NOT propagate to child directories. If you have fixtures in tests/fixtures/, that directory needs its own osv-scanner.toml or the overrides won't apply to files scanned within it.
The Scorecard Vulnerabilities check uses GitHub's dependency graph API, not local osv-scanner.toml. This means:
- osv-scanner.toml helps with local/CI scans but may not fix Scorecard false positives

Templates:
- templates/deny.toml — Complete cargo-deny configuration
- templates/dependabot.yml — Dependabot for cargo + github-actions
- templates/osv-scanner.toml — osv-scanner with common ecosystem overrides