50 releases

0.20.0 Feb 16, 2024
0.18.3 Oct 24, 2023
0.17.6 May 10, 2023
0.17.5 Mar 23, 2023
0.2.0 Mar 6, 2017

#89 in Cargo plugins

Download history 14882/week @ 2024-01-30 14792/week @ 2024-02-06 15259/week @ 2024-02-13 14893/week @ 2024-02-20 14443/week @ 2024-02-27 15120/week @ 2024-03-05 17349/week @ 2024-03-12 18322/week @ 2024-03-19 12239/week @ 2024-03-26 14399/week @ 2024-04-02 14277/week @ 2024-04-09 13399/week @ 2024-04-16 13590/week @ 2024-04-23 14010/week @ 2024-04-30 14488/week @ 2024-05-07 13984/week @ 2024-05-14

58,520 downloads per month
Used in 14 crates (13 directly)

Apache-2.0 OR MIT


RustSec: cargo audit

Latest Version Build Status Safety Dance MSRV Apache 2.0 OR MIT licensed Project Chat

Audit your dependencies for crates with security vulnerabilities reported to the RustSec Advisory Database.


cargo audit requires Rust 1.70 or later.


Packaging status

cargo audit is a Cargo subcommand and can be installed with cargo install:

$ cargo install cargo-audit

Once installed, run cargo audit at the toplevel of any Cargo project.

Alpine Linux

# apk add cargo-audit

Arch Linux

# pacman -S cargo-audit


$ brew install cargo-audit


# pkg_add cargo-audit



cargo audit fix subcommand

This tool supports an experimental feature to automatically update Cargo.toml to fix vulnerable dependency requirements.

To enable it, install cargo audit with the fix feature enabled:

$ cargo install cargo-audit --features=fix

Once installed, run cargo audit fix to automatically fix vulnerable dependency requirements in your Cargo.toml:


This will modify Cargo.toml in place. To perform a dry run instead, which shows a preview of what dependencies would be upgraded, run cargo audit fix --dry-run.

cargo audit bin subcommand

Run cargo audit bin followed by the paths to your binaries to audit them:


If your programs have been compiled with cargo auditable, the audit is fully accurate because all the necessary information is embedded in the compiled binary.

For binaries that were not compiled with cargo auditable it will recover a part of the dependency list by parsing panic messages. This will miss any embedded C code (e.g. OpenSSL) as well as roughly half of the Rust dependencies because the Rust compiler is very good at removing unnecessary panics, but that's better than having no vulnerability information whatsoever.

Ignoring advisories

The first and best way to fix a vulnerability is to upgrade the vulnerable crate.

But there may be situations where an upgrade isn't available and the advisory doesn't affect your application. For example the advisory might involve a cargo feature or API that is unused.

In these cases, you can ignore advisories using the --ignore option.

$ cargo audit --ignore RUSTSEC-2017-0001

This option can also be configured via the audit.toml file.

Using cargo audit on Travis CI

To automatically run cargo audit on every build in Travis CI, you can add the following to your .travis.yml:

language: rust
cache: cargo # cache cargo-audit once installed
  - cargo install --force cargo-audit
  - cargo generate-lockfile
  - cargo audit

Using cargo audit on GitHub Action

Please use audit-check action directly.

Reporting Vulnerabilities

Report vulnerabilities by opening pull requests against the RustSec Advisory Database GitHub repo:

Report Vulnerability


Licensed under either of:

at your option.


Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you shall be dual licensed as above, without any additional terms or conditions.


~276K SLoC