bin+lib cargo-pants

cargo-pants is a cargo subcommand application that provides a bill of materials and a list of which dependencies have a vulnerability, powered by Sonatype OSSIndex

32 releases

0.1.24 Apr 6, 2021
0.1.23 Mar 2, 2021
0.1.21 Feb 11, 2021
0.1.17 Dec 16, 2020
0.1.1 Mar 27, 2019

cargo pants

cargo-pants is a Cargo subcommand that produces a bill of materials for a project and lists any vulnerabilities found in those dependencies, powered by Sonatype OSS Index.

Why pants?

Don't you check your pants for holes? Similarly, we think you should check your app's dependencies for vulnerabilities, and that's what cargo-pants does! As well, we provide a Bill Of Materials from parsing your Cargo.lock file, so you can see all the dependencies you are using.


cargo-pants was built with Rust 1.49.0; you should likely start there.


cargo-pants is a Cargo subcommand, and can be installed using cargo install:

$ cargo install cargo-pants

Set the environment variable OSS_INDEX_API_KEY to authenticate requests to OSS Index with your API key.

Once you have installed cargo-pants, you can run it like so:

$ cargo pants


cargo pants can be run in your build's context or run separately. Two command line options are supported:

$ cargo pants --lockfile /path/to/Cargo.lock

This allows you to run cargo pants on a Cargo.lock file anywhere on your filesystem.

If this option is not supplied, cargo pants will assume a local Cargo.lock file.

We will also inform you of our opinions of your pants style choice:

$ cargo pants --pants_style JNCO

We are very serious about pants.

There is also the option to show all non-vulnerable dependencies for a complete Bill of Materials.

$ cargo pants --loud --lockfile /path/to/Cargo.lock

If vulnerabilities are found, cargo-pants exits with status code 3 and prints the Bill of Materials together with the vulnerabilities found. If there are no issues, it exits with status code 0.
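The Bill of Materials step described above, as an added example that is not cargo-pants' own code: a small hand-rolled parser that reads the `[[package]]` tables of a Cargo.lock (no toml crate), emits each crate as the Package URL coordinate OSS Index expects, and maps a vulnerability count onto the README's exit-status convention. The sample lockfile is constructed for the example.

```rust
// Added example (not cargo-pants' own code): build the Bill of Materials
// from a Cargo.lock the way the README describes, as OSS Index coordinates
// in Package URL form (pkg:cargo/<name>@<version>). Hand-rolled, no toml crate.
#[derive(Debug, PartialEq)]
pub struct Package {
    pub name: String,
    pub version: String,
}

fn unquote(value: &str) -> String {
    value.trim().trim_matches('"').to_string()
}

/// Collect (name, version) from every `[[package]]` table. Other keys and the
/// top-level `version = N` lockfile format marker are discarded: the pending
/// fields are reset whenever a new `[[package]]` header starts.
pub fn parse_lockfile(lock: &str) -> Vec<Package> {
    let mut packages = Vec::new();
    let (mut name, mut version): (Option<String>, Option<String>) = (None, None);
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            if let (Some(n), Some(v)) = (name.take(), version.take()) {
                packages.push(Package { name: n, version: v });
            }
        } else if let Some((key, value)) = line.split_once('=') {
            match key.trim() {
                "name" => name = Some(unquote(value)),
                "version" => version = Some(unquote(value)),
                _ => {}
            }
        }
    }
    if let (Some(n), Some(v)) = (name, version) {
        packages.push(Package { name: n, version: v });
    }
    packages
}

/// Coordinate accepted by the OSS Index component-report API for a crate.
pub fn purl(p: &Package) -> String {
    format!("pkg:cargo/{}@{}", p.name, p.version)
}

/// Exit status convention from the README: 3 if anything is vulnerable, else 0.
pub fn exit_status(vulnerable_count: usize) -> i32 {
    if vulnerable_count > 0 { 3 } else { 0 }
}

// Constructed sample lockfile, not taken from a real project.
pub const SAMPLE_LOCK: &str = "version = 3\n\n[[package]]\nname = \"example-app\"\nversion = \"0.1.0\"\ndependencies = [\n \"serde\",\n]\n\n[[package]]\nname = \"serde\"\nversion = \"1.0.118\"\nsource = \"registry+https://github.com/rust-lang/crates.io-index\"\n";
```

Feeding `parse_lockfile(SAMPLE_LOCK)` through `purl` yields `pkg:cargo/example-app@0.1.0` and `pkg:cargo/serde@1.0.118`, the list a `--loud` run would report in full.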

CI Usage

Similar to cargo audit but with more pants, you can run cargo pants on your builds on Travis CI using this example config:

language: rust
script:
  - cargo install --force cargo-pants
  - cargo pants

We use CircleCI to build this project. See our CircleCI config: .circleci/config.yml for how we use cargo-pants in our CI build. This file is also a good reference for a number of useful cargo commands.


We care a lot about making the world a safer place, and that's why we created cargo-pants. If you too want to speed up the pace of software development by working on this project, jump on in! Before you start work, create a new issue, or comment on an existing issue, to let others know you are working on it!


The code for cargo-pants was largely written by Glenn Mohre, and we want to give ultimate thanks, kudos, congratulations to Glenn for contributing this to the community. Open Source is awesome, and you help make it better!

The cargo-pants logo was grabbed from www.pexels.com, specifically from this image.

Code for cargo-pants was influenced by cargo-audit, and we acknowledge we stand on the shoulders of giants.

The Fine Print

It is worth noting that this is NOT SUPPORTED by Sonatype, and is a contribution of ours to the open source community (read: you!)


  • Use this contribution at the risk tolerance that you have
  • Do NOT file Sonatype support tickets related to cargo-pants support in regard to this project
  • DO file issues here on GitHub, so that the community can pitch in

Phew, that was easier than I thought. Last but not least of all:

Have fun creating and using cargo-pants and the Sonatype OSS Index, we are glad to have you here!

Getting help

Looking to contribute to our code but need some help? There are a few ways to get information:

