### Install and Run cargo-deny
Source: https://embarkstudios.github.io/cargo-deny/index.html

Installs cargo-deny, initializes your project with a default configuration, then runs all of the checks against your project.

```bash
cargo install --locked cargo-deny && cargo deny init && cargo deny check
```

--------------------------------

### Cargo-Deny Top-Level Config Example
Source: https://embarkstudios.github.io/cargo-deny/print.html

The `[graph]` table is the first top-level table of `deny.toml`; it controls how the dependency graph that every check runs against is constructed.

```toml
[graph]
```

--------------------------------

### Cargo-Deny Configuration Example
Source: https://embarkstudios.github.io/cargo-deny/print.html

Skeleton of the `[sources]` fields for allowed Git repositories and organizations. `allow-git` lives in the `[sources]` table; the `allow-org` sub-table allows every repository of the listed GitHub, GitLab, or Bitbucket organizations.

```toml
[sources]
allow-git = []

[sources.allow-org]
github = []
gitlab = []
bitbucket = []
```

--------------------------------

### Install cargo-deny from Source
Source: https://embarkstudios.github.io/cargo-deny/print.html

Installs cargo-deny by compiling it from source using Cargo. Requires Rust and a C toolchain. `--locked` builds with the exact dependency versions recorded in cargo-deny's own `Cargo.lock` instead of re-resolving them.

```bash
cargo install --locked cargo-deny
```

--------------------------------

### Global and Project-Local License Configuration
Source: https://embarkstudios.github.io/cargo-deny/print.html

This example demonstrates a configuration where `Apache-2.0` and `MIT` are globally allowed, with a specific exception for the `cloudabi` crate to allow `BSD-2-Clause`. Because the exception is scoped to one crate, a second crate that also needs `BSD-2-Clause` still produces a diagnostic.

```toml
[licenses]
allow = [
    "Apache-2.0",
    "MIT",
]
exceptions = [
    # This is the only crate that cannot be licensed with either Apache-2.0
    # or MIT, so we just add an exception for it, meaning we'll get a warning
    # if we add another crate that also requires this license
    { crate = "cloudabi", allow = ["BSD-2-Clause"] },
]
```

--------------------------------

### Install cargo-deny from Crates.io
Source: https://embarkstudios.github.io/cargo-deny/cli/index.html

Install the latest release of cargo-deny from Crates.io using Cargo. Ensure Cargo's bin directory is in your PATH.
```bash
cargo install --locked cargo-deny
```

--------------------------------

### Install cargo-deny via Pacman
Source: https://embarkstudios.github.io/cargo-deny/cli/index.html

Install cargo-deny on Arch Linux using the pacman package manager.

```bash
pacman -S cargo-deny
```

--------------------------------

### Allowing Specific GNU Licenses
Source: https://embarkstudios.github.io/cargo-deny/print.html

When dealing with GNU licenses, specify exact versions or `-or-later` expressions; each form that appears in your dependency tree must be listed explicitly, which is why this example lists both `GPL-3.0` and `GPL-3.0-or-later` alongside `GPL-2.0-or-later`.

```toml
[licenses]
allow = ['GPL-2.0-or-later', 'GPL-3.0', 'GPL-3.0-or-later']
```

--------------------------------

### Install cargo-deny from Git Repository
Source: https://embarkstudios.github.io/cargo-deny/cli/index.html

Install the development version of cargo-deny directly from its Git repository. This includes the latest bug fixes and features, but it tracks the repository's default branch rather than a released, tagged version; for a reproducible install, pin a commit with `--rev`.

```bash
cargo install --locked --git https://github.com/EmbarkStudios/cargo-deny cargo-deny
```

--------------------------------

### Cargo.toml for Private Crate
Source: https://embarkstudios.github.io/cargo-deny/print.html

Example Cargo.toml showing a private package with a placeholder license. `publish = false` is what marks the crate as private; with `[licenses.private] ignore = true` in `deny.toml`, cargo-deny skips license checking for it, so the placeholder license string is never evaluated.

```toml
[package]
name = "sekret"
license = '¯\_(ツ)_/¯'
publish = false # "private"!
```

--------------------------------

### Cargo.toml for Crate Publishing to Private Registry
Source: https://embarkstudios.github.io/cargo-deny/print.html

Example Cargo.toml for a crate that publishes only to a specific private registry. For cargo-deny to treat it as private, that registry name must also appear under `[licenses.private] registries`.

```toml
[package]
name = "sekret"
license = '¯\_(ツ)_/¯'
publish = ["sauce"]
```

--------------------------------

### Cargo-Deny List Command: JSON Output Format
Source: https://embarkstudios.github.io/cargo-deny/print.html

Help text for the `-f, --format` option of `cargo deny list`; pass `--format json` for machine-readable output.
```text
-f, --format
The format of the output
* human (default) - Simple format where each crate or license is its own line
* json
* tsv
```

--------------------------------

### Crate-Specific License Exceptions
Source: https://embarkstudios.github.io/cargo-deny/print.html

Use the `exceptions` field to define specific license allowances for individual crates. This example allows `CDDL-1.0` only for the `inferno` crate.

```toml
[licenses]
exceptions = [
    # Each entry is the crate and version constraint, and its specific allow list.
    { allow = ["CDDL-1.0"], crate = "inferno" },
]
```

--------------------------------

### Manual Download and Run Script
Source: https://embarkstudios.github.io/cargo-deny/cli/index.html

A bash script to manually download, unpack, and run a specific version of cargo-deny. This is useful if you prefer not to use the GitHub Action or direct installation methods. The script pins a version but performs no checksum or signature verification of the downloaded archive; verify the release artifact before running it in CI.

```bash
#!/bin/bash
set -eu

NAME="cargo-deny"
VS="0.8.5"
DIR="/tmp/$NAME"

mkdir "$DIR"

# Download the tarball
curl -L -o "$DIR/archive.tar.gz" "https://github.com/EmbarkStudios/$NAME/releases/download/$VS/$NAME-$VS-x86_64-unknown-linux-musl.tar.gz"

# Unpack the tarball into the temp directory
tar -xzvf "$DIR/archive.tar.gz" --strip-components=1 -C "$DIR"

# Run cargo deny check in our current directory
"$DIR/$NAME" -L debug check bans licenses advisories
```

--------------------------------

### Configure unmaintained crate handling
Source: https://embarkstudios.github.io/cargo-deny/checks/advisories/index.html

Customize how cargo-deny handles advisories for unmaintained crates. This example configures it to only error if an unmaintained crate is directly depended upon from the workspace.

```toml
[advisories]
unmaintained = "workspace"
```

--------------------------------

### Clarifying Crate Licenses
Source: https://embarkstudios.github.io/cargo-deny/print.html

The `clarify` field allows manual assignment of a crate's SPDX license expression.
This example clarifies the license for the `webpki` crate as `ISC`, referencing a specific `LICENSE` file and its hash. cargo-deny compares the hash against the file's contents, so the clarification stops applying if the license text changes instead of being silently carried forward.

```toml
[[licenses.clarify]]
crate = "webpki"
expression = "ISC"
license-files = [
    { path = "LICENSE", hash = 0x001c7e6c },
]
```

--------------------------------

### Initialize cargo-deny configuration
Source: https://embarkstudios.github.io/cargo-deny/cli/init.html

Run this command in your project's root directory to create a default `deny.toml` configuration file.

```bash
cargo deny init
```

--------------------------------

### Cargo-Deny Check Command: Example Diagnostic Message
Source: https://embarkstudios.github.io/cargo-deny/print.html

An example of how cargo-deny displays crate inclusion information when the inclusion graph is not hidden.

```text
some diagnostic message
the-crate
├── a-crate
└── b-crate
    └── c-crate
```

--------------------------------

### Initialize cargo-deny configuration with a custom path
Source: https://embarkstudios.github.io/cargo-deny/cli/init.html

Specify a custom path for the `deny.toml` configuration file instead of using the default location in the current working directory.

```bash
cargo deny init path/to/config.toml
```

--------------------------------

### Run cargo-deny sources check
Source: https://embarkstudios.github.io/cargo-deny/checks/sources/index.html

Execute the cargo-deny sources check to verify trusted crate sources.

```bash
cargo deny check sources
```

--------------------------------

### Configure advisories check with custom databases
Source: https://embarkstudios.github.io/cargo-deny/print.html

This configuration sets up the advisories check with a custom advisory database URL and a local database path, and specifies how to handle yanked, unmaintained, and unsound crates, how stale the database may be, and how to report ignore entries that no longer match anything.
```toml
[advisories]
db-path = "~/.cargo/advisories-db"
db-urls = ["https://github.com/RustSec/advisory-db"]
yanked = "warn"
unmaintained = "all"
unsound = "workspace"
git-fetch-with-cli = false
maximum-db-staleness = "P90D"
unused-ignored-advisory = "warn"
```

--------------------------------

### Opt-in to Fetching Advisory Databases with Git CLI
Source: https://embarkstudios.github.io/cargo-deny/print.html

The `git-fetch-with-cli` field allows opting into using the git CLI for fetching advisory databases instead of `gix`. Set to `true` to enable; `false` is the default.

```toml
[advisories]
git-fetch-with-cli = true
```

--------------------------------

### Basic license configuration
Source: https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html

Configure license checks with unused allowed license warnings, confidence thresholds, and explicit allow lists. Includes settings for private registries and exceptions for specific crates. The `exceptions` and `clarify` entries here use the older `name`/`version` keys; the `crate = "name@version"` form used elsewhere on this page is the newer spelling.

```toml
[licenses]
unused-allowed-license = "warn"
confidence-threshold = 0.95
allow = [
    "EUPL-1.2",
    "Apache-2.0 WITH LLVM-exception",
]

[licenses.private]
ignore = true
registries = ["sekrets"]

[[licenses.exceptions]]
allow = ["Zlib"]
name = "adler32"
version = "0.1.1"

[[licenses.clarify]]
name = "ring"
expression = "MIT AND ISC AND OpenSSL"
license-files = [
    { path = "LICENSE", hash = 0xbd0eed23 }
]
```

--------------------------------

### Configure Allowed Licenses and Exceptions
Source: https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html

Define globally allowed licenses and specific exceptions for crates that require different licenses. An exception extends the allow list for one crate only; it does not widen the global policy.
```toml
[licenses]
allow = [
    "Apache-2.0",
    "MIT",
]
exceptions = [
    # This is the only crate that cannot be licensed with either Apache-2.0
    # or MIT, so we just add an exception for it, meaning we'll get a warning
    # if we add another crate that also requires this license
    { crate = "cloudabi", allow = ["BSD-2-Clause"] },
]
```

--------------------------------

### Bypass Global Checks for a Specific Crate
Source: https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html

Suppresses the build-file lints on a crate-by-crate basis using a PackageSpec. `bypass` is an array of tables under `[bans.build]`; this example starts a bypass entry for a crate named `crate-name`.

```toml
[[bans.build.bypass]]
crate = "crate-name"
```

--------------------------------

### Enable Built-in Glob Patterns for Scripting Languages
Source: https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html

If `true`, enables the builtin glob patterns for common languages that tend to be installed on most developer machines, such as python. The field belongs to the `[bans.build]` table.

```toml
[bans.build]
enable-builtin-globs = true
```

--------------------------------

### Run Licenses Check
Source: https://embarkstudios.github.io/cargo-deny/checks/licenses/index.html

Execute the cargo-deny licenses check to verify compliance with configured license terms.

```bash
cargo deny check licenses
```

--------------------------------

### Bypass Scanning of Files Matching Glob Patterns
Source: https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html

Bypasses scanning of files that match one or more of the glob patterns specified. This example scans for `.cs` files and then exempts those matching `scripts/*.cs` for a specific crate.

```toml
[bans.build]
script-extensions = ["cs"]

[[bans.build.bypass]]
crate = "crate-name"
allow-globs = [
    "scripts/*.cs",
]
```

--------------------------------

### Basic Advisories Configuration
Source: https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html

Configures advisory database URLs, local path, and severity levels for yanked, unmaintained, and unsound advisories.
```toml
[advisories]
db-urls = ["https://github.com/RustSec/advisory-db"]
db-path = "~/.cargo/advisory-dbs" # Or wherever $CARGO_HOME/advisory-dbs resolves to
yanked = "warn"
unmaintained = "all"
unsound = "workspace"
git-fetch-with-cli = false
maximum-db-staleness = "P90D" # Only checked when advisory database fetching has been disabled
unused-ignored-advisory = "warn"
```

--------------------------------

### Run cargo-deny bans check
Source: https://embarkstudios.github.io/cargo-deny/checks/bans/index.html

Execute the bans check for your project to identify denied crates or version conflicts.

```bash
cargo deny check bans
```

--------------------------------

### Configure Build Executables and Bypass Rules
Source: https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html

This configuration snippet denies native executables in crates that run at build time and defines bypass rules for specific files within one crate. The `allow` field specifies the path and optional checksum of a file to bypass scanning; supplying the checksum ties the bypass to the exact binary that was reviewed rather than to a path that could later hold something else.

```toml
[bans.build]
executables = "deny"

[[bans.build.bypass]]
crate = "crate-name"
allow = [
    { path = "bin/x86_64-linux", checksum = "5392f0e58ad06e089462d93304dfe82337acbbefb87a0749a7dc2ed32af04af7" }
]
```

--------------------------------

### Basic Crate Bans Configuration
Source: https://embarkstudios.github.io/cargo-deny/print.html

This snippet shows a basic configuration for crate bans, including multiple versions, wildcards, and specific allow/deny lists for crates and their versions. It also demonstrates how to skip certain crates or features and how the build-time file checks are configured.
```toml
[bans]
multiple-versions = "deny"
wildcards = "deny"
allow-wildcard-paths = true
highlight = "simplest-path"
workspace-default-features = "warn"
external-default-features = "deny"
allow = [
    { name = "all-versionsa" },
    "version-rangea:<0.1.1",
    "specific-versionb@0.1.2",
    "any-version",
]
deny = [
    "specific-versiond@0.1.9",
    { name = "all-versionsd", wrappers = [
        "specific-versiona",
    ], reason = "we want to get rid of this crate but there is still one user of it" },
]
skip-tree = [{ name = "blah", depth = 20 }]

[bans.workspace-dependencies]
duplicates = "allow"
include-path-dependencies = false
unused = "allow"

[[bans.skip]]
name = "rand"
version = "=0.6.5"

[[bans.features]]
name = "featured-krate"
version = "1.0"
deny = ["bad-feature"]
allow = ["good-feature"]
exact = true
reason = "`bad-feature` is bad"

[bans.build]
allow-build-scripts = [{ name = "all-versionsa" }]
executables = "warn"
interpreted = "deny"
script-extensions = ["cs"]
enable-builtin-globs = true
include-dependencies = true
include-workspace = true
include-archives = true

[[bans.build.bypass]]
name = "allversionsa"
build-script = "5392f0e58ad06e089462d93304dfe82337acbbefb87a0749a7dc2ed32af04af7"
required-features = ["feature-used-at-build-time"]
allow-globs = ["scripts/*.cs"]
allow = [
    { path = "bin/x86_64-linux", checksum = "5392f0e58ad06e089462d93304dfe82337acbbefb87a0749a7dc2ed32af04af7" },
]
```

--------------------------------

### Configure advisories check with ignore list
Source: https://embarkstudios.github.io/cargo-deny/print.html

This configuration sets up the advisories check with a local database path, custom database URLs, and an ignore list for specific advisories. It also configures the handling of unmaintained and unused ignored advisories.
```toml
[advisories]
db-path = "~/.cargo/advisories-db"
db-urls = ["https://github.com/RustSec/advisory-db"]
ignore = [
    "RUSTSEC-0000-0000",
    "crate@0.1",
    { crate = "yanked", reason = "a new version has not been released" },
]
unmaintained = "workspace"
unused-ignored-advisory = "warn"
```

--------------------------------

### Configure Handling of Native Executables
Source: https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html

Controls how native executables found in crates that execute at compile time are handled. Options are `deny` (the default), `warn`, or `allow`. The check reads file headers rather than relying on file extensions or the executable bit, so it works across platforms.

```toml
[bans.build]
executables = "deny" # deny (default), warn, or allow
```

--------------------------------

### Provide a reason for allowing a package
Source: https://embarkstudios.github.io/cargo-deny/print.html

Similar to denying crates, the `reason` field can be used with the `allow` configuration to explain why a crate is permitted. This information appears in diagnostic output.

```toml
[bans]
allow = [{ crate = "package-spec", reason = "the reason this crate is allowed" }]
```

--------------------------------

### Ignoring Specific Advisories and Yanked Crates
Source: https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html

Demonstrates how to ignore advisories by ID, or by crate name and version, with optional reasons. Also shows how to ignore specific yanked crate versions.
```toml
[advisories]
ignore = [
    "RUSTSEC-0000-0000",
    { id = "RUSTSEC-0000-0000", reason = "this vulnerability does not affect us as we don't use the particular code path" },
    "yanked@0.1.1",
    { crate = "yanked-crate@0.1.1", reason = "a semver compatible version hasn't been published yet" },
]
```

--------------------------------

### Run cargo-deny advisories check
Source: https://embarkstudios.github.io/cargo-deny/checks/advisories/index.html

Execute the advisories check to scan crates for known issues using the default advisory database.

```bash
cargo deny check advisories
```

--------------------------------

### Cargo-Deny List Command: Layout Options
Source: https://embarkstudios.github.io/cargo-deny/print.html

Help text for the `-l, --layout` option of `cargo deny list`, which organizes the output by license or by crate.

```text
-l, --layout
The layout of the output. Does not apply to the `tsv` format.
* license (default) - Each license acts as the key, and the values are all of the crates that use that license
* crate - Each crate is a key, and the values are the list of licenses it uses.
```

--------------------------------

### Configure Source Handling in cargo-deny
Source: https://embarkstudios.github.io/cargo-deny/checks/sources/cfg.html

This TOML configuration sets up rules for handling various crate sources. It specifies actions for unknown registries and git repositories, lists allowed registries and git URLs, and defines private repository sources. Two of the example values are the permissive choice: `unknown-registry = "allow"` accepts crates from any registry not in the list, and `required-git-spec = "tag"` accepts git dependencies pinned only to a tag, which the upstream repository can move; `"rev"` requires an immutable commit hash.
```toml
[sources]
unknown-registry = "allow"
unknown-git = "deny"
required-git-spec = "tag"
allow-registry = [
    "https://sekretz.com/registry/index",
    "sparse+https://fake.sparse.com",
]
allow-git = [
    "https://notgithub.com/orgname/reponame.git",
]
private = [
    "https://internal-host/repos",
]
unused-allowed-source = "warn"

[sources.allow-org]
github = [
    "yourghid",
    "YourOrg",
]
gitlab = [
    "gitlab-org",
]
bitbucket = [
    "atlassian",
]
```

--------------------------------

### Specify configuration file for cargo-deny
Source: https://embarkstudios.github.io/cargo-deny/cli/check.html

Path to the config to use. Defaults to `<cwd>/deny.toml` if not specified.

```bash
cargo deny check -c deny.toml
```

--------------------------------

### Configure bans section in cargo-deny
Source: https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html

This TOML snippet shows a comprehensive configuration for the `[bans]` section, including rules for multiple versions, wildcards, default features, and explicit allow/deny lists for crate versions and wrappers. It also demonstrates how to configure workspace dependencies, skip specific crates, and manage features for crates.
```toml
[bans]
multiple-versions = "deny"
wildcards = "deny"
allow-wildcard-paths = true
highlight = "simplest-path"
workspace-default-features = "warn"
external-default-features = "deny"
allow = [
    { name = "all-versionsa" },
    "version-rangea:<0.1.1",
    "specific-versionb@0.1.2",
    "any-version",
]
deny = [
    "specific-versiond@0.1.9",
    { name = "all-versionsd", wrappers = [
        "specific-versiona",
    ], reason = "we want to get rid of this crate but there is still one user of it" },
]
skip-tree = [{ name = "blah", depth = 20 }]

[bans.workspace-dependencies]
duplicates = "allow"
include-path-dependencies = false
unused = "allow"

[[bans.skip]]
name = "rand"
version = "=0.6.5"

[[bans.features]]
name = "featured-krate"
version = "1.0"
deny = ["bad-feature"]
allow = ["good-feature"]
exact = true
reason = "`bad-feature` is bad"

[bans.build]
allow-build-scripts = [{ name = "all-versionsa" }]
executables = "warn"
interpreted = "deny"
script-extensions = ["cs"]
enable-builtin-globs = true
include-dependencies = true
include-workspace = true
include-archives = true

[[bans.build.bypass]]
name = "allversionsa"
build-script = "5392f0e58ad06e089462d93304dfe82337acbbefb87a0749a7dc2ed32af04af7"
required-features = ["feature-used-at-build-time"]
allow-globs = ["scripts/*.cs"]
allow = [
    { path = "bin/x86_64-linux", checksum = "5392f0e58ad06e089462d93304dfe82337acbbefb87a0749a7dc2ed32af04af7" },
]
```

--------------------------------

### Project-local license exceptions
Source: https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html

Define license exceptions for specific crates within a project using a TOML file. This allows for granular control over licenses for individual dependencies.

```toml
[licenses]
exceptions = [
    # Each entry is the crate and version constraint, and its specific allow list.
    { allow = ["CDDL-1.0"], crate = "inferno" },
]
```

--------------------------------

### Provide a reason for denying a package
Source: https://embarkstudios.github.io/cargo-deny/print.html

The `reason` field in the `deny` configuration allows you to specify a string explaining why a crate is banned. This message will be included in diagnostic output.

```toml
[bans]
deny = [{ crate = "package-spec", reason = "the reason this crate is banned" }]
```

--------------------------------

### Default cargo-deny configuration template
Source: https://embarkstudios.github.io/cargo-deny/cli/init.html

This template includes all possible sections and their default values for `deny.toml`. The excerpt reproduced here covers graph construction, output options, and the start of the advisories section.

```toml
# This template contains all of the possible sections and their default values
# Note that all fields that take a lint level have these possible values:
# * deny - An error will be produced and the check will fail
# * warn - A warning will be produced, but the check will not fail
# * allow - No warning or error will be produced, though in some cases a note
# will be

# The values provided in this template are the default values that will be used
# when any section or field is not specified in your own configuration

# Root options

# The graph table configures how the dependency graph is constructed and thus
# which crates the checks are performed against
[graph]
# If 1 or more target triples (and optionally, target_features) are specified,
# only the specified targets will be checked when running `cargo deny check`.
# This means, if a particular package is only ever used as a target specific
# dependency, such as, for example, the `nix` crate only being used via the
# `target_family = "unix"` configuration, that only having windows targets in
# this list would mean the nix crate, as well as any of its exclusive
# dependencies not shared by any other crates, would be ignored, as the target
# list here is effectively saying which targets you are building for.
targets = [
    # The triple can be any string, but only the target triples built in to
    # rustc (as of 1.40) can be checked against actual config expressions
    #"x86_64-unknown-linux-musl",
    # You can also specify which target_features you promise are enabled for a
    # particular target. target_features are currently not validated against
    # the actual valid features supported by the target architecture.
    #{ triple = "wasm32-unknown-unknown", features = ["atomics"] },
]
# When creating the dependency graph used as the source of truth when checks are
# executed, this field can be used to prune crates from the graph, removing them
# from the view of cargo-deny. This is an extremely heavy hammer, as if a crate
# is pruned from the graph, all of its dependencies will also be pruned unless
# they are connected to another crate in the graph that hasn't been pruned,
# so it should be used with care. The identifiers are [Package ID Specifications]
# (https://doc.rust-lang.org/cargo/reference/pkgid-spec.html)
#exclude = []
# If true, metadata will be collected with `--all-features`. Note that this can't
# be toggled off if true, if you want to conditionally enable `--all-features` it
# is recommended to pass `--all-features` on the cmd line instead
all-features = false
# If true, metadata will be collected with `--no-default-features`. The same
# caveat with `all-features` applies
no-default-features = false
# If set, these feature will be enabled when collecting metadata.
# If `--features` is specified on the cmd line they will take precedence over this option.
#features = []

# The output table provides options for how/if diagnostics are outputted
[output]
# When outputting inclusion graphs in diagnostics that include features, this
# option can be used to specify the depth at which feature edges will be added.
# This option is included since the graphs can be quite large and the addition
# of features from the crate(s) to all of the graph roots can be far too verbose.
# This option can be overridden via `--feature-depth` on the cmd line
feature-depth = 1

# This section is considered when running `cargo deny check advisories`
# More documentation for the advisories section can be found here:
# https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html
[advisories]
# The path where the advisory databases are cloned/fetched into
#db-path = "$CARGO_HOME/advisory-dbs"
# The url(s) of the advisory databases to use
#db-urls = ["https://github.com/rustsec/advisory-db"]
# A list of advisory IDs to ignore. Note that ignored advisories will still
# output a note when they are encountered.
ignore = [
    #"RUSTSEC-0000-0000",
    #{ id = "RUSTSEC-0000-0000", reason = "you can specify a reason the advisory is ignored" },
    #"a-crate-that-is-yanked@0.1.1", # you can also ignore yanked crate versions if you wish
    #{ crate = "a-crate-that-is-yanked@0.1.1", reason = "you can specify why you are ignoring the yanked crate" },
]
# If this is true, then cargo deny will use the git executable to fetch advisory database.
```

--------------------------------

### Configure skipped dependency trees with `skip-tree`
Source: https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html

The `skip-tree` field allows skipping a crate and all its direct and transitive dependencies when checking for duplicate versions. You can optionally specify a `depth` to limit how many levels of dependencies are skipped. By default, the depth is infinite.
```toml
[bans]
skip-tree = [
    "windows-sys<=0.52", # will skip this crate and _all_ direct and transitive dependencies
    { crate = "windows-sys<=0.52", reason = "several crates use the outdated 0.42 and 0.45 versions" },
    { crate = "windows-sys<=0.52", depth = 3, reason = "several crates use the outdated 0.42 and 0.45 versions" },
]
```

--------------------------------

### Generate dotviz graph for duplicate crates
Source: https://embarkstudios.github.io/cargo-deny/cli/check.html

If set, a dotviz graph will be created whenever multiple versions of the same crate are detected. Each file will be created at `<dir>/graph_output/<crate_name>.dot` and the directory is recreated each run.

```bash
cargo deny check --graph graph_output/
```

--------------------------------

### Check Sources Command
Source: https://embarkstudios.github.io/cargo-deny/print.html

Command to run the sources check in cargo-deny.
```bash
cargo deny check sources
```

--------------------------------

### Unsound Advisories Configuration
Source: https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html

Configures how unsound advisories are handled, with options to fail for all crates, only for workspace crates, only for transitive dependencies, or to ignore them completely.

```toml
[advisories]
unsound = 'workspace'
```

--------------------------------

### Deny crate versions with predicates
Source: https://embarkstudios.github.io/cargo-deny/checks/cfg.html

Append version predicates after a colon to specify version requirements for a crate. This allows for more granular control over which versions are denied.

```toml
[bans]
deny = ["simple:<=0.1,>0.2"]
```

--------------------------------

### Allow specific packages
Source: https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html

The `allow` field specifies package specifications for crates that are permitted. If an `allow` list is present, any crate not on the list will be denied, which turns the bans check into an allow-list of the whole dependency graph.

```toml
[bans]
allow = ["package-spec"]
```

--------------------------------

### Allowing specific GNU licenses
Source: https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html

Explicitly list allowed GNU licenses, including variations like `GPL-3.0-or-later`. This demonstrates pedantic handling of GNU licenses as of cargo-deny version 0.18.4.

```toml
[licenses]
allow = ['GPL-2.0-or-later', 'GPL-3.0', 'GPL-3.0-or-later']
```

--------------------------------

### Configure workspace dependencies for bans
Source: https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html

This TOML snippet configures how `[workspace.dependencies]` are handled by cargo-deny. It specifies rules for duplicate workspace dependencies, whether to include path dependencies in checks, and how to treat unused workspace dependencies.
```toml
[bans.workspace-dependencies]
duplicates = 'deny'
include-path-dependencies = true
unused = 'deny'
```

--------------------------------

### Deny crates using the crate format
Source: https://embarkstudios.github.io/cargo-deny/checks/cfg.html

The crate format uses a `crate` key for the package specifier and an optional `wrappers` key listing the crates that are still allowed to depend on the banned crate directly. This is the recommended modern format.

```toml
[bans]
deny = [
    { crate = "simple@0.1.0" }, # equivalent to "simple@0.1.0"
    { crate = "simple", wrappers = ["example"] },
]
```

--------------------------------

### Define Script Extensions to Scan
Source: https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html

Scans crates that execute at compile time for any files with the specified extension(s), emitting an error for every match. The field belongs to the `[bans.build]` table.

```toml
[bans.build]
script-extensions = ["cs"] # List of extensions to scan for
```

--------------------------------

### Custom license identifiers and clarifications
Source: https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html

Use custom license identifiers prefixed with `LicenseRef-` and clarify licenses for specific crates. This is useful for crates that do not use standard SPDX identifiers.
```toml
[licenses]
allow = [
    # The Apache license identifier
    "Apache-2.0",
    # A custom license identifier
    "LicenseRef-Embark-Custom",
]

# Custom license refs can be specified for crates which don't use a license
# in the SPDX list
[[licenses.clarify]]
crate = "a-crate"
expression = "LicenseRef-Embark-Custom"
license-files = [
    { path = "LICENSE", hash = 0x001c7e6c },
]
```

--------------------------------

### Cargo-Deny List Command: Color Options
Source: https://embarkstudios.github.io/cargo-deny/print.html

Help text for the `--color` option of `cargo deny list`; the output uses a distinct color for each of the following categories.

```text
--color
Colors:
* SPDX identifier -
* Crate with 1 license -
* Crate with 2 or more licenses -
* Crate with 0 licenses -
```

--------------------------------

### Perform specific checks
Source: https://embarkstudios.github.io/cargo-deny/cli/check.html

The check(s) to perform. By default, all checks will be performed, unless one or more checks are specified here. Use this to target specific checks like `advisories` or `bans`.

```bash
cargo deny check advisories bans
```

--------------------------------

### Allowing Specific Git URLs
Source: https://embarkstudios.github.io/cargo-deny/print.html

Configure which git URLs are allowed for crate sources. If a crate's source is not in one of the listed URLs, the `unknown-git` setting determines how it is handled. The URL must match exactly, though `.git` is stripped if it exists.

```toml
[sources]
allow-git = [
    "https://github.com/EmbarkStudios/cargo-deny",
]
```

--------------------------------

### Configuring the Dependency Graph with `graph`
Source: https://embarkstudios.github.io/cargo-deny/checks/cfg.html

Customize how the dependency graph is constructed. This includes specifying build targets, features, crates to exclude from the graph, and whether dev-dependencies are excluded.
```toml
[graph]
targets = [
    "x86_64-unknown-linux-gnu",
    { triple = "aarch64-apple-darwin" },
    { triple = "x86_64-pc-windows-msvc", features = ["sse2"] },
]
exclude = ["some-crate@0.1.0"]
all-features = true
no-default-features = false
features = ["some-feature"]
exclude-dev = true
```

--------------------------------

### Specify an alternative crate for use

Source: https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html

The `use-instead` field provides a shorthand for banning a crate and suggesting an alternative. This is common when a project has adopted a different crate for the same functionality.

```toml
deny = [{ crate = "openssl", use-instead = "rustls" }]
```

--------------------------------

### Workspace Dependencies Configuration

Source: https://embarkstudios.github.io/cargo-deny/print.html

This snippet configures how workspace dependencies are treated, specifying rules for duplicates, inclusion of path dependencies, and handling of unused dependencies.

```toml
[bans.workspace-dependencies]
duplicates = 'deny'
include-path-dependencies = true
unused = 'deny'
```

--------------------------------

### Default cargo-deny Configuration

Source: https://embarkstudios.github.io/cargo-deny/checks/cfg.html

This is the default configuration for `deny.toml`. It sets up rules for allowed targets, advisories, dependency bans, source restrictions, and license policies.
```toml
[graph]
targets = [
    "x86_64-unknown-linux-gnu",
    "aarch64-unknown-linux-gnu",
    "x86_64-unknown-linux-musl",
    "aarch64-apple-darwin",
    "x86_64-apple-darwin",
    "x86_64-pc-windows-msvc",
]
all-features = true

[advisories]
unmaintained = "workspace"
sound = "all"
ignore = [
]

[bans]
multiple-versions = "deny"
wildcards = 'deny'
deny = [
    { crate = "git2", use-instead = "gix" },
    { crate = "openssl", use-instead = "rustls" },
    { crate = "openssl-sys", use-instead = "rustls" },
    "libssh2-sys",
    { crate = "cmake", use-instead = "cc" },
    { crate = "windows", reason = "bloated and unnecessary", use-instead = "ideally inline bindings, practically, windows-sys" },
]
skip = [
    { crate = "getrandom@0.2.17", reason = "ring uses this old version" },
    { crate = "hashbrown@0.15.5", reason = "petgraph uses this old version" },
]
skip-tree = [
    { crate = "windows-sys", reason = "a foundational crate for many that bumps far too frequently to ever have a shared version" },
]

[sources]
unknown-registry = "deny"
unknown-git = "deny"

[licenses]
# We want really high confidence when inferring licenses from text
confidence-threshold = 0.93
allow = [
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception",
    "MIT",
    "ISC",
    "Unicode-3.0",
    "Zlib",
]
exceptions = [
]
```

--------------------------------

### Custom and Allowed Licenses

Source: https://embarkstudios.github.io/cargo-deny/print.html

Define custom license identifiers using the 'LicenseRef-' prefix and specify allowed licenses, including custom ones. This is useful for crates that do not use standard SPDX identifiers.
```toml
allow = [
    # The Apache license identifier
    "Apache-2.0",
    # A custom license identifier
    "LicenseRef-Embark-Custom",
]

# Custom license refs can be specified for crates which don't use a license
# in the SPDX list
[[licenses.clarify]]
crate = "a-crate"
expression = "LicenseRef-Embark-Custom"
license-files = [
    { path = "LICENSE", hash = 0x001c7e6c },
]
```

--------------------------------

### deny.toml Sources Configuration

Source: https://embarkstudios.github.io/cargo-deny/print.html

Comprehensive configuration for the `cargo deny check sources` command, defining allowed and denied registries and git sources.

```toml
[sources]
unknown-registry = "allow"
unknown-git = "deny"
required-git-spec = "tag"
allow-registry = [
    "https://sekretz.com/registry/index",
    "sparse+https://fake.sparse.com",
]
allow-git = [
    "https://notgithub.com/orgname/reponame.git",
]
private = [
    "https://internal-host/repos",
]
unused-allowed-source = "warn"

[sources.allow-org]
github = [
    "yourghid",
    "YourOrg",
]
gitlab = [
    "gitlab-org",
]
bitbucket = [
    "atlassian",
]
```