Run cargo audit in your project root to scan your Cargo.lock file against the RustSec advisory database for known security vulnerabilities. If you need to treat warnings (unmaintained, unsound or yanked crates) as errors, or tolerate specific known advisories, use the --deny and --ignore flags to control the exit code and reporting behavior.
Here is the basic usage to scan your entire workspace:
# Install the tool if you haven't already
cargo install cargo-audit
# Run the audit in your project directory
cargo audit
If you need to integrate this into a CI pipeline, you can control the output and exit behavior directly. Note that cargo-audit has no severity threshold of its own: every vulnerability fails the run, and --deny extends that to a warning type (warnings, unmaintained, unsound or yanked):
# Also fail on any warning (unmaintained, unsound, yanked) and emit JSON for CI parsing
cargo audit --deny warnings --json
For projects where you must temporarily tolerate a specific vulnerability (e.g., waiting for an upstream fix), create a .cargo/audit.toml file in your project root and list the advisory ID to ignore:
[advisories]
ignore = ["RUSTSEC-2021-0001"]
Running cargo audit after adding this file will skip the ignored advisory but still report others. Remember that cargo-audit reads the Cargo.lock file, so ensure you have committed it to your repository, or run cargo update to generate it before auditing a fresh checkout. The tool exits with code 0 when it finds no vulnerabilities and none of the warning types you have denied, making it safe to use as a gatekeeper in automated workflows. If you encounter a false positive, you can report it to the RustSec project to have the advisory updated or removed.
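Since cargo-audit fails on every vulnerability regardless of severity, the CI gating and the temporary-exception workflow above can be re-applied on top of its JSON report. The following script is an added example, not part of cargo-audit or of this page: it reads the cargo audit --json report from stdin, scores each advisory's CVSS v3.1 vector per the public specification, and fails the build only at or above a threshold, with ignore entries that expire. The report layout it reads (vulnerabilities.list[].advisory.{id,cvss}) mirrors cargo-audit's output; SAMPLE_REPORT and its RUSTSEC-0000-* ids are constructed placeholders.

```python
"""Severity gate over a cargo-audit JSON report (added example, not cargo-audit's own code).
Usage: cargo audit --json | python audit_gate.py
cargo-audit fails on every vulnerability; this re-applies a CVSS threshold plus a
time-limited ignore list. SAMPLE_REPORT is constructed, mirroring the report layout."""
import json, math, sys
from datetime import date
# CVSS v3.1 base-metric weights (from the specification); PR_C applies when Scope is Changed
_W = {"AV": {"N": .85, "A": .62, "L": .55, "P": .2}, "AC": {"L": .77, "H": .44},
      "PR": {"N": .85, "L": .62, "H": .27}, "PR_C": {"N": .85, "L": .68, "H": .5},
      "UI": {"N": .85, "R": .62}, "CIA": {"H": .56, "L": .22, "N": 0.0}}

def _roundup(x):  # CVSS v3.1 Roundup(), in integer arithmetic to avoid float drift
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def cvss31_base_score(vector):  # e.g. "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
    m = dict(p.split(":") for p in vector.split("/")[1:])
    changed = m["S"] == "C"
    iss = 1 - (1 - _W["CIA"][m["C"]]) * (1 - _W["CIA"][m["I"]]) * (1 - _W["CIA"][m["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    pr = (_W["PR_C"] if changed else _W["PR"])[m["PR"]]
    expl = 8.22 * _W["AV"][m["AV"]] * _W["AC"][m["AC"]] * pr * _W["UI"][m["UI"]]
    return 0.0 if impact <= 0 else _roundup(min((1.08 if changed else 1.0) * (impact + expl), 10.0))

def gate(report, threshold=7.0, ignore=None, today=None):
    """Return (exit_code, blocking advisory ids). `ignore` maps RUSTSEC ids to an ISO expiry
    date: tolerated only until then, so a temporary exception cannot silently become permanent."""
    today = date.fromisoformat(today) if today else date.today()
    ignore, blocking = ignore or {}, []
    for vuln in report.get("vulnerabilities", {}).get("list", []):
        adv = vuln["advisory"]
        # An advisory with no CVSS vector is treated as critical, never as harmless
        score = cvss31_base_score(adv["cvss"]) if adv.get("cvss") else 10.0
        until = ignore.get(adv["id"])
        if until and date.fromisoformat(until) >= today:
            continue  # still within the agreed tolerance window
        if score >= threshold:
            blocking.append(adv["id"])
    return (1 if blocking else 0), blocking

# Constructed sample in cargo-audit's report shape; the RUSTSEC-0000-* ids are placeholders
SAMPLE_REPORT = {"vulnerabilities": {"found": True, "count": 2, "list": [
    {"advisory": {"id": "RUSTSEC-0000-0001", "package": "example-a",
                  "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}},  # scores 9.8
    {"advisory": {"id": "RUSTSEC-0000-0002", "package": "example-b",
                  "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}}]}}  # scores 6.5

if __name__ == "__main__":
    code, ids = gate(json.load(sys.stdin), ignore={"RUSTSEC-0000-0001": "2030-12-31"})
    print("blocking advisories:", ids or "none")
    sys.exit(code)
```

With the default threshold of 7.0 only the 9.8 finding blocks, and it stops blocking only while its ignore entry has not yet expired.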