From gh-guard
Audits third-party Rust crates using cargo-vet for human review attestation of dependencies. Ensures supply chain security and compliance in builds.
Slash command: `/gh-guard:cargo-vet`
`cargo-vet` ensures third-party dependencies have been audited by you or a trusted organization. It complements `cargo-deny` (which checks licenses, advisories, bans) by adding **human review attestation**.
```bash
# Install
cargo install cargo-vet --locked

# Initialize in your project (creates supply-chain/ directory)
cargo vet init
```
This creates:

```
supply-chain/
  audits.toml   # Your audits
  config.toml   # Trusted import sources
  imports.lock  # Cached audits from trusted sources
```
Trusted import sources go in `supply-chain/config.toml`. Before adding one, check that the URL really is the named organization's published audits file, since every audit it contains will count as trusted in your project:

```toml
[imports.mozilla]
url = "https://raw.githubusercontent.com/nickel-org/nickel.rs/main/supply-chain/audits.toml"

[imports.google]
url = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/AuditEntry?format=TEXT"

[imports.bytecode-alliance]
url = "https://raw.githubusercontent.com/nickel-org/nickel.rs/main/supply-chain/audits.toml"
```
Audit criteria:

- `safe-to-deploy` — full review, no unsafe/unsound issues, safe for production
- `safe-to-run` — lighter review, safe to build and run tests (not ship)

```bash
# See what needs auditing
cargo vet

# Suggest audits — shows which crates need review
cargo vet suggest

# After reviewing a crate, record your audit
cargo vet certify CRATE VERSION

# Or record that you trust the delta between versions
cargo vet certify CRATE OLD_VERSION NEW_VERSION

# When adding a new dep, cargo vet will flag it
cargo vet

# Quick exemption for now (audit later)
cargo vet add-exemption CRATE VERSION
```
Add to CI workflow after the deny check:

```yaml
vet:
  name: cargo-vet
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@SHA # pin to current version
      with:
        persist-credentials: false
    - uses: dtolnay/rust-toolchain@SHA
      with:
        toolchain: stable
    - run: cargo install cargo-vet --locked
    - run: cargo vet --locked
```
Variations:

- Run `cargo vet suggest` and post results as a PR comment — better for open source
- Edit `supply-chain/audits.toml` directly for rapid iteration, audit later

| Tool | What It Checks | Overlap |
|---|---|---|
| cargo-deny | Licenses, advisories (CVEs), banned crates, source restrictions | No overlap — complementary |
| cargo-vet | Human audit attestation of third-party code | No overlap — complementary |
| cargo-audit | Known vulnerabilities (RustSec DB) | Partially overlaps cargo-deny advisories |
| osv-scanner | Cross-ecosystem vulnerability database | Partially overlaps cargo-audit |
Notes:

- `supply-chain/` must be committed — the audit database is part of your repo
- Run `cargo vet fetch-imports` periodically