gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-22 15:16:33 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
9da33b5aed1269f5fdcfc5b34ba3df59ca86e51b
trivy/docs/guide/coverage/language/rust.md
Owen Rumney 9da33b5aed docs: restructure docs for new hosting (#9799)
2025-11-18 15:45:49 +00:00

44 lines
2.2 KiB
Markdown
Raw Blame History

# Rust
Trivy supports [Cargo](https://doc.rust-lang.org/stable/cargo/), which is the Rust package manager.
The following scanners are supported for Cargo.
| Package manager | SBOM | Vulnerability | License |
| --------------- | :---: | :-----------: | :-----: |
| Cargo | ✓ | ✓ | - |
In addition, it supports binaries built with [cargo-auditable](https://github.com/rust-secure-code/cargo-auditable).
| Artifact | SBOM | Vulnerability | License |
| -------- | :---: | :-----------: | :-----: |
| Binaries | ✓ | ✓ | - |
## Features
The following table provides an outline of the features Trivy offers.
| Package manager | File | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position |
|-----------------|------------|:-----------------------:|:-----------------|:------------------------------------:|:--------:|
| Cargo | Cargo.lock | ✓ | Excluded[^1] | ✓ | ✓ |
| Artifact | Transitive dependencies | Dev dependencies | Dependency graph | Position |
| -------- | :---------------------: | :--------------- | :--------------: | :------: |
| Binaries | ✓ | Excluded | - | - |
### Cargo
Trivy searches for `Cargo.lock` to detect dependencies.
Trivy also supports dependency trees; however, to display an accurate tree, it needs to know whether each package is a direct dependency of the project.
Since this information is not included in `Cargo.lock`, Trivy parses `Cargo.toml`, which should be located next to `Cargo.lock`.
If you want to see the dependency tree, please ensure that `Cargo.toml` is present.
Scan `Cargo.lock` and `Cargo.toml` together also removes developer dependencies.
### Binaries
Trivy scans binaries built with [cargo-auditable](https://github.com/rust-secure-code/cargo-auditable).
If such a binary exists, Trivy will identify it as being built with cargo-audit and scan it.
[^1]: When you scan Cargo.lock and Cargo.toml together.
[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
Reference in New Issue View Git Blame Copy Permalink