cargo
Safeguard articles tagged "cargo" — guides, analysis, and best practices for software supply chain and application security.
10 articles
Rust Supply Chain Security: build.rs, Typosquatting, and Auditing crates.io
Rust's borrow checker guarantees memory safety in your code — and nothing about the crates you pull in. A cargo build runs arbitrary code at compile time, before any safe code executes.
cargo-audit and cargo-deny: A Real Workflow
A senior-engineer-grade workflow for using cargo-audit and cargo-deny together, with realistic policy decisions and the mistakes teams repeat.
Reachability Analysis for Rust and Cargo in 2026
How reachability analysis cuts noise for Rust services: cargo features, conditional compilation, RustSec advisories, and the tools that handle Rust well.
Rust crates.io Supply Chain Controls in 2026
crates.io has gained real supply chain features over the past two years. Here is an honest read on what works, what is still immature, and where to invest.
How Snyk Open Source analyzes Cargo.lock for Rust depende...
How Snyk Open Source parses Cargo.lock, matches resolved crate versions against RustSec advisories, and handles Rust workspaces -- a mechanical breakdown of its documented approach.
Vendoring Dependencies: When It Helps and When It Hurts Security
Committing dependencies to your repo buys immutability and availability — and quietly breaks scanners, updates, and license tracking. Here's the honest ledger.
Rust Build Scripts: A Supply Chain Risk Profile
Why build.rs is the highest-leverage attack surface in the Rust ecosystem, with concrete examples from 2023 and 2024 incidents.
Rust Cargo Dependency Security Guide
How to secure your Rust supply chain with Cargo.lock, crate auditing, and build script controls.
Cargo Build Script Security: What build.rs Can Do to Your Machine
Rust build scripts run arbitrary code during compilation. Here is what they can access and how to evaluate the risk in your dependency tree.
Rust Crate Supply Chain Security: Lessons from a Growing Ecosystem
As Rust adoption accelerates, its crate ecosystem faces the same supply chain threats that plague npm and PyPI. Here's what the Rust community is doing right — and where gaps remain.