GitHub has brought Rust support to its supply chain security features. Aimed at ensuring your project and its dependencies are free of known vulnerabilities, GitHub supply chain security includes an advisory database, a dependency graph analyser, and Dependabot alerts and security updates.
As a first step, GitHub has published over 400 known Rust vulnerabilities to its GitHub Advisory Database. Most of those advisories come from RustSec, a repository of security advisories filed against Rust crates, which is maintained by the Rust Secure Code Working Group.
RustSec is already the data source of Rust's security audit tool, cargo audit. Since GitHub has not yet provided details on how often its Advisory Database is synced against RustSec, you may still want to keep running cargo audit for your project.
The dependency graph analyser processes a repository's Cargo.toml and Cargo.lock files to list every dependency used in the project and flag those with known vulnerabilities. You can view a repository's dependency graph under the Insights tab in the GitHub web UI.
GitHub also provides a Dependency Review action that you can use with any project to scan pull requests for dependency-related changes automatically. If a vulnerability is found in a newly introduced dependency, the PR is blocked.
While the Dependency Review action ensures that no new dependency brings in a vulnerability, you can use Dependabot to check all your existing dependencies for vulnerabilities. Dependabot automatically raises an alert when a new vulnerability is published for one of them and creates a PR to update the affected package to a patched version.
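As an added illustration (not code from GitHub, RustSec or cargo audit), the following Rust program mimics the three checks described above on a pair of constructed Cargo.lock files: building the dependency set from the lock file, the full scan that cargo audit and Dependabot perform over everything in it, and the PR-scoped check the Dependency Review action performs only on dependencies the PR introduces. The advisory records, crate names (oldcrate, newcrate, myapp), advisory ids and lock file contents are constructed sample data, and the Version type with its "everything below patched is affected" rule is a simplification of the real advisory format.

```rust
// Added example, not code from GitHub, RustSec or cargo-audit: a miniature
// Cargo.lock analyser showing the checks the article describes.
// Lock files and advisories below are constructed sample data.
use std::collections::BTreeMap;

/// Plain major.minor.patch version; pre-release tags are deliberately rejected.
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

impl Version {
    pub fn parse(s: &str) -> Option<Version> {
        let mut parts = s.split('.').map(|p| p.parse::<u64>().ok());
        let v = Version(parts.next()??, parts.next()??, parts.next()??);
        if parts.next().is_some() { return None; } // reject "1.2.3.4"
        Some(v)
    }
}

impl std::fmt::Display for Version {
    fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
        write!(f, "{}.{}.{}", self.0, self.1, self.2)
    }
}

/// Hypothetical advisory record: every version below `patched` is affected.
pub struct Advisory { pub id: &'static str, pub krate: &'static str, pub patched: Version }

pub type Deps = BTreeMap<String, Vec<Version>>;
pub type Finding = (String, String, Version); // (advisory id, crate, affected version)

/// Build the dependency set from Cargo.lock: the name and version of each
/// [[package]] table. Several versions of one crate may coexist, hence vectors.
pub fn parse_lock(lock: &str) -> Deps {
    let mut deps = Deps::new();
    let (mut name, mut version) = (None::<String>, None::<Version>);
    // the trailing sentinel header flushes the last entry
    for line in lock.lines().map(str::trim).chain(std::iter::once("[[package]]")) {
        if line.starts_with('[') {
            if let (Some(n), Some(v)) = (name.take(), version.take()) {
                deps.entry(n).or_default().push(v);
            }
        } else if let Some(rest) = line.strip_prefix("name = ") {
            name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            // the top-level lock format line `version = 3` fails to parse and is ignored
            version = Version::parse(rest.trim_matches('"'));
        }
    }
    deps
}

/// Full scan of everything in the lock file: what cargo audit and Dependabot do.
pub fn audit(deps: &Deps, advisories: &[Advisory]) -> Vec<Finding> {
    let mut findings = Vec::new();
    for adv in advisories {
        for v in deps.get(adv.krate).into_iter().flatten() {
            if *v < adv.patched {
                findings.push((adv.id.to_string(), adv.krate.to_string(), v.clone()));
            }
        }
    }
    findings
}

/// Dependency-review style check: only (crate, version) pairs the PR introduces
/// are examined; pre-existing vulnerable dependencies are left to the full scan.
/// Returns (allowed, findings) so a caller can block the PR.
pub fn review_pr(base_lock: &str, pr_lock: &str, advisories: &[Advisory]) -> (bool, Vec<Finding>) {
    let (base, pr) = (parse_lock(base_lock), parse_lock(pr_lock));
    let mut introduced = Deps::new();
    for (name, versions) in &pr {
        for v in versions {
            let already = base.get(name).map_or(false, |vs| vs.contains(v));
            if !already { introduced.entry(name.clone()).or_default().push(v.clone()); }
        }
    }
    let findings = audit(&introduced, advisories);
    (findings.is_empty(), findings)
}

/// Constructed advisories (ids and crates are hypothetical).
pub fn sample_advisories() -> Vec<Advisory> {
    vec![
        Advisory { id: "EXAMPLE-0001", krate: "oldcrate", patched: Version(1, 3, 0) },
        Advisory { id: "EXAMPLE-0002", krate: "newcrate", patched: Version(1, 0, 0) },
    ]
}

/// Constructed lock file on the base branch: oldcrate 1.2.0 is already affected.
pub const BASE_LOCK: &str = r#"
version = 3

[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "oldcrate",
]

[[package]]
name = "oldcrate"
version = "1.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

/// Constructed lock file on the PR branch: it adds the affected newcrate 0.9.0.
pub const PR_LOCK: &str = r#"
version = 3

[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "newcrate",
 "oldcrate",
]

[[package]]
name = "newcrate"
version = "0.9.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "oldcrate"
version = "1.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    let advisories = sample_advisories();
    for (id, krate, v) in audit(&parse_lock(BASE_LOCK), &advisories) {
        println!("existing dependency affected (Dependabot alert): {krate} {v} ({id})");
    }
    let (allowed, findings) = review_pr(BASE_LOCK, PR_LOCK, &advisories);
    for (id, krate, v) in &findings {
        println!("PR introduces affected dependency: {krate} {v} ({id})");
    }
    println!("PR allowed: {allowed}");
}
```

Note the split of responsibilities: review_pr only sees (crate, version) pairs that are new relative to the base branch, so the pre-existing oldcrate 1.2.0 does not fail the PR check even though the full scan reports it; that is exactly why the article recommends using both kinds of check.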
It is worth noting that the dependency graph for Rust does not yet include full metadata, such as the mapping from a dependency to its GitHub repository, but GitHub says it will be extended in the future.