
GitHub Extends Its Supply Chain Security to Rust


GitHub has brought Rust support to its supply chain security feature. Aimed at ensuring your project and its dependencies are free of vulnerabilities, GitHub supply chain security includes a database of advisories, a dependency graph analyzer, and Dependabot alerts and security updates.

As a first step, GitHub has published over 400 known Rust vulnerabilities to its GitHub Advisory Database. Most of those vulnerabilities come from RustSec, a repository of security advisories filed against Rust crates maintained by the Rust Secure Code Working Group.

RustSec is already used by Rust's own security audit tool, cargo audit. Since GitHub has not yet provided details concerning how often its Advisory Database is synced against RustSec, you may still want to run cargo audit for your project.

The dependency graph analyzer is able to process a repo's Cargo.toml and Cargo.lock files to list all dependencies used in a project and detect any potential vulnerabilities they may hide. You can display a repository's dependency graph from within the Insights tab in GitHub Web UI.

GitHub is also providing a Dependency Review action that you can use with any project to automatically scan new pull requests for dependency-related changes. In case a vulnerability is found in any new dependency, the PR is blocked.
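As an added example (not from the article or from GitHub), here is one way to wire both checks described above into a single workflow: the Dependency Review action gates new dependencies on pull requests, and a second job runs cargo audit against RustSec directly, since the sync cadence between RustSec and the Advisory Database is not documented. The file path, workflow name, and the branch name "main" are assumptions.

```yaml
# .github/workflows/rust-supply-chain.yml  (example; path and name are assumed)
name: Rust supply chain checks

on:
  pull_request:
    branches: [main]   # assumption: the default branch is "main"

# Least-privilege token: neither job needs to write to the repository.
permissions:
  contents: read

jobs:
  dependency-review:
    # Diffs the PR's Cargo.lock against the base branch and fails the check
    # when a newly introduced crate has an entry in the GitHub Advisory Database.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          # Block on any advisory, regardless of severity, which matches the
          # "PR is blocked" behaviour described in the article.
          fail-on-severity: low

  cargo-audit:
    # Independent check straight against RustSec for the full Cargo.lock,
    # not just the dependencies changed in this PR.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: cargo install cargo-audit --locked
      # --deny warnings also fails the job on unmaintained or yanked crates,
      # which the Advisory Database does not flag as vulnerabilities.
      - run: cargo audit --deny warnings
```

The two jobs are complementary: the first is scoped to what a PR introduces, the second catches advisories published after a dependency was already merged.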

While the Dependency Review action helps ensure no new dependency brings in a vulnerability, you can use Dependabot to check all of your existing dependencies for vulnerabilities. Dependabot will display an alert for a new vulnerability and create a PR to automatically update vulnerable packages to a new version.

It is worth noting that the dependency graph for Rust does not currently include full metadata, such as mapping the dependency to its GitHub repo, but it will be extended in the future.
