ARN

GitHub adds supply chain security tools for Rust language

GitHub’s supply chain security features including the advisory database, Dependabot alerts, and dependency graph are now available for Rust Cargo files.

Aiming to help Rust developers discover and prevent security vulnerabilities, GitHub has made its suite of supply chain security features available for the fast-growing Rust language.

These features include the GitHub Advisory Database, which already has more than 400 Rust security advisories, as well as Dependabot alerts and updates, and dependency graph support, providing alerts on vulnerable dependencies in Rust’s Cargo package files. Rust users can report and ultimately prevent security vulnerabilities when using GitHub.

The GitHub Advisory Database is a database of security advisories focused on actionable vulnerability information for developers. The majority of vulnerabilities cited in the database come from RustSec, an organisation that publishes security advisories related to Rust libraries. 

Rust package maintainers can use the security advisories to collaborate with vulnerability reporters to privately discuss and fix vulnerabilities prior to announcing them publicly. Developers can report Rust vulnerabilities with a CVE through a community contribution.

GitHub’s dependency graph analyses a repository’s Cargo.toml and Cargo.lock files to determine dependencies in a project. The dependency graph backs Dependabot, which alerts developers of a known vulnerability and creates pull requests to update the affected dependency. While the dependency graph is enabled by default in public repositories, developers must enable it for private repositories.

If a dependency graph for a public repository has not already been populated, it will be soon, GitHub said. Dependency graph support for Rust is being rolled out in two phases. Full package metadata for Rust dependencies, including mapping packages to GitHub repositories, is due in a future release.

Developers can prevent Rust vulnerabilities from being introduced at all with the dependency review GitHub Action, which scans pull requests for changes in Rust dependencies and identifies whether any newly added dependencies have known vulnerabilities. Developers can then block those pull requests from being merged. GitHub offers guidance for securing Rust repositories in GitHub Docs.
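The dependency review workflow described above, as an added example rather than code from the article or from GitHub's own documentation; the action version tags and the severity threshold are assumptions:

```yaml
# .github/workflows/dependency-review.yml (example, not from the article)
# On every pull request, compare the dependency graph (for Rust, derived from
# Cargo.toml / Cargo.lock) between the base and head commits and fail the
# check when a newly added or upgraded crate carries a known advisory at or
# above the chosen severity.
name: Dependency review

on:
  pull_request:

permissions:
  contents: read   # least privilege: the action only needs to read the graph

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: Check out the pull request
        uses: actions/checkout@v4   # version tag assumed

      - name: Review new or changed dependencies
        uses: actions/dependency-review-action@v4   # version tag assumed
        with:
          # Fail the check when any added dependency has an advisory of this
          # severity or worse (low, moderate, high, critical). "moderate" is an
          # assumed threshold; tighten or loosen it to match the repository.
          fail-on-severity: moderate
```

The failing check only blocks the merge once it is marked as a required status check in the branch protection rules, and for private repositories the dependency graph the action reads must be enabled first.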