Best way to protect a project from supply chain attacks?

• cargo-crev

  55 2,030 7.9 Rust

  A cryptographically verifiable code review system for the cargo (Rust) package manager.

  

Another mentioned https://github.com/crev-dev/cargo-crev but it seems like coverage isn't perfect and some versions of libraries covered by it are somewhat old.

• cargo-supply-chain

  20 311 4.9 Rust

  Gather author, contributor and publisher data on crates in your dependency graph.

  

cargo supply-chain to see your attack surface for supply chain attacks

• WorkOS

  workos.com sponsored

  The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.

  

• cargo-vet

  12 596 7.6 Rust

  supply-chain security for Rust

  

cargo crev and cargo vet for reviewing dependencies and using reviewed versions

• cargo-deny

  15 1,550 8.8 Rust

  ❌ Cargo plugin for linting your dependencies 🦀

  

cargo deny for fetching crates only from trusted sources, blacklisting crates, etc.

• crates.io

  662 2,796 10.0 Rust

  The Rust package registry

  

Your actions will depend on your specific risk factors/tolerances. If you want to protect against a compromised or turned-malicious crates.io, then vendoring or having your own mirror are the only real alternatives. But that's a decent amount of work for a stunningly unlikely problem.

• dust

  48 7,780 7.5 Rust

  A more intuitive version of du in rust

dust (https://github.com/bootandy/dust) made in Rust of course ;)

Suggest a related project