config
The top level config for cargo-deny, by default called deny.toml
.
Example - cargo-deny's own configuration
# cargo-deny is really only ever intended to run on the "normal" tier-1 targets
targets = [
{ triple = "x86_64-unknown-linux-gnu" },
{ triple = "aarch64-unknown-linux-gnu" },
{ triple = "x86_64-unknown-linux-musl" },
{ triple = "aarch64-apple-darwin" },
{ triple = "x86_64-apple-darwin" },
{ triple = "x86_64-pc-windows-msvc" },
]
[advisories]
vulnerability = "deny"
unmaintained = "deny"
notice = "deny"
unsound = "deny"
ignore = [
# rmp-serde used by askalono for the cache files, these are always utf-8 so
# the advisory is not relevant
"RUSTSEC-2022-0092",
]
[bans]
multiple-versions = "deny"
deny = [
# We use gix
{ name = "git2" },
# NEVER AGAIN
{ name = "openssl" },
{ name = "openssl-sys" },
{ name = "libssh2-sys" },
]
skip = [
# indexmap + imara-diff
{ name = "hashbrown", version = "=0.12.3" },
# petgraph + h2 use an old version
{ name = "indexmap", version = "=1.9.3" },
# hyper/tokio uses an old version
{ name = "socket2", version = "=0.4.9" },
# strum_macros + maybe-async
{ name = "syn", version = "=1.0.109" },
# security-framework uses an ooooold version
{ name = "bitflags", version = "=1.3.2" },
]
skip-tree = [
# Sigh
{ name = "windows-sys", version = "<=0.45" },
]
[sources]
unknown-registry = "deny"
unknown-git = "deny"
# [sources.allow-org]
# github = ["EmbarkStudios"]
[licenses]
unlicensed = "deny"
allow-osi-fsf-free = "neither"
copyleft = "deny"
# We want really high confidence when inferring licenses from text
confidence-threshold = 0.93
allow = [
"Apache-2.0",
"Apache-2.0 WITH LLVM-exception",
"MIT",
"MPL-2.0",
"BSD-3-Clause",
"ISC",
]
exceptions = [
{ allow = [
"Zlib",
], name = "tinyvec" },
{ allow = [
"Unicode-DFS-2016",
], name = "unicode-ident" },
{ allow = [
"OpenSSL",
], name = "ring" },
]
# Sigh
[[licenses.clarify]]
name = "ring"
# SPDX considers OpenSSL to encompass both the OpenSSL and SSLeay licenses
# https://spdx.org/licenses/OpenSSL.html
# ISC - Both BoringSSL and ring use this for their new files
# MIT - "Files in third_party/ have their own licenses, as described therein. The MIT
# license, for third_party/fiat, which, unlike other third_party directories, is
# compiled into non-test libraries, is included below."
# OpenSSL - Obviously
expression = "ISC AND MIT AND OpenSSL"
license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]
[[licenses.clarify]]
name = "webpki"
expression = "ISC"
license-files = [{ path = "LICENSE", hash = 0x001c7e6c }]
# Actually "ISC-style"
[[licenses.clarify]]
name = "rustls-webpki"
expression = "ISC"
license-files = [{ path = "LICENSE", hash = 0x001c7e6c }]
The targets
field (optional)
By default, cargo-deny will consider every single crate that is resolved by cargo, including target specific dependencies eg
[target.x86_64-pc-windows-msvc.dependencies]
winapi = "0.3.8"
[target.'cfg(target_os = "fuchsia")'.dependencies]
fuchsia-cprng = "0.1.1"
But unless you are actually targeting x86_64-fuchsia
or aarch64-fuchsia
, the fuchsia-cprng
is never actually going to be compiled or linked into your project, so checking it is pointless for you.
The targets
field allows you to specify one or more targets which you actually build for. Every dependency link to a crate is checked against this list, and if none of the listed targets satisfy the target constraint, the dependency link is ignored. If a crate has no dependency links to it, it is not included into the crate graph that the checks are executed against.
The triple
field
The target triple for the target you wish to filter target specific dependencies with. If the target triple specified is not one of the targets builtin to rustc
, the configuration check for that target will be limited to only the raw [target.<target-triple>.dependencies]
style of target configuration, as cfg()
expressions require us to know the details about the target.
The targets.features
field (optional)
Rust cfg()
expressions support the target_feature = "feature-name"
predicate, but at the moment, the only way to actually pass them when compiling is to use the RUSTFLAGS
environment variable. The features
field allows you to specify 1 or more target_feature
s you plan to build with, for a particular target triple. At the time of this writing, cargo-deny does not attempt to validate that the features you specify are actually valid for the target triple, but this is planned.
The exclude
field (optional)
Just as with the --exclude
command line option, this field allows you to specify one or more Package ID specifications that will cause the crate(s) in question to be excluded from the crate graph that is used for the operation you are performing.
Note that excluding a crate is recursive, if any of its transitive dependencies are only referenced via the excluded crate, they will also be excluded from the crate graph.
The all-features
field (optional)
If set to true
, --all-features
will be used when collecting metadata.
The no-default-features
field (optional)
If set to true
, --no-default-features
will be used when collecting metadata.
The features
field (optional)
If set, and --features
is not specified on the cmd line, these features will be used when collecting metadata.
The feature-depth
field (optional)
The maximum depth that features will be displayed when inclusion graphs are included in diagnostics, unless specified via --feature-depth
on the command line. Only applies to diagnostics that actually print features. If not specified defaults to 1
.
The exclude-dev
field (optional)
If set to true
, all dev-dependencies
, even one for workspace crates, are not included in the crate graph used for any of the checks. This option can also be enabled on cmd line with --exclude-dev
either before or after the check
subcommand.
The [licenses]
section
See the licenses config for more info.
The [bans]
section
See the bans config for more info.
The [advisories]
section
See the advisories config for more info.
The [sources]
section
See the sources config for more info.