Security & supply chain
- Dependency scanning.
cargo-denyruns in CI (and weekly, to catch newly-published advisories) checking vulnerabilities, licenses, banned/duplicate crates, and that every dependency comes from crates.io. Config:deny.toml. - Automated updates. Dependabot opens weekly PRs for Rust deps and GitHub Actions, so security patches land promptly.
- Build provenance. Release binaries carry
SLSA build-provenance attestations
generated by cargo-dist, so you can verify an artifact was built by this
repo's CI:
gh attestation verify revector-x86_64-unknown-linux-gnu.tar.xz \ --repo diegoglozano/revector - Reproducibility.
Cargo.lockis committed andcargo publish --lockedis used, so published builds resolve to pinned versions. - Minimal runtime surface. The known advisories in the tree are confined to
dev-dependencies (the test harness) and don't ship in the binary; see
deny.tomlfor the tracked exceptions.