Security & supply chain

  • Dependency scanning. cargo-deny runs in CI (and weekly, to catch newly-published advisories) checking vulnerabilities, licenses, banned/duplicate crates, and that every dependency comes from crates.io. Config: deny.toml.
  • Automated updates. Dependabot opens weekly PRs for Rust deps and GitHub Actions, so security patches land promptly.
  • Build provenance. Release binaries carry SLSA build-provenance attestations generated by cargo-dist, so you can verify an artifact was built by this repo's CI:
    gh attestation verify revector-x86_64-unknown-linux-gnu.tar.xz \
        --repo diegoglozano/revector
    
  • Reproducibility. Cargo.lock is committed and cargo publish --locked is used, so published builds resolve to pinned versions.
  • Minimal runtime surface. The known advisories in the tree are confined to dev-dependencies (the test harness) and don't ship in the binary; see deny.toml for the tracked exceptions.