# cargo-deny configuration for cachekit security policy
# Enforces license compliance, vulnerability scanning, and dependency policy
# See: https://embarkstudios.github.io/cargo-deny/
# ═══════════════════════════════════════════════════════════════
# GRAPH - Dependency Graph Configuration
# ═══════════════════════════════════════════════════════════════
[graph]
# Target platforms for cachekit (cross-platform library).
# NOTE(review): when `targets` is set, cargo-deny only evaluates dependencies
# that resolve on these targets; a crate pulled in only by another platform
# (e.g. a *-gnu Windows toolchain) is not scanned by any check below.
targets = [
"x86_64-unknown-linux-gnu",
"aarch64-unknown-linux-gnu",
"x86_64-apple-darwin",
"aarch64-apple-darwin",
"x86_64-pc-windows-msvc",
]
# Resolve the graph with every feature enabled so optional dependencies
# (and their licenses/advisories) are included in the analysis
all-features = true
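# ═══════════════════════════════════════════════════════════════
# ADVISORIES - Vulnerability Scanning (RustSec Database)
# ═══════════════════════════════════════════════════════════════
[advisories]
# Report unmaintained advisories for direct dependencies of workspace crates.
# "workspace" does NOT report unmaintained crates that are reached only
# transitively; set to "all" to cover the whole dependency tree.
unmaintained = "workspace"
# Fail on crates whose version has been yanked from its registry. Stated
# explicitly so the policy does not depend on the tool's default.
yanked = "deny"
# Exemptions for advisories in transitive dependencies (use sparingly, with a reason)
# Format: { id = "RUSTSEC-YYYY-NNNN", reason = "explanation" }
ignore = []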
# ═══════════════════════════════════════════════════════════════
# LICENSES - License Policy Enforcement
# ═══════════════════════════════════════════════════════════════
[licenses]
# Minimum confidence for license-text detection (0.8 is cargo-deny's default);
# a crate whose license cannot be identified at this confidence fails the check
confidence-threshold = 0.8
# Allowed licenses (MIT/Apache-2.0/BSD-3-Clause compatible with cachekit MIT license).
# Any license not listed here fails the check; extend this list deliberately.
allow = [
"MIT",
"Apache-2.0",
"Apache-2.0 WITH LLVM-exception", # LLVM runtime exception
"BSD-3-Clause",
"ISC",
"Unicode-3.0", # Unicode License v3 (OSI approved, permissive)
"MPL-2.0", # Mozilla Public License 2.0 (cbindgen build dependency)
"BSL-1.0", # Boost Software License 1.0 (xxhash-rust)
]
# Per-crate license exceptions (use sparingly; prefer extending `allow` when the
# license is acceptable project-wide)
# Format: { allow = ["LICENSE"], crate = "crate-name" }
exceptions = []
# ═══════════════════════════════════════════════════════════════
# BANS - Dependency Policy Enforcement
# ═══════════════════════════════════════════════════════════════
[bans]
# Deny multiple versions of the same crate (reduces binary size, prevents subtle bugs)
multiple-versions = "deny"
# Deny wildcard dependencies (e.g., "serde = *")
wildcards = "deny"
# Highlight all duplicate versions for review
highlight = "all"
# Ban specific crates (use-instead provides alternative)
# Format: { crate = "name", reason = "explanation", use-instead = "alternative" }
deny = []
# Skip specific dependencies from multiple-version checks.
# These are transitive dependencies where version duplication is unavoidable.
# A `crate@X.Y` entry matches every X.Y.z release; the one version NOT listed
# is the one that remains counted, so revisit these when the tree changes.
skip = [
# getrandom has 3 major versions in the dep tree:
# 0.2.x via aes-gcm/crypto-common (encryption)
# 0.3.x via proptest (dev-dependency)
# 0.4.x via tempfile/cbindgen (build-dependency)
{ crate = "getrandom@0.2", reason = "Transitive via aes-gcm crypto chain" },
{ crate = "getrandom@0.3", reason = "Transitive via proptest (dev-dependency)" },
# rand_core duplication from aes-gcm (0.6.x) vs proptest (0.9.x)
{ crate = "rand_core@0.6", reason = "Transitive via aes-gcm crypto chain" },
# libc duplication unavoidable (getrandom versions pull different libc)
# NOTE(review): Cargo resolves at most one semver-compatible version of a crate,
# so two libc 0.2.x entries should not coexist in the lock file; confirm against
# Cargo.lock whether this skip is still live or can be dropped.
{ crate = "libc@0.2", reason = "Transitive via multiple getrandom versions" },
]
# Skip crate trees entirely (e.g., frequently-updated foundational crates).
# This hides the whole subtree from duplicate detection; keep empty unless needed.
# Format: { crate = "name", reason = "explanation" }
skip-tree = []
# ═══════════════════════════════════════════════════════════════
# SOURCES - Source Registry Policy
# ═══════════════════════════════════════════════════════════════
[sources]
# Deny crates from any registry not listed in `allow-registry`
# (limits supply-chain exposure to a single vetted index)
unknown-registry = "deny"
# Deny crates from any git source not listed in `allow-git`
unknown-git = "deny"
# Only allow crates.io as the source registry. This is the index URL that
# Cargo.lock records for crates.io; it should also cover resolutions made
# through the sparse protocol — confirm if a lock entry is reported as unknown.
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
# No git dependencies allowed (use crates.io releases for stability and
# reproducible, auditable sources)
allow-git = []