Trivy supports Cargo, which is the Rust package manager. The following scanners are supported for Cargo.
In addition, it supports binaries built with cargo-auditable.
The following table provides an outline of the features Trivy offers.
|Package manager||File||Transitive dependencies||Dev dependencies||Dependency graph||Position|
|Artifact||Transitive dependencies||Dev dependencies||Dependency graph||Position|
Trivy searches for
Cargo.lock to detect dependencies.
Trivy also supports dependency trees; however, to display an accurate tree, it needs to know whether each package is a direct dependency of the project.
Since this information is not included in
Cargo.lock, Trivy parses
Cargo.toml, which should be located next to
If you want to see the dependency tree, please ensure that
Cargo.toml is present.
Cargo.toml together also removes developer dependencies.
Trivy scans binaries built with cargo-auditable. If such a binary exists, Trivy will identify it as being built with cargo-audit and scan it.
When you scan Cargo.lock and Cargo.toml together. ↩