Skip to content


Trivy supports Cargo, which is the Rust package manager. The following scanners are supported for Cargo.

Package manager SBOM Vulnerability License
Cargo -

In addition, it supports binaries built with cargo-auditable.

Artifact SBOM Vulnerability License
Binaries -


The following table provides an outline of the features Trivy offers.

Package manager File Transitive dependencies Dev dependencies Dependency graph Position
Cargo Cargo.lock Excluded1
Artifact Transitive dependencies Dev dependencies Dependency graph Position
Binaries Excluded - -


Trivy searches for Cargo.lock to detect dependencies.

Trivy also supports dependency trees; however, to display an accurate tree, it needs to know whether each package is a direct dependency of the project. Since this information is not included in Cargo.lock, Trivy parses Cargo.toml, which should be located next to Cargo.lock. If you want to see the dependency tree, please ensure that Cargo.toml is present.

Scan Cargo.lock and Cargo.toml together also removes developer dependencies.


Trivy scans binaries built with cargo-auditable. If such a binary exists, Trivy will identify it as being built with cargo-audit and scan it.

  1. When you scan Cargo.lock and Cargo.toml together.