Merge pull request #1625 from axodotdev/security-docs
docs: flesh out security docs
ashleygwilliams authored Dec 12, 2024
2 parents 9675cda + 514267d commit ad8fa57
Showing 1 changed file with 14 additions and 3 deletions.
17 changes: 14 additions & 3 deletions book/src/supplychain-security/index.md
Expand Up @@ -22,10 +22,21 @@ If you have an integration you are looking for [file an issue](https://github.co

## SBOMs and Dependency Managers

* [cargo-cyclonedx](../reference/config.html#cargo-cyclonedx)
* [cargo-auditable](../reference/config.html#cargo-auditable)
### cargo-cyclonedx

dist can optionally generate a [CycloneDX][CycloneDX]-format Software Bill of Materials (SBOM) for Rust projects using the [cargo-cyclonedx][cargo-cyclonedx] tool. This data is stored as a standalone `bom.xml` file which is distributed alongside your binaries in your tarballs. Users can validate that SBOM file using [any compatible CycloneDX tool](https://cyclonedx.org/tool-center/). For more information about using this feature, see [the config documentation](../reference/config.html#cargo-cyclonedx).

### cargo-auditable

[cargo-auditable][cargo-auditable] can optionally be used to embed dependency information into your Rust binaries, making it possible for users to check your binaries for the full dependency tree they were built from along with their precise versions. This information can then be checked later to scan your binary for any known vulnerabilities using the [cargo-audit][cargo-audit] tool. For more information about using this feature, see [the config documentation](../reference/config.html#cargo-auditable).

## Software identification

* [🔜 Omnibor](https://github.com/axodotdev/cargo-dist/issues/969)
dist can optionally generate an [OmniBOR artifact ID][omnibor] for software artifacts using the [omnibor-cli][omnibor-cli] tool. These identifiers are reproducible and unique to a specific version of your software. For more information about using this feature, see [the config documentation](../reference/config.html#omnibor).

[CycloneDX]: https://cyclonedx.org
[cargo-audit]: https://github.com/rustsec/rustsec/tree/main/cargo-audit#cargo-audit-bin-subcommand
[cargo-auditable]: https://github.com/rust-secure-code/cargo-auditable
[cargo-cyclonedx]: https://cyclonedx.org
[omnibor]: https://omnibor.io
[omnibor-cli]: https://github.com/omnibor/omnibor-rs/tree/main/omnibor-cli
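Review bot: the `[cargo-cyclonedx]: https://cyclonedx.org` reference definition added at the end of the hunk uses the same URL as `[CycloneDX]`, so the `[cargo-cyclonedx][cargo-cyclonedx]` tool link in the new cargo-cyclonedx section resolves to the specification site rather than to the tool itself; give it the tool's repository URL instead, the way `[cargo-auditable]` and `[omnibor-cli]` each point at their own project. Minor: the `[cargo-audit]` link targets the `#cargo-audit-bin-subcommand` anchor, so the cargo-auditable paragraph would read more concretely if it named the `cargo audit bin` invocation that users run against a shipped binary.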
