docs: flesh out security docs #1625

Merged
merged 1 commit into from
Dec 12, 2024
17 changes: 14 additions & 3 deletions book/src/supplychain-security/index.md
Expand Up @@ -22,10 +22,21 @@ If you have an integration you are looking for [file an issue](https://github.co

## SBOMs and Dependency Managers

* [cargo-cyclonedx](../reference/config.html#cargo-cyclonedx)
* [cargo-auditable](../reference/config.html#cargo-auditable)
### cargo-cyclonedx

dist can optionally generate a [CycloneDX][CycloneDX]-format Software Bill of Materials (SBOM) for Rust projects using the [cargo-cyclonedx][cargo-cyclonedx] tool. This data is stored as a standalone `bom.xml` file which is distributed alongside your binaries in your tarballs. Users can validate that SBOM file using [any compatible CycloneDX tool](https://cyclonedx.org/tool-center/). For more information about using this feature, see [the config documentation](../reference/config.html#cargo-cyclonedx).

### cargo-auditable

[cargo-auditable][cargo-auditable] can optionally be used to embed dependency information into your Rust binaries, making it possible for users to check your binaries for the full dependency tree they were built from along with their precise versions. This information can then be checked later to scan your binary for any known vulnerabilities using the [cargo-audit][cargo-audit] tool. For more information about using this feature, see [the config documentation](../reference/config.html#cargo-auditable).

## Software identification

* [🔜 Omnibor](https://github.com/axodotdev/cargo-dist/issues/969)
dist can optionally generate an [OmniBOR artifact ID][omnibor] for software artifacts using the [omnibor-cli][omnibor-cli] tool. These identifiers are reproducible and unique to a specific version of your software. For more information about using this feature, see [the config documentation](../reference/config.html#omnibor).

[CycloneDX]: https://cyclonedx.org
[cargo-audit]: https://github.com/rustsec/rustsec/tree/main/cargo-audit#cargo-audit-bin-subcommand
[cargo-auditable]: https://github.com/rust-secure-code/cargo-auditable
[cargo-cyclonedx]: https://cyclonedx.org
[omnibor]: https://omnibor.io
[omnibor-cli]: https://github.com/omnibor/omnibor-rs/tree/main/omnibor-cli
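Review bot: the `[cargo-cyclonedx]` link reference at the bottom of this hunk resolves to https://cyclonedx.org, the same URL as `[CycloneDX]`, so the sentence "using the [cargo-cyclonedx][cargo-cyclonedx] tool" sends readers to the format's website rather than to the tool; point that reference at the cargo-cyclonedx project's own repository, the way `[cargo-auditable]` and `[omnibor-cli]` already link to their tools. In the same section, "Users can validate that SBOM file using any compatible CycloneDX tool" is ambiguous: a CycloneDX tool checks the `bom.xml` against the CycloneDX schema, it does not attest that the file matches the binaries it ships next to in the tarball, so consider saying "validate the format of" and noting that integrity of the SBOM rests on whatever signing or attestation covers the tarball itself.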