docs: flesh out security docs
This provides some brief high-level details on these features on the
security page before linking to the "how to enable" docs.
mistydemeo authored and ashleygwilliams committed Dec 12, 2024
1 parent 9675cda commit 514267d
Showing 1 changed file with 14 additions and 3 deletions.
17 changes: 14 additions & 3 deletions book/src/supplychain-security/index.md
Expand Up @@ -22,10 +22,21 @@ If you have an integration you are looking for [file an issue](https://github.co

## SBOMs and Dependency Managers

* [cargo-cyclonedx](../reference/config.html#cargo-cyclonedx)
* [cargo-auditable](../reference/config.html#cargo-auditable)
### cargo-cyclonedx

dist can optionally generate a [CycloneDX][CycloneDX]-format Software Bill of Materials (SBOM) for Rust projects using the [cargo-cyclonedx][cargo-cyclonedx] tool. This data is stored as a standalone `bom.xml` file which is distributed alongside your binaries in your tarballs. Users can validate that SBOM file using [any compatible CycloneDX tool](https://cyclonedx.org/tool-center/). For more information about using this feature, see [the config documentation](../reference/config.html#cargo-cyclonedx).

### cargo-auditable

[cargo-auditable][cargo-auditable] can optionally be used to embed dependency information into your Rust binaries, making it possible for users to check your binaries for the full dependency tree they were built from along with their precise versions. This information can then be checked later to scan your binary for any known vulnerabilities using the [cargo-audit][cargo-audit] tool. For more information about using this feature, see [the config documentation](../reference/config.html#cargo-auditable).

## Software identification

* [🔜 Omnibor](https://github.com/axodotdev/cargo-dist/issues/969)
dist can optionally generate an [OmniBOR artifact ID][omnibor] for software artifacts using the [omnibor-cli][omnibor-cli] tool. These identifiers are reproducible and unique to a specific version of your software. For more information about using this feature, see [the config documentation](../reference/config.html#omnibor).

[CycloneDX]: https://cyclonedx.org
[cargo-audit]: https://github.com/rustsec/rustsec/tree/main/cargo-audit#cargo-audit-bin-subcommand
[cargo-auditable]: https://github.com/rust-secure-code/cargo-auditable
[cargo-cyclonedx]: https://cyclonedx.org
[omnibor]: https://omnibor.io
[omnibor-cli]: https://github.com/omnibor/omnibor-rs/tree/main/omnibor-cli
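Review bot: The new link definition `[cargo-cyclonedx]: https://cyclonedx.org` resolves to the same URL as `[CycloneDX]`, so the `[cargo-cyclonedx][cargo-cyclonedx]` reference in the "### cargo-cyclonedx" section sends readers to the CycloneDX home page rather than to the tool itself; please point that definition at the cargo-cyclonedx tool's own repository so the "using the ... tool" link actually reaches the tool, as the `[cargo-auditable]` and `[omnibor-cli]` definitions do. Separately, the removed bullet `* [🔜 Omnibor](https://github.com/axodotdev/cargo-dist/issues/969)` marked OmniBOR as forthcoming, while the replacement paragraph states "dist can optionally generate an [OmniBOR artifact ID]" as shipped; if the feature is still tracked by that issue, keep the forthcoming marker or a link to the issue so the security page does not advertise a capability that is not yet available.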
