Checklist

Legend: 🔒 Must have, ⭐️ Should have, 👍 Nice to have, ℹ️ Info

Manage dependencies

• 🔒 Transitive dependencies number is minimized by selecting only the required features (DEPS-FEATURES)
• 🔒 Dependencies are vetted (DEPS-ASSESS)
• 👍 Dependencies are reviewed using cargo vet (DEPS-VET)
• 🔒 Known vulnerabilities and unmaintained crates are regularly checked (DEPS-VULNS)
• 🔒 Dependencies are kept up-to-date (DEPS-UPDATES)

Maintain a crate

• Sources of binary programs include necessary information to make the builds consistent
  • 🔒 The Cargo.lock file is committed to your repository (when developing binary programs) (MAINTAIN-LOCK)
  • 👍 The rust-toolchain.toml file is committed to your repository (when developing binary programs) (MAINTAIN-TOOLCHAIN)
• 🔒 Crate features allow to only include transitive dependencies required for a given use case (MAINTAIN-FEATURES)
• Maintaining a -sys crate building C/C++ code
  • ⭐️ Provide flags to control the behavior (MAINTAIN-SRCFLAG) { #MAINTAIN-SRCFLAG }
  • ⭐️ Use a dedicated -src crate (MAINTAIN-SRCCRATE) { #MAINTAIN-SRCCRATE }
• 🔒 Known vulnerabilities are reported to RustSec (MAINTAIN-VULNS)
• Publication access to crates.io is secured
  • 🔒 The GitHub accounts owning the crates have 2FA enabled (MAINTAIN-CRATESIO2FA)
  • 🔒 All tokens have limited rights (MAINTAIN-CRATESIOTKN)
• ⭐️ Apply code security best practices (MAINTAIN-CODESEC)

Build for production

• 👍 Build uses a trusted toolchain (BUILD-TOOLCHAIN)
• 🔒 Build uses --locked for reproducibility (BUILD-LOCKED)
• 👍 Build is fully reproducible (BUILD-REPRODUCIBLE)
• ⭐️ Build environment is ephemeral and isolated (BUILD-ISOLATED)
• ⭐️ Build uses cargo auditable to embed dependencies information (BUILD-AUDITABLE)
• 👍 Built binaries are signed (BUILD-SIGN)
• ℹ️ Build produces a Software Bill of Materials (BUILD-SBOM)

Run in production

• ⭐️ Production artifacts are regularly checked for vulnerabilities (PROD-AUDIT)