priority: critical

Security & Vulnerability Management

Dependency Auditing

cargo audit on every CI run (fail on known vulns)
cargo deny check advisories bans sources for comprehensive checks
Pin critical deps to known-safe versions

Fuzzing

cargo-fuzz with targets in fuzz/fuzz_targets/ for each public API surface
Run in CI with timeout limits
Save failing inputs as regression tests

Unsafe Code

EVERY unsafe block needs // SAFETY: comment (invariant, why it holds, what breaks)
Isolate unsafe in dedicated modules; public API must be safe
Review checklist: valid pointers, aligned, no UAF, no double-free, no data races, type safety across FFI

Security Testing

No panics on untrusted input (return Result, never unwrap())
Test adversarial inputs: empty, max-size, null pointers, concurrency stress
Property-based testing with proptest

deny.toml

[advisories]
vulnerability = "deny"
unmaintained = "warn"

[bans]
multiple-versions = "warn"
wildcards = "warn"

[sources]
unknown-registry = "warn"
unknown-git = "warn"

Release Security Checklist

cargo audit + cargo deny check pass
All unsafe blocks have SAFETY comments
Fuzzing targets pass
No panics on arbitrary input
SECURITY.md updated

Anti-Patterns

No SAFETY comments on unsafe
Unsafe in public API
Ignoring cargo-audit warnings
unwrap() on untrusted input
No fuzzing of parsers
Outdated dependencies

security-and-vulnerability-managementSafety 95Repository

Package Files

priority: critical

Security & Vulnerability Management

Dependency Auditing

Fuzzing

Unsafe Code

Security Testing

deny.toml

Release Security Checklist

Anti-Patterns

Install

AI Quality Score

Metadata

Tags

security-and-vulnerability-managementSafety 95Repository ShareFavorite skill

Package Files

priority: critical

Security & Vulnerability Management

Dependency Auditing

Fuzzing

Unsafe Code

Security Testing

deny.toml

Release Security Checklist

Anti-Patterns

Install

AI Quality Score

Metadata

Tags

security-and-vulnerability-managementSafety 95Repository