cargo-audit 0.22.2 adds binary scans to verify real vulnerability exposure
cargo-audit now shows which vulnerable functions are actually reached in binaries, helping Rust teams separate real exposure from noisy dependency alerts.

Cargo-audit 0.22.2 added binary scans that show whether an advisory’s affected functions are actually called, giving Rust teams a sharper way to decide what gets fixed, suppressed, or escalated. The release was tagged June 5, 2026, and the GitHub notes credit @smoelius for “Show affected functions in binaries.”
That matters because cargo-audit has long worked at the dependency level: it audits Cargo.lock files for crates with security vulnerabilities reported in the RustSec Advisory Database. That model is useful for broad coverage, but it can also flag code paths a project never uses, especially when an advisory applies only to a feature, branch, or optional API. Binary-level evidence changes the workflow by tying an alert to what actually ships, not just what sits in the lockfile.

The 0.22.2 release also included “Affected binary tweaks” from Dirkjan Ochtman and a new command-line option to skip checking for yanked crates. The tool still requires Rust 1.74 or later, and it remains installable with cargo install. In the README, Trail of Bits also points to reachsec, an experimental companion for additional function-level reachability context, which fits the same direction: less guesswork, more proof about what code paths matter.
RustSec describes cargo-audit as a tool for auditing Cargo.lock files, limiting the use of particular dependencies, and detecting multiple versions of the same package in a tree. That broader package-level view remains useful, but the new binary scans move the discussion closer to the call graph. Trail of Bits has pushed in that direction before with it-depends, which maps dependency graphs to known vulnerabilities, and siderophile, which traces dependency unsafety up the call graph.
The new release is already moving into the ecosystem. Arch Linux packaged cargo-audit 0.22.2-1 with a build date of June 5, 2026, and Homebrew lists 0.22.2 as the current stable version with about 290 installs in the last 30 days and 1,279 in the last 365 days. For teams already using cargo-audit in CI, the change makes the output more actionable: a dependency warning can now be backed by binary evidence, instead of forcing every advisory into the same queue.
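To make the dependency-versus-reachability distinction above concrete for a CI pipeline, here is an added triage script (not part of cargo-audit or the release) that reads `cargo audit --json` output and separates advisories scoped to specific functions, where binary evidence can confirm or rule out exposure, from advisories that cover the whole crate. The JSON layout, the crate names, and the `RUSTSEC-0000-000x` identifiers are assumed or constructed placeholders, not values from this page.

```python
import json

# Constructed sample standing in for `cargo audit --json` output.
# Field layout is an assumption modelled on the rustsec crate's Vulnerability
# struct (advisory / package / affected.functions); IDs and crates are placeholders.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": {
        "found": True,
        "count": 2,
        "list": [
            {
                "advisory": {"id": "RUSTSEC-0000-0001", "package": "example-http",
                             "title": "Placeholder: chunked parser overflow"},
                "package": {"name": "example-http", "version": "0.1.0"},
                "affected": {"functions": {"example_http::parse::chunked": ["< 0.1.1"]}},
            },
            {
                "advisory": {"id": "RUSTSEC-0000-0002", "package": "example-crypto",
                             "title": "Placeholder: crate-wide weak RNG"},
                "package": {"name": "example-crypto", "version": "2.0.0"},
                "affected": None,
            },
        ],
    }
})


def triage(report_json: str) -> dict:
    """Split findings into two queues.

    needs_reachability: advisory names affected functions, so a binary scan
                        can show whether those functions are actually present.
    whole_crate:        no function scope, so any use of the crate is exposure
                        and the finding should be fixed or escalated directly.
    """
    report = json.loads(report_json)
    needs_reachability, whole_crate = [], []
    for vuln in report["vulnerabilities"]["list"]:
        affected = vuln.get("affected") or {}
        entry = {
            "id": vuln["advisory"]["id"],
            "package": f'{vuln["package"]["name"]} {vuln["package"]["version"]}',
            "functions": sorted((affected.get("functions") or {}).keys()),
        }
        (needs_reachability if entry["functions"] else whole_crate).append(entry)
    return {"needs_reachability": needs_reachability, "whole_crate": whole_crate}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```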
This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under.

