Merge pull request #1530 from axodotdev/cargo-auditable-docs

duckinator · web-flow · commit 6d2e441d879d · 2024-11-06T14:07:44.000-05:00
Add cargo-auditable docs.
diff --git a/book/src/reference/config.md b/book/src/reference/config.md
@@ -41,6 +41,7 @@ We're currently in the middle of [a major config migration](https://github.com/a
     * [`msvc-crt-static`](#msvc-crt-static)
     * [`precise-builds`](#precise-builds)
     * [`rust-toolchain-version`](#rust-toolchain-version)
+    * [`cargo-auditable`](#cargo-auditable)
 
 [installer settings](#installer-settings)
 * [`installers`](#installers)
@@ -590,6 +591,15 @@ The syntax must be a valid rustup toolchain like "1.60.0" or "stable" (should no
 
 Without this setting, CI won't explicitly setup a toolchain, so whatever's on the machine will be used (with things like rust-toolchain.toml behaving as normal).
 
+#### `cargo-auditable`
+
+> <span style="float:right">since 0.26.0<br>[package-local][]</span>
+> default = `false`
+
+Specifies whether to use [`cargo auditable`](https://github.com/rust-secure-code/cargo-auditable) to embed metadata about your dependency tree into the built executables.
+When this value is false, dist will run `cargo build`; when it is true, dist will run `cargo auditable build`.
+
+You can then use [`cargo audit`](https://github.com/rustsec/rustsec/blob/main/cargo-audit/README.md) to audit your dependencies for security vulnerabilities that have been reported to the [RustSec Vulnerability Database](https://rustsec.org/).
 
 ## installer settings
 
diff --git a/book/src/supplychain-security/index.md b/book/src/supplychain-security/index.md
@@ -23,7 +23,7 @@ If you have an integration you are looking for [file an issue](https://github.co
 ## SBOMs and Dependency Managers
 
 * [🔜 cargo-CycloneDX](https://github.com/axodotdev/cargo-dist/issues/1016)
-* [🔜 cargo-auditable](https://github.com/axodotdev/cargo-dist/issues/81)
+* [cargo-auditable](../reference/config.html#cargo-auditable)
 
 
 ## Software identification
