{"id":14110204,"url":"https://github.com/cackle-rs/cackle","last_synced_at":"2025-04-08T01:35:30.402Z","repository":{"id":149314015,"uuid":"621101554","full_name":"cackle-rs/cackle","owner":"cackle-rs","description":"A code ACL checker for Rust","archived":false,"fork":false,"pushed_at":"2024-10-10T21:54:27.000Z","size":941,"stargazers_count":200,"open_issues_count":5,"forks_count":7,"subscribers_count":3,"default_branch":"main","last_synced_at":"2024-10-29T07:06:35.315Z","etag":null,"topics":["rust-lang","security","supply-chain"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cackle-rs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"davidlattimore"}},"created_at":"2023-03-30T01:55:48.000Z","updated_at":"2024-10-27T09:12:58.000Z","dependencies_parsed_at":"2024-01-01T23:49:04.642Z","dependency_job_id":"9263c6e0-b515-4040-b124-0d53e83b1d7b","html_url":"https://github.com/cackle-rs/cackle","commit_stats":null,"previous_names":["cackle-rs/cackle","davidlattimore/cackle"],"tags_count":9,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cackle-rs%2Fcackle","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cackle-rs%2Fcackle/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cackle-rs%2Fcackle/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cackle-rs%2Fcackle/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cackle-rs","download_url":"https://codeload.github.com/cackle-rs/cackle/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247761051,"owners_count":20991531,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["rust-lang","security","supply-chain"],"created_at":"2024-08-14T10:02:43.056Z","updated_at":"2025-04-08T01:35:30.383Z","avatar_url":"https://github.com/cackle-rs.png","language":"Rust","funding_links":["https://github.com/sponsors/davidlattimore"],"categories":["Rust"],"sub_categories":[],"readme":"# Cackle / cargo acl\n\nA code ACL checker for Rust.\n\nCackle is a tool to analyse the transitive dependencies of your crate to see what kinds of APIs each\ncrate uses.\n\nThe idea is to look for crates that are using APIs that you don't think they should be using. For\nexample a crate that from its description should just be doing some data processing, but is actually\nusing network APIs.\n\n## Installation\n\nCurrently Cackle only works on Linux. See [PORTING.md](PORTING.md) for more details.\n\n```sh\ncargo install --locked cargo-acl\n```\n\nOr if you'd like to install from git:\n\n```sh\ncargo install --locked --git https://github.com/cackle-rs/cackle.git cargo-acl\n```\n\nInstalling `bubblewrap` is recommended as it allows build scripts (build.rs), tests and rustc to be\nrun inside a sandbox.\n\nOn systems with `apt`, this can be done by running:\n\n```sh\nsudo apt install bubblewrap\n```\n\n## Usage\n\nFrom the root of your project (the directory containing `Cargo.toml`), run:\n\n```sh\ncargo acl\n```\n\nThis will interactively guide you through creating an initial `cackle.toml`. Some manual editing of\nyour `cackle.toml` is recommended. In particular, you should look through your dependency tree and\nthink about which crates export APIs that you'd like to restrict. e.g. if you're using a crate that\nprovides network APIs, you should declare this in your config. See [CONFIG.md](CONFIG.md) for more\ndetails.\n\n## Running from CI\n\nCackle can be run from GitHub actions. See the instructions in the\n[cackle-action](https://github.com/cackle-rs/cackle-action) repository.\n\n## Features\n\n* Checks what APIs are used by each crate in your dependency tree.\n* Ignores dead code, so if a crate uses an API, but in code that isn't called in your binary, then\n  it doesn't count.\n* Restrict which crates are allowed to use unsafe.\n* A terminal UI that shows problems as they're found.\n  * Preview the source where the API usage or unsafe was detected.\n  * For API usages, show a backtrace of how that code is reachable.\n  * Select from several edits that can be applied to your config file to allow the usage.\n* Can run build scripts and tests in a sandbox to restrict network and filesystem access.\n* The sandbox for each build script is configured separately, so if one build script needs extra\n  access you can grant it to just that build script.\n* Can run rustc in a sandbox, thus sandboxing all proc macros. This however is currently not\n  granular, so if one proc macro needs more access it needs to be granted to all. Fortunately proc\n  macros that need network access are relatively rare.\n\n## Limitations and precautions\n\n* A proc macro might detect that it's being run under Cackle and emit different code.\n* Even without proc macros, a crate may use problematic APIs only in certain configurations\n  that don't match the configuration used when you run Cackle.\n* This tool is intended to supplement and aid manual review of 3rd party code, not replace it.\n* Your configuration might miss defining an API provided by a crate as falling into a certain\n  category that you care about.\n* There are undoubtedly countless ways that a determined person could circumvent detection that\n  they're using some APIs. With time we may try to prevent such circumventions, but for now, you\n  should definitely assume that circumvention is possible.\n\nWith all these limitations, what's the point? The goal really is to just raise the bar for what's\nrequired to sneak problematic code unnoticed into some package. Use of Cackle should not replace any\nmanual code reviews of your dependencies that you would otherwise have done.\n\n## How it works\n\nSee [HOW_IT_WORKS.md](HOW_IT_WORKS.md).\n\n## FAQ\n\n[FAQ](FAQ.md)\n\n## Contributing\n\nContributions are very welcome. If you'd like to get involved, please reach out either by filing an\nissue or emailing David Lattimore (email address is in the commit log).\n\n## License\n\nThis software is distributed under the terms of both the MIT license and the Apache License (Version\n2.0).\n\nSee LICENSE for details.\n\nUnless you explicitly state otherwise, any contribution intentionally submitted for inclusion in\nthis crate by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without\nany additional terms or conditions.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcackle-rs%2Fcackle","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcackle-rs%2Fcackle","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcackle-rs%2Fcackle/lists"}