A better cargo audit — typosquats, EOL crates, EPSS risk ranking for Rust

cargo audit reads your Cargo.lock and checks each crate against the RustSec Advisory Database — fast, well-maintained, and free. But RustSec only covers advisory-backed vulnerabilities. DepWarden adds the supply-chain and exploitability layer that cargo audit doesn't.

What cargo audit misses

Typosquatting on crates.io. A crate named serede (vs serde) or tokio-async (vs tokio) can slip in through a typo or a dependency confusion attack. cargo audit has no such detection; DepWarden runs name-similarity checks across your entire dependency tree.
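The name-similarity check described above, as an added Python example (not DepWarden's code): it pulls crate names out of a Cargo.lock and compares them against a hypothetical set of widely used crates, flagging one-character slips like serede and prefix/suffix variants like tokio-async. The POPULAR and ALLOWLIST sets and the sample lock file are constructed for the example.

```python
import re

# Constructed Cargo.lock fragment (sample input, not from any real project).
SAMPLE_CARGO_LOCK = """\
[[package]]
name = "serede"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "tokio-async"
version = "0.2.1"
"""

# Hypothetical set of widely used crates; a real scanner would derive it from crates.io download counts.
POPULAR = {"serde", "tokio", "rand", "regex"}
ALLOWLIST = {"serde_json", "serde_derive", "tokio-util"}  # legitimate companions, not squats


def lock_crate_names(text):
    """Return the package names declared in a Cargo.lock ([[package]] TOML tables)."""
    return re.findall(r'^\s*name\s*=\s*"([^"]+)"', text, flags=re.M)


def edit_distance(a, b):
    """Levenshtein distance, computed row by row so memory stays O(len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_findings(names, popular=POPULAR, allow=ALLOWLIST):
    """Map each suspicious crate name to (look-alike popular crate, rule that fired)."""
    findings = {}
    for name in names:
        if name in popular or name in allow:
            continue
        norm = name.replace("_", "-")  # crates.io treats '-' and '_' as the same name
        for target in sorted(popular):
            t = target.replace("_", "-")
            if edit_distance(norm, t) == 1:  # one-character slip: serede vs serde
                findings[name] = (target, "edit-distance-1")
                break
            if norm.startswith(t + "-") or norm.endswith("-" + t):  # tokio-async vs tokio
                findings[name] = (target, "prefix-suffix")
                break
    return findings
```

The prefix/suffix rule also matches legitimate companion crates such as serde_json, so in practice the allowlist needs to be maintained or replaced by a check that the publisher matches the base crate's owners.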

Abandoned crates and supply-chain health. Individual crates go unmaintained, get marked deprecated, or transfer ownership in ways that signal risk. DepWarden surfaces OpenSSF Scorecard scores, deprecation markers and last-commit staleness.

Cross-ecosystem CVEs. CVEs in C libraries linked via Rust FFI, in system dependencies, or in polyglot projects mixing Rust with Python/Node won't appear in RustSec. DepWarden uses the OSV mirror plus CISA KEV and FIRST EPSS across all ecosystems.

Usage: paste Cargo.lock at depwarden.in, or run npx depwarden scan Cargo.lock --fail-on high in CI. cargo audit and DepWarden are complementary — cargo audit has the deepest RustSec integration; DepWarden adds supply-chain signals and cross-ecosystem coverage.