NAUTILUS / RUST source 3eb18933
Pages

Rust Security and Supply Chain

Relevant Rust source files

  • Cargo.lock
  • deny.toml
  • .supply-chain/config.toml
  • .supply-chain/audits.toml
  • SECURITY.md
  • scripts/ci/security-audit-gate.sh
  • scripts/ci/check-github-action-shas.sh

The Rust supply-chain contract combines a locked dependency graph, advisory/license/policy checks, reviewed dependency audits, pinned CI actions, artifact checksums, and release attestations.

Dependency controls

Cargo.lock fixes resolved versions for reproducible workspace builds. cargo-deny policy in deny.toml checks advisories, licenses, bans, and source provenance. Cargo Vet data under .supply-chain/ records trust and audit criteria for dependencies. These tools answer different questions and should not be collapsed into one green badge.

Dependency updates require source and license review proportional to their role. Parsers, TLS/crypto, database drivers, provider SDKs, serialization, and unsafe/native dependencies deserve extra scrutiny. Keep default features minimal and verify the exact target-feature graph with Cargo metadata or tree inspection.

CI and artifacts

CI actions are pinned and checked by repository scripts. Release workflows create checksums and attestations, verify GitHub assets, and confirm published registry state. The verified subject is the produced artifact and source revision, not merely a successful compilation log.

Runtime secrets

Databento API keys and Interactive Brokers credentials/session state belong in deployment secret stores. Do not place secrets in Cargo config, examples, logs, fixtures, URLs, or crash reports. Diagnostics should report whether required configuration is present and which identity/endpoint is selected, never secret values.

Network and decoding boundaries

Treat all provider, broker, and database input as untrusted. Enforce frame sizes, timeouts, bounded retries, schema/version checks, numeric ranges, and explicit deserialization errors. Reconnect code must avoid unbounded task creation and duplicate subscription fan-out.

Security reports follow SECURITY.md. Public issues are not the correct channel for undisclosed vulnerabilities.