Overview
make audit and make deny invoke cargo audit and cargo deny check directly (Makefile lines for audit and deny). On a fresh contributor environment or CI runner without those binaries pre-installed, both targets fail with make: cargo: Command not found (or worse, "command missing" mid-pipeline) and block the CI explanation ("load a deny.toml") rather than guiding the user to install the tool first. README's "Security Scans" section promises make audit and make deny as entry points but doesn't list the dependency.
Evidence
```make
# Makefile
audit:
	@echo "🔒 Running security audit..."
	cargo audit
	@echo "✅ Security audit passed"

deny:
	@echo "📋 Checking license compliance..."
	cargo deny check
	@echo "✅ License check passed"
```
Neither target guards for the absence of the binary. CONTRIBUTING.md does not mention cargo-audit / cargo-deny as install steps. CI does not pre-install them either (assumed from a typical GH Actions workflow — not strictly visible from the repo).
Impact
- New contributors hit a wall at make audit / make deny with no recovery instruction.
- CI that lints both ways is silently disabled when one tool is missing.
- Hard to triage: a real vulnerability finding and a missing binary look the same in the logs.
Recommended Approach
Pre-check the binary and produce a crisp error message, e.g.:
```make
audit:
	@if ! command -v cargo-audit >/dev/null 2>&1; then \
		echo "❌ cargo-audit not installed. Run 'cargo install cargo-audit --locked' then retry." >&2; \
		exit 1; \
	fi
	@echo "🔒 Running security audit..."
	cargo audit
	@echo "✅ Security audit passed"

deny:
	@if ! command -v cargo-deny >/dev/null 2>&1; then \
		echo "❌ cargo-deny not installed. Run 'cargo install cargo-deny --locked' then retry." >&2; \
		exit 1; \
	fi
	@echo "📋 Checking license compliance..."
	cargo deny check
	@echo "✅ License check passed"
```
Alternatively, factor into a single make setup step that the README/CONTRIBUTING.md recommends users run first.
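As an added example (not the project's Makefile or any code from the repo), a POSIX sh helper that both recipes could source: it checks every required cargo subcommand up front and reports all missing ones at once, and it returns a distinct exit code for "tool missing" (2) versus "scan reported problems" (1), which addresses the triage point under Impact. The CARGO variable and the script path in the usage comment are assumptions so the wrapper can be exercised with a stub.

```shell
#!/bin/sh
# Guard helpers for cargo-audit / cargo-deny recipes (added example, not project code).
# CARGO is an assumed override hook; it defaults to the real cargo binary.
CARGO="${CARGO:-cargo}"

# Print the install hint for a cargo subcommand binary (cargo-audit, cargo-deny, ...).
install_hint() {
  printf "❌ cargo-%s not installed. Run 'cargo install cargo-%s --locked' then retry.\n" "$1" "$1"
}

# Return 0 if cargo-<sub> is on PATH; otherwise print the hint to stderr and return 2.
require_cargo_subcommand() {
  if command -v "cargo-$1" >/dev/null 2>&1; then
    return 0
  fi
  install_hint "$1" >&2
  return 2
}

# Check every subcommand given and report all missing ones before failing,
# so a contributor installs everything in one go instead of one per run.
# Suitable for a 'make setup'-style pre-flight target.
check_tools() {
  missing=0
  for sub in "$@"; do
    require_cargo_subcommand "$sub" || missing=$((missing + 1))
  done
  [ "$missing" -eq 0 ] || return 2
}

# run_scan audit | run_scan deny check
# Exit codes: 0 clean, 1 the scanner itself reported problems, 2 scanner not installed.
run_scan() {
  require_cargo_subcommand "$1" || return 2
  "$CARGO" "$@"
  rc=$?
  if [ "$rc" -ne 0 ]; then
    echo "⚠️  'cargo $*' exited with $rc: real findings, not a missing tool" >&2
    return 1
  fi
  return 0
}

# Usage from a recipe (assumed script path): . ./scripts/cargo-guard.sh && run_scan deny check
```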
Acceptance Criteria
- make audit and make deny emit a clear "tool not installed — run cargo install …" message and a non-zero exit code when the binary is missing
- make audit / make deny
- The CI workflow (.github/workflows/*.yml) installs cargo-audit and cargo-deny, either via dedicated steps or via a matrix that fails fast if missing
Affected Files
- Makefile
- README.md (Security Scans section)
- CONTRIBUTING.md (if it exists; otherwise create it — see related docs hygiene)
- .github/workflows/ci.yml or equivalent