
feat: capability index for crates.io #56

@bordumb

Description

Capability Index for crates.io

Command: cargo capsec index (batch scanner) + hosted web UI

Value proposition: A searchable database of capability profiles for every crate on crates.io. Before you cargo add a dependency, check what it does to your system. This is the long-term play that makes capsec ecosystem infrastructure.

User stories:

  • As a developer choosing between HTTP clients, I want to compare their capability profiles (NET only? Or also FS, PROC, FFI?) before adding a dependency.
  • As a security team, I want to see every crate in our dependency tree with a non-empty capability profile, so I can prioritize review.

Tasks

5.1 — Batch scanner

Build a CLI mode that scans a list of crates from the registry in batch:

use std::path::PathBuf;

/// Arguments for `cargo capsec index` (batch scan of registry crates)
#[derive(clap::Args)]
pub struct IndexArgs {
    /// File containing crate specifiers, one per line (name@version)
    #[arg(long)]
    pub crates_file: Option<PathBuf>,
    /// Scan top N most-downloaded crates from crates.io
    #[arg(long)]
    pub top: Option<usize>,
    /// Output directory for capability profiles
    #[arg(short, long, default_value = "capsec-index")]
    pub output: PathBuf,
    /// Number of parallel scanners
    #[arg(long, default_value_t = 4)]
    pub jobs: usize,
}

Output: one JSON file per crate with the capability profile.
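As an added example (not capsec's own code), the pieces of the batch scanner that do not depend on the analyzer itself: parsing the `--crates-file` lines into name@version specifiers, validating the crate name before it is used to build the per-crate output file name (so an unvalidated name can never steer a profile outside the output directory), and fanning the scan out over at most `--jobs` threads with std only. The `CrateSpec`, `parse_spec`, `scan_in_parallel` and `profile_file_name` names are assumptions for this example, as is the 64-character name limit; the scan closure passed in stands in for the real analyzer.

```rust
// Added example, not capsec's own code: crates-file parsing and a bounded
// worker pool for `cargo capsec index`. Names and the 64-char limit are assumed.
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::Mutex;
use std::thread;

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct CrateSpec {
    pub name: String,
    pub version: String,
}

/// Registry names are ASCII alphanumerics plus '-' and '_' (assumed max 64 chars).
/// Rejecting anything else also keeps the profile file name, which is derived
/// from the crate name, from escaping the output directory.
pub fn is_valid_crate_name(name: &str) -> bool {
    !name.is_empty()
        && name.len() <= 64
        && name.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-' || b == b'_')
}

/// Parse one `name@version` line.
pub fn parse_spec(line: &str) -> Result<CrateSpec, String> {
    let (name, version) = line
        .split_once('@')
        .ok_or_else(|| format!("missing '@' in {line:?}"))?;
    if !is_valid_crate_name(name) {
        return Err(format!("invalid crate name {name:?}"));
    }
    if version.is_empty() || version.chars().any(char::is_whitespace) {
        return Err(format!("invalid version {version:?} for {name}"));
    }
    Ok(CrateSpec { name: name.to_string(), version: version.to_string() })
}

/// Parse the whole crates-file contents; blank lines and `#` comments are skipped.
/// Fails on the first bad line so a typo never silently drops a crate from the index.
pub fn parse_crates_file(contents: &str) -> Result<Vec<CrateSpec>, String> {
    contents
        .lines()
        .map(str::trim)
        .filter(|l| !l.is_empty() && !l.starts_with('#'))
        .map(parse_spec)
        .collect()
}

/// File name of a crate's profile inside the output directory (one JSON per crate).
pub fn profile_file_name(spec: &CrateSpec) -> String {
    format!("{}-{}.json", spec.name, spec.version)
}

/// Run `scan` over every spec on at most `jobs` threads; results keep input order.
/// Workers pull the next index from a shared atomic cursor, so one slow crate
/// does not stall the rest of the batch.
pub fn scan_in_parallel<T, F>(specs: &[CrateSpec], jobs: usize, scan: F) -> Vec<Result<T, String>>
where
    T: Send,
    F: Fn(&CrateSpec) -> Result<T, String> + Sync,
{
    let jobs = jobs.max(1).min(specs.len().max(1));
    let next = AtomicUsize::new(0);
    let results: Vec<Mutex<Option<Result<T, String>>>> =
        specs.iter().map(|_| Mutex::new(None)).collect();
    thread::scope(|s| {
        for _ in 0..jobs {
            s.spawn(|| loop {
                let i = next.fetch_add(1, Ordering::Relaxed);
                if i >= specs.len() {
                    break;
                }
                let r = scan(&specs[i]);
                *results[i].lock().unwrap() = Some(r);
            });
        }
    });
    results
        .into_iter()
        .map(|m| m.into_inner().unwrap().expect("every slot is filled"))
        .collect()
}

fn main() {
    // Constructed input standing in for the --crates-file contents.
    let specs = parse_crates_file("# constructed\nreqwest@0.12.12\nureq@2.10.0\n").unwrap();
    // The real analyzer would run here; this stand-in only names the output file.
    for r in scan_in_parallel(&specs, 4, |s| Ok(profile_file_name(s))) {
        println!("{}", r.unwrap());
    }
}
```

The scan closure is where the per-crate analysis plugs in; because the pool only hands it a validated `CrateSpec`, the output path and the registry download URL are built from checked input rather than from a raw line of the file.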

5.2 — Capability profile schema

{
  "crate": "reqwest",
  "version": "0.12.12",
  "scanned_at": "2026-03-24T12:00:00Z",
  "scanner_version": "0.5.0",
  "profile": {
    "fs": { "count": 3, "max_risk": "medium", "subcategories": ["read", "metadata"] },
    "net": { "count": 18, "max_risk": "high", "subcategories": ["connect", "bind", "listen"] },
    "env": { "count": 4, "max_risk": "medium", "subcategories": ["read"] },
    "process": { "count": 0 },
    "ffi": { "count": 12, "max_risk": "high", "subcategories": ["extern", "ffi_call"] }
  },
  "classification": "resource",
  "total_findings": 37,
  "findings": [ /* full findings array */ ]
}

5.3 — Profile comparison CLI

cargo capsec index compare reqwest ureq reads from the local index directory and outputs the side-by-side comparison from Epic 1.5.
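As an added example serving both 5.2 and 5.3 (not capsec's own code), the aggregation step that turns raw findings into the per-category profile of the schema above, and the side-by-side comparison that `cargo capsec index compare` prints. The `Finding` shape, the `Risk` ordering, and the "pure"/"resource" classification rule are assumptions for this example; the schema only shows "resource". Every category is emitted even when its count is zero, matching the `"process": { "count": 0 }` entry above, so a consumer never has to guess whether a missing key means "unused" or "not scanned".

```rust
// Added example, not capsec's own code: build the 5.2 profile from findings and
// render the 5.3 comparison. Finding shape and classification rule are assumed.
use std::collections::{BTreeMap, BTreeSet};
use std::fmt::Write as _;

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Risk { Low, Medium, High }

impl Risk {
    fn label(self) -> &'static str {
        match self { Risk::Low => "low", Risk::Medium => "medium", Risk::High => "high" }
    }
}

/// One raw scanner finding (shape assumed for the example).
#[derive(Debug, Clone)]
pub struct Finding {
    pub category: &'static str,    // "fs", "net", "env", "process", "ffi"
    pub subcategory: &'static str, // e.g. "read", "connect"
    pub risk: Risk,
}

/// Per-category entry of the 5.2 schema: count, worst risk seen, distinct subcategories.
#[derive(Debug, Clone, Default, PartialEq, Eq)]
pub struct CategoryProfile {
    pub count: usize,
    pub max_risk: Option<Risk>,
    pub subcategories: BTreeSet<String>,
}

pub type Profile = BTreeMap<String, CategoryProfile>;
pub const CATEGORIES: [&str; 5] = ["fs", "net", "env", "process", "ffi"];

/// Collapse findings into the profile; every category is present, count 0 when unused.
pub fn build_profile(findings: &[Finding]) -> Profile {
    let mut profile: Profile =
        CATEGORIES.iter().map(|c| (c.to_string(), CategoryProfile::default())).collect();
    for f in findings {
        let entry = profile.entry(f.category.to_string()).or_default();
        entry.count += 1;
        entry.max_risk = Some(entry.max_risk.map_or(f.risk, |m| m.max(f.risk)));
        entry.subcategories.insert(f.subcategory.to_string());
    }
    profile
}

/// Assumed rule: "pure" when no category has findings, otherwise "resource".
pub fn classify(profile: &Profile) -> &'static str {
    if profile.values().all(|c| c.count == 0) { "pure" } else { "resource" }
}

fn risk_label(r: Option<Risk>) -> &'static str {
    r.map_or("-", Risk::label)
}

/// Categories where the two profiles differ in count or worst risk, in CATEGORIES order.
pub fn diff(a: &Profile, b: &Profile) -> Vec<(String, CategoryProfile, CategoryProfile)> {
    CATEGORIES
        .iter()
        .filter_map(|c| {
            let x = a.get(*c).cloned().unwrap_or_default();
            let y = b.get(*c).cloned().unwrap_or_default();
            if x.count != y.count || x.max_risk != y.max_risk { Some((c.to_string(), x, y)) } else { None }
        })
        .collect()
}

/// Text table for `cargo capsec index compare`; rows that differ are marked with '*'.
pub fn render_comparison(left: &str, a: &Profile, right: &str, b: &Profile) -> String {
    let mut out = String::new();
    let _ = writeln!(out, " {:<7} {:>14} {:>14}", "category", left, right);
    for c in CATEGORIES {
        let x = a.get(c).cloned().unwrap_or_default();
        let y = b.get(c).cloned().unwrap_or_default();
        let mark = if x.count != y.count || x.max_risk != y.max_risk { "*" } else { " " };
        let _ = writeln!(
            out,
            "{mark}{c:<7} {:>14} {:>14}",
            format!("{} ({})", x.count, risk_label(x.max_risk)),
            format!("{} ({})", y.count, risk_label(y.max_risk)),
        );
    }
    out
}

fn main() {
    // Constructed findings, not real scan results.
    let reqwest = build_profile(&[
        Finding { category: "net", subcategory: "connect", risk: Risk::High },
        Finding { category: "fs", subcategory: "read", risk: Risk::Low },
    ]);
    let ureq = build_profile(&[Finding { category: "net", subcategory: "connect", risk: Risk::High }]);
    print!("{}", render_comparison("reqwest", &reqwest, "ureq", &ureq));
    println!("reqwest: {}, ureq: {}", classify(&reqwest), classify(&ureq));
}
```

`max_risk` is the per-category worst case rather than an average, so a single high-risk `listen` among many low-risk `connect` calls still surfaces as "high" in the comparison; that is the number a reviewer triages on. Serialization to the JSON in 5.2 is a straightforward serde derive over `CategoryProfile` and is left out here to keep the block std-only.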

5.4 — Static site generator (stretch)

Generate a searchable static site (Hugo, Zola, or plain HTML) from the index. Deploy to GitHub Pages. Each crate gets a page showing its capability profile, badge, and diff against previous versions.

This is the "capsec.dev" play — become the place people check before adding a dependency.

5.5 — crates.io integration (long-term)

Propose a capsec field in the crates.io API response, or a separate microservice that returns capability profiles on demand.
