
feat: capability index for crates.io #56

@bordumb

Description


Capability Index for crates.io

Command: cargo capsec index (batch scanner) + hosted web UI

Value proposition: A searchable database of capability profiles for every crate on crates.io. Before you cargo add a dependency, check what it does to your system. This is the long-term play that makes capsec ecosystem infrastructure.

User stories:

  • As a developer choosing between HTTP clients, I want to compare their capability profiles (NET only? Or also FS, PROC, FFI?) before adding a dependency.
  • As a security team, I want to see every crate in our dependency tree with a non-empty capability profile, so I can prioritize review.

Tasks

5.1 — Batch scanner

Build a CLI mode that scans a list of crates from the registry in batch:

use std::path::PathBuf;

#[derive(clap::Args)]
pub struct IndexArgs {
    /// File containing crate specifiers, one per line (name@version)
    #[arg(long)]
    pub crates_file: Option<PathBuf>,
    /// Scan top N most-downloaded crates from crates.io
    #[arg(long)]
    pub top: Option<usize>,
    /// Output directory for capability profiles
    #[arg(short, long, default_value = "capsec-index")]
    pub output: PathBuf,
    /// Number of parallel scanners
    #[arg(long, default_value_t = 4)]
    pub jobs: usize,
}

Output: one JSON file per crate with the capability profile.

5.2 — Capability profile schema

{
  "crate": "reqwest",
  "version": "0.12.12",
  "scanned_at": "2026-03-24T12:00:00Z",
  "scanner_version": "0.5.0",
  "profile": {
    "fs": { "count": 3, "max_risk": "medium", "subcategories": ["read", "metadata"] },
    "net": { "count": 18, "max_risk": "high", "subcategories": ["connect", "bind", "listen"] },
    "env": { "count": 4, "max_risk": "medium", "subcategories": ["read"] },
    "process": { "count": 0 },
    "ffi": { "count": 12, "max_risk": "high", "subcategories": ["extern", "ffi_call"] }
  },
  "classification": "resource",
  "total_findings": 37,
  "findings": [ /* full findings array */ ]
}

5.3 — Profile comparison CLI

The command cargo capsec index compare reqwest ureq reads both profiles from the local index directory and prints the side-by-side comparison described in Epic 1.5.
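The per-category comparison behind 5.3, as an added example that is not capsec's own code: it models the 5.2 schema with std-only Rust types (no serde, so the JSON parsing step is skipped) and decides per category whether one crate's capabilities are broader than the other's. The reqwest numbers are taken from the schema example above; the ureq profile and the Verdict, compare_category and samples names are constructed for illustration.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// Risk levels from the schema's max_risk field, ordered so they can be compared.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Risk { Low, Medium, High }

/// One profile category; max_risk is None when count == 0 (the schema's `"process": { "count": 0 }`).
#[derive(Clone, Debug, Default, PartialEq, Eq)]
pub struct Category { pub count: usize, pub max_risk: Option<Risk>, pub subcategories: Vec<&'static str> }
pub struct Profile { pub krate: &'static str, pub categories: BTreeMap<&'static str, Category> }
pub const CATEGORIES: [&str; 5] = ["fs", "net", "env", "process", "ffi"];
#[derive(Debug, PartialEq, Eq)]
pub enum Verdict { Equal, LeftBroader, RightBroader, Mixed }

/// Higher-or-equal max_risk plus a superset of subcategories is "broader"; anything else is Mixed.
pub fn compare_category(a: &Category, b: &Category) -> Verdict {
    use std::cmp::Ordering::*;
    let (sa, sb): (BTreeSet<_>, BTreeSet<_>) = (a.subcategories.iter().collect(), b.subcategories.iter().collect());
    match (a.max_risk.cmp(&b.max_risk), sa.is_superset(&sb), sb.is_superset(&sa)) {
        (Equal, true, true) => Verdict::Equal,
        (Greater, true, _) | (Equal, true, false) => Verdict::LeftBroader,
        (Less, _, true) | (Equal, false, true) => Verdict::RightBroader,
        _ => Verdict::Mixed,
    }
}

/// Side-by-side rows over the fixed category list; a category missing from a profile is empty.
pub fn compare(a: &Profile, b: &Profile) -> Vec<(&'static str, Verdict)> {
    let pick = |p: &Profile, c: &&'static str| p.categories.get(c).cloned().unwrap_or_default();
    CATEGORIES.iter().map(|c| (*c, compare_category(&pick(a, c), &pick(b, c)))).collect()
}
/// Security-team filter (second user story): does the crate touch the system at all?
pub fn has_capabilities(p: &Profile) -> bool { p.categories.values().any(|c| c.count > 0) }
pub fn cat(count: usize, max_risk: Option<Risk>, subs: &[&'static str]) -> Category {
    Category { count, max_risk, subcategories: subs.to_vec() }
}

/// reqwest numbers are copied from the schema example above; the ureq profile is constructed.
pub fn samples() -> (Profile, Profile) {
    let reqwest = Profile { krate: "reqwest", categories: BTreeMap::from([
        ("fs", cat(3, Some(Risk::Medium), &["read", "metadata"])),
        ("net", cat(18, Some(Risk::High), &["connect", "bind", "listen"])),
        ("env", cat(4, Some(Risk::Medium), &["read"])),
        ("process", cat(0, None, &[])),
        ("ffi", cat(12, Some(Risk::High), &["extern", "ffi_call"])),
    ]) };
    let ureq = Profile { krate: "ureq", categories: BTreeMap::from([
        ("net", cat(6, Some(Risk::High), &["connect"])), ("env", cat(1, Some(Risk::Medium), &["read"])),
    ]) };
    (reqwest, ureq)
}
```

A Mixed verdict (one crate riskier in a category but not a superset of the other's subcategories) is the case the side-by-side table should flag for manual review rather than rank.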

5.4 — Static site generator (stretch)

Generate a searchable static site (Hugo, Zola, or plain HTML) from the index. Deploy to GitHub Pages. Each crate gets a page showing its capability profile, badge, and diff against previous versions.

This is the "capsec.dev" play — become the place people check before adding a dependency.

5.5 — crates.io integration (long-term)

Propose a capsec field in the crates.io API response, or a separate microservice that returns capability profiles on demand.
