Support scanning Rust binaries built with cargo auditable #1332

@Shnatsel

Description

cargo auditable is a project by Rust's Secure Code WG. It embeds the list of dependencies into the binary itself, so that it can then be audited for known vulnerabilities.

Auditing such binaries is already supported by cargo audit and Trivy. It would be nice to get support for it in osv-scanner as well.

cargo auditable is used for all Rust builds by at least 5 Linux distributions, including Alpine. A number of organizations use cargo auditable, but to the best of my knowledge only Microsoft has spoken about it publicly.

There is already a Go library for extracting this data, which should make the integration quite easy: https://github.com/microsoft/go-rustaudit

I am the principal author of cargo auditable and I'm happy to answer any questions you might have.
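An added example, not code from this issue, osv-scanner, cargo auditable or go-rustaudit, of what a scanner does once it has pulled the embedded data out of a binary. The format details are assumed from cargo auditable's documented layout rather than stated on this page: the ELF `.dep-v0` section holds a zlib-compressed JSON document whose `packages` entries carry `name`, `version`, `source`, an optional `kind` of `"build"` or `"runtime"`, `dependencies` as indices into the same list, and a `root` flag. The sample document is constructed.

```python
import json
import zlib

# Constructed sample of the document cargo auditable embeds (field layout
# assumed from cargo auditable's format, not taken from the issue above).
SAMPLE_DOC = {"packages": [
    {"name": "myapp", "version": "0.1.0", "source": "local", "root": True,
     "dependencies": [1, 3]},
    {"name": "libfoo", "version": "1.2.3", "source": "crates.io",
     "dependencies": [2]},
    {"name": "libbar", "version": "0.9.0", "source": "crates.io"},
    {"name": "build-helper", "version": "2.0.0", "source": "crates.io",
     "kind": "build"},
]}

def make_dep_v0_section(doc=SAMPLE_DOC):
    """Bytes of a `.dep-v0` section: the JSON document, zlib-compressed."""
    return zlib.compress(json.dumps(doc, separators=(",", ":")).encode())

def decode_dep_v0(section):
    """What a scanner does with an extracted section: inflate and parse it."""
    doc = json.loads(zlib.decompress(section))
    if not isinstance(doc, dict) or not isinstance(doc.get("packages"), list):
        raise ValueError("not a cargo auditable dependency document")
    return doc["packages"]

def reachable_from_roots(packages):
    """Indices reachable from root packages via `dependencies`; indices are
    validated because they come from an untrusted binary."""
    seen, stack = set(), [i for i, p in enumerate(packages) if p.get("root")]
    while stack:
        i = stack.pop()
        if i in seen:
            continue
        if not 0 <= i < len(packages):
            raise ValueError(f"dependency index {i} out of range")
        seen.add(i)
        stack.extend(packages[i].get("dependencies", []))
    return seen

def split_by_kind(packages):
    """({runtime}, {build}) sets of (name, version). Build-only dependencies
    never execute inside the shipped binary, so report them separately."""
    runtime, build = set(), set()
    for i in reachable_from_roots(packages):
        p = packages[i]
        kind = p.get("kind", "runtime")
        (build if kind == "build" else runtime).add((p["name"], p["version"]))
    return runtime, build
```

The runtime set is what would be matched against a vulnerability database; the build set is worth reporting too, since a vulnerable build dependency ran on the build host even though it is not in the artifact.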

Labels: enhancement (New feature or request)