diff --git a/Dockerfile b/Dockerfile
index 68a0409..14afe8d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -214,8 +214,12 @@ RUN curl -fsSL https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --p
 # mount, so cargo install artifacts there disappear inside the live container.
 USER root
 RUN /home/crafter/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/bin/cargo install \
-        --locked --root /usr/local cargo-audit cargo-deny \
-    && chmod 755 /usr/local/bin/cargo-audit /usr/local/bin/cargo-deny
+        --locked --root /usr/local cargo-deny \
+    && chmod 755 /usr/local/bin/cargo-deny
+# cargo-audit was historically here but its `git2` C-binding dep needs
+# libgit2-sys which fails in this base. cargo-deny supersedes it for our
+# use: `cargo deny check advisories` does the same RustSec-DB scan that
+# cargo-audit does. The rust audit recipe uses cargo-deny accordingly.
 USER crafter
 
 # ============================================================