Rust

The Best Rust Static Analysis Tools (Linters/Formatters)

We rank 60 Rust linters, code analyzers, formatters, and more. Find and compare tools like Mega-Linter, clippy, Sonatype, and more. Please rate and review tools that you've used. This helps others find the best tools for their projects.

40 Rust Tools

Sponsored
Need help migrating to Rust?

Need help migrating to Rust?

corrode is a friendly consultancy that helps you make the most of Rust. We offer training, mentoring, and development services. Reach out today for expert help in developing reliable and efficient software!

clippy

A code linter to catch common mistakes and improve your Rust code.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter
  • 96% upvoted

rust-analyzer

Supports functionality such as 'goto definition', type inference, symbol search, reformatting, and code completion, and enables renaming and refactorings.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedide-plugin
  • Maintainedformatter
  • 92% upvoted

cargo-audit

Audit Cargo.lock for crates with security vulnerabilities reported to the RustSec Advisory Database.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter
  • 94% upvoted

rustfmt

A tool for formatting Rust code according to style guidelines.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedformatter
  • 95% upvoted

cargo-bloat

Find out what takes most of the space in your executable. supports ELF (Linux, BSD), Mach-O (macOS) and PE (Windows) binaries.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter
  • 78% upvoted

MIRAI

And abstract interpreter operating on Rust's mid-level intermediate language, and providing warnings based on taint analysis.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter
  • 100% upvoted

Prusti

A static verifier for Rust, based on the Viper verification infrastructure. By default Prusti verifies absence of panics by proving that statements such as unreachable!() and panic!() are unreachable.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter
  • 100% upvoted

cargo-expand

Cargo subcommand to show result of macro expansion and #[derive] expansion applied to the current crate. This is a wrapper around a more verbose compiler command.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter
  • 89% upvoted

cargo-spellcheck

Checks all your documentation for spelling and grammar mistakes with hunspell (ready) and languagetool (preview)

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter
  • 100% upvoted

cargo udeps

Find unused dependencies in Cargo.toml. It either prints out a "unused crates" line listing the crates, or it prints out a line saying that no crates were unused.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter
  • 100% upvoted

Rust Language Server

Supports functionality such as 'goto definition', symbol search, reformatting, and code completion, and enables renaming and refactorings.

  • DeprecatedDeprecated
  • DeprecatedRust
  • Deprecatedide-plugin
  • Deprecatedformatter
  • 68% upvoted

Rudra

Rust Memory Safety & Undefined Behavior Detection. It is capable of analyzing single Rust packages as well as all the packages on crates.io.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter
  • 100% upvoted

cargo-deny

A cargo plugin for linting your dependencies. It can be used either as a command line too, a Rust crate, or a Github action for CI. It checks for valid license information, duplicate crates, security vulnerabilities, and more.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter
  • 83% upvoted

cargo-inspect

Inspect Rust code without syntactic sugar to see what the compiler does behind the curtains.

  • DeprecatedDeprecated
  • DeprecatedRust
  • Deprecatedcli
  • Deprecatedlinter
  • 75% upvoted

dylint

A tool for running Rust lints from dynamic libraries. Dylint makes it easy for developers to maintain their own personal lint collections.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter
  • 100% upvoted

electrolysis

A tool for formally verifying Rust programs by transpiling them into definitions in the Lean theorem prover.

  • DeprecatedDeprecated
  • DeprecatedRust
  • Deprecatedcli
  • Deprecatedlinter
  • 100% upvoted

rustfix

Read and apply the suggestions made by rustc (and third-party lints, like those offered by clippy).

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter
  • 100% upvoted

RustViz

RustViz is a tool that generates visualizations from simple Rust programs to assist users in better understanding the Rust Lifetime and Borrowing mechanism. It generates SVG files with graphical indicators that integrate with mdbook to render visualizations of data-flow in Rust programs.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter
  • 100% upvoted

prae

Provides a convenient macro that allows you to generate type wrappers that promise to always uphold arbitrary invariants that you specified.

  • DeprecatedDeprecated
  • DeprecatedRust
  • Deprecatedcli
  • Deprecatedlinter
  • 100% upvoted

cargo-semver-checks

Scan your Rust crate releases for semver violations. It can be used either directly via the CLI, as a GitHub Action in CI, or via release managers like release-plz. It found semver violations in more than 1 in 6 of the top 1000 most-downloaded crates on crates.io.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter
  • 100% upvoted

cargo-unused-features

Find potential unused enabled feature flags and prune them. You can generate a simple HTML report from the json to make it easier to inspect results. It removes a feature of a dependency and then compiles the project to see if it still compiles. If it does, the feature flag can possibly be removed, but it can be a false-positive.

  • DeprecatedDeprecated
  • DeprecatedRust
  • Deprecatedcli
  • Deprecatedlinter
  • 100% upvoted

kani

The Kani Rust Verifier is a bit-precise model checker for Rust. Kani is particularly useful for verifying unsafe code blocks in Rust, where the "unsafe superpowers" are unchecked by the compiler. Kani verifies:

  • Memory safety (e.g., null pointer dereferences)
  • User-specified assertions (i.e., assert!(...))
  • The absence of panics (e.g., unwrap() on None values)
  • The absence of some types of unexpected behavior (e.g., arithmetic overflows)
  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter
  • 100% upvoted

diff.rs

Web application (WASM) to render a diff between Rust crate versions.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter
  • 100% upvoted

lockbud

Statically detects Rust deadlocks bugs. It currently detects two common kinds of deadlock bugs: doublelock and locks in conflicting order. It will print bugs in JSON format together with the source code location and an explanation of each bug.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter
  • 100% upvoted

hyperfine

A command-line benchmarking tool It features statistical analysis across multiple runs, support for arbitrary shell commands, constant feedback about the benchmark progress and current estimates, warmup runs, a simple and expressive syntax, and more.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter
  • 100% upvoted

loom

Concurrency permutation testing tool for Rust. It runs a test many times, permuting the possible concurrent executions of that test.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter
  • 100% upvoted

MIRI

An interpreter for Rust's mid-level intermediate representation, which can detect certain classes of undefined behavior like out-of-bounds memory accesses and use-after-free.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter
  • 100% upvoted

C2Rust

C2Rust helps you migrate C99-compliant code to Rust. The translator (or transpiler) produces unsafe Rust code that closely mirrors the input C code.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter
  • 50% upvoted

cargo-breaking

cargo-breaking compares a crate's public API between two different branches, shows what changed, and suggests the next version according to semver.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter
  • 0% upvoted

cargo-call-stack

Whole program static stack analysis The tool produces the full call graph of a program as a dot file.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter
  • 0% upvoted

cargo-geiger

A cargo plugin for analysing the usage of unsafe Rust code Provides statistical output to aid security auditing

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter
  • 0% upvoted

cargo-show-asm

cargo subcommand showing the assembly, LLVM-IR and MIR generated for Rust code

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter
  • 0% upvoted

herbie

Adds warnings or errors to your crate when using a numerically unstable floating point expression.

  • DeprecatedDeprecated
  • DeprecatedRust
  • Deprecatedcli
  • Deprecatedlinter
  • 50% upvoted

linter-rust

Linting your Rust-files in Atom, using rustc and cargo.

  • DeprecatedDeprecated
  • DeprecatedRust
  • Deprecatedcli
  • Deprecatedlinter
  • 50% upvoted

rust-audit

Audit Rust binaries for known bugs or security vulnerabilities. This works by embedding data about the dependency tree (Cargo.lock) in JSON format into a dedicated linker section of the compiled executable.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter
  • 50% upvoted

warnalyzer

Show unused code from multi-crate Rust projects

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter
  • 0% upvoted

cargo-careful

Execute Rust code carefully, with extra checking along the way. It builds the standard library with debug assertions. Here are some of the checks this enables:

  • get_unchecked in slices performs bounds checks * copy, copy_nonoverlapping, and write_bytes check that pointers are aligned and non-null and (if applicable) non-overlapping {NonNull,NonZero*,...}::new_unchecked check that the value is valid * plenty of internal consistency checks in the collection types * mem::zeroed and the deprecated mem::uninitialized panic if the type does not allow that kind of initialization
  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter
  • 0% upvoted

puffin

Instrumentation profiler for Rust.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter
  • 0% upvoted

rust-san

How-to sanitize your Rust code with built-in Rust dynamic analyzers

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter
  • 0% upvoted

stuck

provides a visualization for quickly identifying common bottlenecks in running, asynchronous, and concurrent applications.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter
  • 0% upvoted

20 Multi-Language Tools

Mega-Linter

Mega-Linter can handle any type of project thanks to its 70+ embedded Linters, its advanced reporting, runnable on any CI system or locally, with assisted installation and configuration, able to apply formatting and fixes

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter
  • 67% upvoted

Sonatype

Reports known vulnerabilities in common dependencies and recommends updated packages to minimize breaking changes

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedservice
  • Maintainedlinter
  • 72% upvoted

ThreatMapper

Vulnerability Scanner and Risk Evaluation for containers, serverless and hosts at runtime. ThreatMapper generates runtime BOMs from dependencies and operating system packages, matches against multiple threat feeds, scans for unprotected secrets, and scores issues based on severity and risk-of-exploit.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedservice
  • Maintainedlinter
  • 83% upvoted

Sigrid

Sigrid helps you to improve your software by measuring your system's code quality, and then compares the results against a benchmark of thousands of industry systems to give you concrete advice on areas where you can improve.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • MaintainedcliMaintainedservice
  • Maintainedlinter
  • 92% upvoted

trunk

Modern repositories include many technologies, each with its own set of linters. With 30+ linters and counting, Trunk makes it dead-simple to identify, install, configure, and run the right linters, static analyzers, and formatters for all your repos.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • MaintainedlinterMaintainedformatter
  • 77% upvoted

DerScanner

Multi-language Static Application Security Testing (SAST) platform that detects critical vulnerabilities, including hardcoded secrets, weak cryptography, backdoors, SQL injections, insecure configurations, etc.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • MaintainedcliMaintainedservice
  • Maintainedlinter
  • 100% upvoted

callGraph

Statically generates a call graph image and displays it on screen.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter
  • 73% upvoted

trivy

A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI. Trivy detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.). Checks containers and filesystems.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter
  • 83% upvoted

Corrode

Semi-automatic translation from C to Rust. Could reveal bugs in the original implementation by showing Rust compiler warnings and errors. Superseded by C2Rust.

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedlinter
  • 0% upvoted

lizard

Lizard is an extensible Cyclomatic Complexity Analyzer for many programming languages including C/C++ (doesn't require all the header files or Java imports). It also does copy-paste detection (code clone detection/code duplicate detection) and many other forms of static code analysis. Counts lines of code without comments, CCN (cyclomatic complexity number), token count of functions, parameter count of functions.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter
  • 50% upvoted

allocscope

allocscope is a tool for tracking down where the most egregiously large allocations are occurring in a C, C++ or Rust codebase. It is particularly intendend to be useful for developers who want to get a handle on excessive allocations and are working in a large codebase with multiple contributors with allocations occuring in many modules or libraries.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter
  • 0% upvoted

bytehound

A memory profiler for Linux. Can be used to analyze memory leaks, see where exactly the memory is being consumed, identify temporary allocations and investigate excessive memory fragmentation.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter
  • 0% upvoted

Sydr

Continuous Hybrid Fuzzing and Dynamic Analysis for Security Development Lifecycle.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • MaintainedlinterMaintainedfuzzer
  • 50% upvoted

CodeSee

CodeSee is mapping and automating your app's services, directories, file dependencies, and code changes. It's like Google Map, but for code.t

  • MaintainedMaintained
  • MaintainedMulti-Language
  • MaintainedserviceMaintainedide-plugin
  • Maintainedlinter
  • 33% upvoted

pfff

Facebook's tools for code analysis, visualizations, or style-preserving source transformation for many languages.

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedformatter
  • 43% upvoted

todocheck

Linter for integrating annotated TODOs with your issue trackers

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter
  • 44% upvoted

CASR

Crash Analysis and Severity Report.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter
  • 43% upvoted

autocorrect

A linter and formatter to help you to improve copywriting, correct spaces, words, punctuations between CJK (Chinese, Japanese, Korean).

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • MaintainedlinterMaintainedformatter
  • 0% upvoted

StaticReviewer

Static Reviewer executes code checks according to the most relevant Secure Coding Standards, OWASP, CWE, CVE, CVSS, MISRA, CERT, for 40+ programming languages, using 1000+ built-in validation rules for Security, Deadcode & Best Practices Available a module for Software Composition Analysis (SCA) to find vulnerabilities in open source and third party libraries.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter
  • 36% upvoted

ShiftLeft Scan

Scan is a free open-source DevSecOps platform for detecting security issues in source code and dependencies. It supports a broad range of languages and CI/CD pipelines.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • MaintainedcliMaintainedservice
  • Maintainedlinter
  • 36% upvoted

Frequently Asked Questions

What are Rust tools?

Rust is a multi-paradigm programming language focused on performance and safety, especially safe concurrency. Rust is syntactically similar to C++, and provides memory safety without using garbage collection. Rust was originally designed by Graydon Hoare at Mozilla Research, with contributions from Dave Herman, Brendan Eich, and others. The designers refined the language while writing the Servo layout or browser engine, and the Rust compiler. It has gained increasing use in industry, and Microsoft has been experimenting with the language for secure and safety-critical software components. Rust has been named the "most loved programming language" in the Stack Overflow Developer Survey every year since 2016.

What are the best Rust static analysis tools and linters?

The most popular Rust tools ranked by user votes are: Mega-Linter, clippy, Sonatype, rust-analyzer, cargo-audit.

Which Rust tools are free to use?

Tools with a free plan include trunk, CodeSee. On top of that, there are also a number of open source like Mega-Linter, clippy, Sonatype, rust-analyzer, cargo-audit, ThreatMapper, rustfmt, trunk, cargo-bloat, MIRAI.

Related Tags

Our Sponsors

This website is completely open source. To fund our work, we fully rely on sponsors. Thanks to them, we can keep the site free for everybody. Please check out their offers below.

  • BugProve
  • Pixee
  • semgrep
  • Offensive 360
  • BetterScan