39 Rust Static Analysis Tools
What is Rust?
Rust is a multi-paradigm programming language focused on performance and safety, especially safe concurrency. Rust is syntactically similar to C++, and provides memory safety without using garbage collection.
Rust was originally designed by Graydon Hoare at Mozilla Research, with contributions from Dave Herman, Brendan Eich, and others. The designers refined the language while writing the Servo layout or browser engine, and the Rust compiler. It has gained increasing use in industry, and…
What are the best Rust analysis tools?
Mega-Linter
Mega-Linter can handle any type of project thanks to its 70+ embedded linters and advanced reporting. It runs on any CI system or locally, offers assisted installation and configuration, and can apply formatting and fixes.
- ansible
- apex
- arm
- c
- ci
- clojure
- cloudformation
- coffeescript
- configfile
- configmanagement
- container
- cpp
- css
- csharp
- dart
- dockerfile
- dotenv
- dotnet
- editorconfig
- formatter
- gherkin
- go
- graphql
- groovy
- html
- java
- javascript
- json
- jsonschema
- jsx
- kotlin
- kubernetes
- latex
- lua
- lwc
- markdown
- nodejs
- perl
- php
- powershell
- protobuf
- puppet
- python
- r
- raku
- rst
- ruby
- rust
- scala
- shell
- snakemake
- sql
- terraform
- typescript
- vbnet
- vue
- writing
- xml
- yaml
ThreatMapper
Vulnerability Scanner and Risk Evaluation for containers, serverless and hosts at runtime. ThreatMapper generates runtime BOMs from dependencies and operating system packages, matches against multiple threat feeds, scans for unprotected secrets, and scores issues based on severity and risk-of-exploit.
cargo-audit
Audit Cargo.lock for crates with security vulnerabilities reported to the [RustSec Advisory Database](https://github.com/RustSec/advisory-db/).
rust-analyzer
Supports functionality such as 'goto definition', type inference, symbol search, reformatting, and code completion, and enables renaming and refactorings.
trunk
Modern repositories include many technologies, each with its own set of linters. With 30+ linters and counting, Trunk makes it dead-simple to identify, install, configure, and run the right linters, static analyzers, and formatters for all your repos.
Rust Language Server
Supports functionality such as 'goto definition', symbol search, reformatting, and code completion, and enables renaming and refactorings.
cargo-bloat
Find out what takes most of the space in your executable. Supports ELF (Linux, BSD), Mach-O (macOS) and PE (Windows) binaries.
cargo-spellcheck
Checks all your documentation for spelling and grammar mistakes with hunspell (ready) and languagetool (preview).
cargo-expand
Cargo subcommand to show result of macro expansion and #[derive] expansion applied to the current crate. This is a wrapper around a more verbose compiler command.
cargo-udeps
Find unused dependencies in Cargo.toml. It either prints out an "unused crates" line listing the crates, or it prints out a line saying that no crates were unused.
Prusti
A static verifier for Rust, based on the Viper verification infrastructure. By default Prusti verifies absence of panics by proving that statements such as unreachable!() and panic!() are unreachable.
cargo-inspect
Inspect Rust code without syntactic sugar to see what the compiler does behind the curtains.
dylint
A tool for running Rust lints from dynamic libraries. Dylint makes it easy for developers to maintain their own personal lint collections.
electrolysis
A tool for formally verifying Rust programs by transpiling them into definitions in the Lean theorem prover.
cargo-deny
A cargo plugin for linting your dependencies. It can be used either as a command line tool, a Rust crate, or a GitHub Action for CI. It checks for valid license information, duplicate crates, security vulnerabilities, and more.
rustfix
Read and apply the suggestions made by rustc (and third-party lints, like those offered by clippy).
RustViz
RustViz is a tool that generates visualizations from simple Rust programs to assist users in better understanding the Rust Lifetime and Borrowing mechanism. It generates SVG files with graphical indicators that integrate with mdbook to render visualizations of data-flow in Rust programs.
trivy
A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI. Trivy detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.). Checks containers and filesystems.
cargo-unused-features
Find potentially unused enabled feature flags and prune them. You can generate a simple HTML report from the JSON output to make it easier to inspect results. It removes a feature of a dependency and then compiles the project to see if it still compiles. If it does, the feature flag can possibly be removed, but this can be a false positive.
herbie
Adds warnings or errors to your crate when using a numerically unstable floating point expression.
lizard
Lizard is an extensible Cyclomatic Complexity Analyzer for many programming languages including C/C++ (doesn't require all the header files or Java imports). It also does copy-paste detection (code clone detection/code duplicate detection) and many other forms of static code analysis. Counts lines of code without comments, CCN (cyclomatic complexity number), token count of functions, parameter count of functions.
Rudra
Rust Memory Safety & Undefined Behavior Detection. It is capable of analyzing single Rust packages as well as all the packages on crates.io.
rust-audit
Audit Rust binaries for known bugs or security vulnerabilities. This works by embedding data about the dependency tree (Cargo.lock) in JSON format into a dedicated linker section of the compiled executable.
cargo-breaking
cargo-breaking compares a crate's public API between two different branches, shows what changed, and suggests the next version according to semver.
cargo-show-asm
Cargo subcommand showing the assembly, LLVM-IR and MIR generated for Rust code.
Sigrid
Sigrid helps you to improve your software by measuring your system's code quality, and then compares the results against a benchmark of thousands of industry systems to give you concrete advice on areas where you can improve.
C2Rust
C2Rust helps you migrate C99-compliant code to Rust. The translator (or transpiler) produces unsafe Rust code that closely mirrors the input C code.
Deprecated/unmaintained tools
Corrode
Semi-automatic translation from C to Rust. Could reveal bugs in the original implementation by showing Rust compiler warnings and errors. Superseded by C2Rust.