cargo-call-stack
Whole program static stack analysis The tool produces the full call graph of a program as a dot file.
Tutorials / Guides
36 Alternatives for cargo-call-stack
cargo-audit
Audit Cargo.lock for crates with security vulnerabilities reported to the RustSec Advisory Database.
cargo-bloat
Find out what takes most of the space in your executable. supports ELF (Linux, BSD), Mach-O (macOS) and PE (Windows) binaries.
cargo-breaking
cargo-breaking compares a crate's public API between two different branches, shows what changed, and suggests the next version according to semver.
cargo-deny
A cargo plugin for linting your dependencies. It can be used either as a command line too, a Rust crate, or a Github action for CI. It checks for valid license information, duplicate crates, security vulnerabilities, and more.
cargo-expand
Cargo subcommand to show result of macro expansion and #[derive] expansion applied to the current crate. This is a wrapper around a more verbose compiler command.
cargo-geiger
A cargo plugin for analysing the usage of unsafe Rust code Provides statistical output to aid security auditing
cargo-inspect
Inspect Rust code without syntactic sugar to see what the compiler does behind the curtains.
cargo-semver-checks
Scan your Rust crate releases for semver violations. It can be used either directly via the CLI, as a GitHub Action in CI, or via release managers like release-plz
. It found semver violations in more than 1 in 6 of the top 1000 most-downloaded crates on crates.io.
cargo-show-asm
cargo subcommand showing the assembly, LLVM-IR and MIR generated for Rust code
cargo-spellcheck
Checks all your documentation for spelling and grammar mistakes with hunspell (ready) and languagetool (preview)
cargo udeps
Find unused dependencies in Cargo.toml. It either prints out a "unused crates" line listing the crates, or it prints out a line saying that no crates were unused.
cargo-unused-features
Find potential unused enabled feature flags and prune them. You can generate a simple HTML report from the json to make it easier to inspect results. It removes a feature of a dependency and then compiles the project to see if it still compiles. If it does, the feature flag can possibly be removed, but it can be a false-positive.
electrolysis
A tool for formally verifying Rust programs by transpiling them into definitions in the Lean theorem prover.
kani
The Kani Rust Verifier is a bit-precise model checker for Rust. Kani is particularly useful for verifying unsafe code blocks in Rust, where the "unsafe superpowers" are unchecked by the compiler. Kani verifies:
- Memory safety (e.g., null pointer dereferences)
- User-specified assertions (i.e., assert!(...))
- The absence of panics (e.g., unwrap() on None values)
- The absence of some types of unexpected behavior (e.g., arithmetic overflows)
rust-audit
Audit Rust binaries for known bugs or security vulnerabilities. This works by embedding data about the dependency tree (Cargo.lock) in JSON format into a dedicated linker section of the compiled executable.
RustViz
RustViz is a tool that generates visualizations from simple Rust programs to assist users in better understanding the Rust Lifetime and Borrowing mechanism. It generates SVG files with graphical indicators that integrate with mdbook to render visualizations of data-flow in Rust programs.
cargo-careful
Execute Rust code carefully, with extra checking along the way. It builds the standard library with debug assertions. Here are some of the checks this enables:
get_unchecked
in slices performs bounds checks *copy
,copy_nonoverlapping
, andwrite_bytes
check that pointers are aligned and non-null and (if applicable) non-overlapping{NonNull,NonZero*,...}::new_unchecked
check that the value is valid * plenty of internal consistency checks in the collection types * mem::zeroed and the deprecated mem::uninitialized panic if the type does not allow that kind of initialization
16 Multi-Language Tools
autocorrect
A linter and formatter to help you to improve copywriting, correct spaces, words, punctuations between CJK (Chinese, Japanese, Korean).
lizard
Lizard is an extensible Cyclomatic Complexity Analyzer for many programming languages including C/C++ (doesn't require all the header files or Java imports). It also does copy-paste detection (code clone detection/code duplicate detection) and many other forms of static code analysis. Counts lines of code without comments, CCN (cyclomatic complexity number), token count of functions, parameter count of functions.
Mega-Linter
Mega-Linter can handle any type of project thanks to its 70+ embedded Linters, its advanced reporting, runnable on any CI system or locally, with assisted installation and configuration, able to apply formatting and fixes
StaticReviewer
Static Reviewer executes code checks according to the most relevant Secure Coding Standards, OWASP, CWE, CVE, CVSS, MISRA, CERT, for 40+ programming languages, using 1000+ built-in validation rules for Security, Deadcode & Best Practices Available a module for Software Composition Analysis (SCA) to find vulnerabilities in open source and third party libraries.
trivy
A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI. Trivy detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.). Checks containers and filesystems.
allocscope
allocscope is a tool for tracking down where the most egregiously large allocations are occurring in a C, C++ or Rust codebase. It is particularly intendend to be useful for developers who want to get a handle on excessive allocations and are working in a large codebase with multiple contributors with allocations occuring in many modules or libraries.
Help make this list better
Suggest Tools