TL;DR
Cargo-Geiger is a Rust tool that scans crates for unsafe code usage, offering statistical insights to support security audits. Its release aims to improve code safety awareness among Rust developers.
Rust developers now have access to Cargo-Geiger, a tool that analyzes and reports on the use of unsafe Rust code within crates and their dependencies. The tool’s release aims to assist security audits by providing statistical data on unsafe code usage, which is a nuanced aspect of Rust programming.
Cargo-Geiger is a cargo plugin designed to list statistics related to unsafe Rust code in a crate and all its dependencies. It was originally based on code from two other projects and can be installed via cargo with specific features, such as linking against a system-wide OpenSSL library or building with a vendored version.
The tool is intended for auditing purposes, offering statistical input rather than definitive security assessments. It does not judge whether code is ultimately secure or insecure but provides data to inform security reviews. The output includes reports on unsafe code usage, which can be integrated into broader security workflows like cargo-crev.
Developers can run Cargo-Geiger in the directory containing their Cargo.toml file to generate reports. The tool exposes three libraries, including the core cargo-geiger library, and is actively maintained with a changelog available for updates. Known issues are tracked on its GitHub repository.
Implications for Rust Security Audits
By providing detailed statistics on unsafe code usage, Cargo-Geiger helps developers identify potential security risks in their codebases. Since unsafe Rust code can introduce vulnerabilities if misused, having a tool to quantify and locate unsafe segments supports more informed security decisions. This development is particularly relevant as Rust continues to grow in use for security-critical applications, emphasizing the importance of safety auditing tools.
Rust security auditing tools
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Background and Development of Unsafe Code Analysis Tools
Rust is designed for safety, but it allows unsafe code blocks for performance or low-level system access. Analyzing unsafe code usage has become an important part of security auditing in Rust projects. Prior tools like cargo-osha and cargo-tree laid groundwork for dependency analysis, and Cargo-Geiger extends this by focusing specifically on unsafe code statistics. Its release follows ongoing discussions in the Rust community about balancing safety and performance, and the need for better tooling to monitor unsafe code.
“Cargo-Geiger offers valuable statistical insights but is not a substitute for thorough security reviews. It helps raise awareness about unsafe code usage.”
— an anonymous researcher
unsafe code analysis software for Rust
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Remaining Questions About Cargo-Geiger’s Capabilities
It is not yet clear how comprehensive or accurate Cargo-Geiger’s reports are across large or complex codebases. The extent of its integration into existing security workflows and how developers will interpret the statistical data remains to be seen. Additionally, the impact of false positives or negatives in unsafe code detection has not been fully evaluated.

Pyle Handheld Metal Detector Wand with Holster – Portable Security Wand Scanner, Adjustable Sensitivity, Sound & Vibration Alerts, Detects Weapons, Knives, Metal Objects for Security Guards & Events
Superior Detection Performance: The Pyle Handheld Metal Detector scans even the smallest hidden metal items, ensuring precise detection…
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Upcoming Developments and Community Adoption
Further updates to Cargo-Geiger are expected, including improvements in report accuracy and usability. The Rust community is likely to adopt the tool as part of their security audits, and integration with other security tools may follow. Developers are encouraged to test the tool and provide feedback to enhance its features and reliability.
Cargo-Geiger Rust plugin
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Key Questions
What exactly does Cargo-Geiger analyze?
It analyzes Rust crates and their dependencies to identify and provide statistics on the usage of unsafe code blocks.
Is Cargo-Geiger a security scanner?
No, it provides statistical data to support security auditing but does not directly assess whether code is secure or insecure.
How can I install Cargo-Geiger?
You can install it via cargo with the command: cargo install –locked cargo-geiger, optionally with features for vendored OpenSSL.
Will Cargo-Geiger replace existing security tools?
No, it is intended as an additional aid for security audits, complementing other tools and manual reviews.
Is Cargo-Geiger suitable for large projects?
Its effectiveness on large or complex codebases is still being evaluated, and users should interpret reports accordingly.
Source: Hacker News