cargo scan
is a supply chain auditing tool for Cargo (Rust) dependencies using static analysis.
It can also be used in tandem with cargo vet.
cargo scan
is under active development. All interfaces are currently unstable.
Make sure you have Rust, then run make install
.
This installs cargo-download and builds the Rust source. Installation has been tested on Mac OS (Monterey) and Linux (Arch Linux).
To use Cargo Scan you first need a crate. You can either:
- Fetch an existing crate from crates.io:
cargo download -x <crate name>
- Use one of the provided test crates in
data/test-crates
- Provide your own (given the directory to the source files)
To scan a crate, looking for dangerous function calls:
cargo run <path to crate>
Crates can be put anywhere, but are generally placed in data/packages
for our scripting. For example,
cargo run data/packages/num_cpus
cargo run data/test-packages/permissions-ex
To audit a package:
cargo run --bin audit <path to crate> crate.policy
-
Run
cargo test
to run Rust unit tests -
Run
make test
to re-run the tool on all our test packages, whose results are indata/results
and placed under version control to check for any regressions.
You can also run ./scripts/scan.py -h
to see options for running an experiment; this is useful for running a scan on a large list of crates, e.g. the top 100 crates on crates.io or your own provided list. Alternatively, see Makefile
for some pre-defined experiments to run, such as make top10
.