
Cargo-Geiger

github.com | 22 points | 5 comments | by tosh | Jun 20, 2026

☢️ Cargo-Geiger: Unsafe Rust Detection


cargo-geiger is a specialized utility designed to scan a Rust crate and its entire dependency tree to identify and quantify the use of unsafe Rust code.

🛠️ Installation Guide

Depending on your environment's OpenSSL configuration, you have three primary ways to install this tool:

Option 1: System OpenSSL

If you already have OpenSSL installed on your system, use:

cargo install --locked cargo-geiger

Option 2: Vendored OpenSSL

To build and statically link OpenSSL directly into the binary, use the vendored-openssl feature:

cargo install --locked cargo-geiger --features vendored-openssl

Option 3: Pre-compiled Binaries

You can bypass the build process by downloading official releases from the GitHub releases page.


🚀 Getting Started

To analyze a project, follow these steps:

  • Open your terminal.
  • cd into the directory containing the Cargo.toml of the target project.
  • Execute the analysis command:

cargo geiger

Example output (screenshot in the original README, not reproduced here)


⚠️ Intended Use & Philosophy

It is crucial to understand that cargo-geiger is a statistical tool, not a security auditor.

Important: This tool does not determine if a piece of code is "secure" or "insecure." Its goal is to provide raw data that can inform a deeper manual audit.

The presence of unsafe code is not inherently a flaw; in many cases it is necessary for performance, FFI, or low-level system access, and the compiler cannot uphold its memory-safety guarantees inside it, which is exactly why it deserves scrutiny. It should be viewed like ionizing radiation (hence the name Geiger Counter): unavoidable in certain contexts, but something to be measured, minimized and carefully contained.

Recommended Auditing Workflow

For a comprehensive safety review, combine cargo-geiger's counts with tools that address what the counts cannot, namely whether the unsafe code has actually been reviewed:

  1. cargo-crev, a distributed code review system for crates.io packages, so you can find out whether someone you trust has audited a dependency's unsafe code.
  2. safety-dance, a community effort to remove or replace unsafe code in widely used crates, and a good place to check whether a dependency's unsafe usage has already been examined.

Educational Resources

To better understand the nuances of unsafe Rust, refer to:

  • Reddit: Discussions on The Stigma around Unsafe.
  • YouTube: Jon Gjengset's talk, Demystifying unsafe code (Rust NYC).
  • Official Guidelines: The Rust-lang WG Unsafe Code Guidelines.

🏗️ Technical Architecture

The project is structured into three distinct libraries:

Library              Stability      Purpose
cargo-geiger         🔴 Unstable    Internal logic for the binary; functions may change without notice.
cargo-geiger-serde   🟢 Stable      Provides serializable types for report generation.
geiger               🟡 Decoupled   General cargo components utilized by the main tool.

Logic Flow (diagram not reproduced on this page)

Risk Calculation (Conceptual)

While the tool only provides counts, one might think of the "unsafe surface area" of a build as the sum of those counts over the $n$ crates in the dependency tree:

$$\text{Total Risk} = \sum_{i=1}^{n} (\text{unsafe blocks in crate}_i)$$

Treat this as a rough proxy, not a score. cargo-geiger reports unsafe functions, expressions, impls, traits and methods as separate columns and distinguishes unsafe code actually used by the build from unsafe code merely present in the crate; collapsing everything into one sum discards that detail and weights a single `unsafe` FFI call the same as a hand-rolled allocator. The more useful question is usually which crates contribute to the sum and whether anyone has reviewed them.
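To make the counting concrete, here is an added example (not code from cargo-geiger or its authors) that does, in a toy way, what the tool does with a real parser: it scans crate sources for `unsafe` items, classifies them, skips occurrences inside comments and string literals that a plain grep would miscount, detects `#![forbid(unsafe_code)]`, sums the counts over a tree as the formula above does, and then applies the kind of policy gate a CI job actually wants, flagging unsafe in crates nobody has reviewed. The three "crates" (`myapp`, `fastbuf`, `ffi-sys`) are constructed inline and are not real packages; the function names `scan_crate`, `scan_tree`, `total_risk` and `offenders` are this example's own. cargo-geiger itself parses with syn rather than scanning text, so char literals and raw strings, which this toy does not handle, are not a problem for the real tool.

```rust
use std::collections::BTreeMap;

/// Per-crate tally of `unsafe` items. cargo-geiger reports functions, expressions,
/// impls, traits and methods separately; this toy folds methods into `functions`.
#[derive(Debug, Default, Clone, PartialEq, Eq)]
pub struct UnsafeTally {
    pub functions: usize, pub blocks: usize, pub impls: usize, pub traits: usize,
    pub forbids_unsafe: bool, // `#![forbid(unsafe_code)]` at the crate root
}

impl UnsafeTally {
    pub fn total(&self) -> usize { self.functions + self.blocks + self.impls + self.traits }
}

/// Blank out `//` comments, nested `/* */` comments and `"..."` literals so the word
/// `unsafe` inside them is not counted (a plain grep would count them). Char literals
/// and raw strings are not handled here; cargo-geiger avoids all this by parsing with syn.
fn strip_comments_and_strings(src: &str) -> String {
    let b = src.as_bytes();
    let mut out = Vec::with_capacity(b.len());
    let blank = |c: u8| if c == b'\n' { b'\n' } else { b' ' }; // keep line structure
    let mut i = 0;
    while i < b.len() {
        if b[i..].starts_with(b"//") {
            while i < b.len() && b[i] != b'\n' { out.push(b' '); i += 1; }
        } else if b[i..].starts_with(b"/*") {
            let mut depth = 0usize;
            while i < b.len() {
                if b[i..].starts_with(b"/*") { depth += 1; out.extend_from_slice(b"  "); i += 2; }
                else if b[i..].starts_with(b"*/") { depth -= 1; out.extend_from_slice(b"  "); i += 2; if depth == 0 { break; } }
                else { out.push(blank(b[i])); i += 1; }
            }
        } else if b[i] == b'"' {
            out.push(b' '); i += 1;
            while i < b.len() && b[i] != b'"' {
                if b[i] == b'\\' && i + 1 < b.len() { out.push(b' '); i += 1; } // escaped char
                out.push(blank(b[i])); i += 1;
            }
            if i < b.len() { out.push(b' '); i += 1; } // closing quote
        } else { out.push(b[i]); i += 1; }
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Classify each `unsafe` keyword by what follows it: `{` is a block, else `fn`,
/// `impl` or `trait`. Other forms (e.g. 2024-edition `unsafe extern`) are ignored.
pub fn scan_crate(src: &str) -> UnsafeTally {
    let stripped = strip_comments_and_strings(src);
    let is_ident = |c: char| c.is_alphanumeric() || c == '_';
    let chars: Vec<char> = stripped.chars().collect();
    let mut t = UnsafeTally::default();
    let mut i = 0;
    while i < chars.len() {
        if !is_ident(chars[i]) { i += 1; continue; }
        let start = i;
        while i < chars.len() && is_ident(chars[i]) { i += 1; }
        if chars[start..i].iter().collect::<String>() != "unsafe" { continue; }
        let mut j = i;
        while j < chars.len() && chars[j].is_whitespace() { j += 1; }
        if chars.get(j) == Some(&'{') { t.blocks += 1; continue; }
        let ks = j;
        while j < chars.len() && is_ident(chars[j]) { j += 1; }
        match chars[ks..j].iter().collect::<String>().as_str() {
            "fn" => t.functions += 1, "impl" => t.impls += 1, "trait" => t.traits += 1, _ => {}
        }
    }
    t.forbids_unsafe = stripped.lines().any(|l| {
        let l: String = l.chars().filter(|c| !c.is_whitespace()).collect();
        l.starts_with("#![forbid(") && l.contains("unsafe_code")
    });
    t
}

/// Scan a whole (constructed) dependency tree given as (crate name, crate source).
pub fn scan_tree(crates: &[(&str, &str)]) -> BTreeMap<String, UnsafeTally> {
    crates.iter().map(|(n, s)| (n.to_string(), scan_crate(s))).collect()
}

/// The page's conceptual "Total Risk": the plain sum of unsafe items over all crates.
pub fn total_risk(report: &BTreeMap<String, UnsafeTally>) -> usize {
    report.values().map(UnsafeTally::total).sum()
}

/// Policy gate: crates that use unsafe and are not on a hand-reviewed allowlist.
pub fn offenders(report: &BTreeMap<String, UnsafeTally>, allow: &[&str]) -> Vec<String> {
    report.iter().filter(|(n, t)| t.total() > 0 && !allow.contains(&n.as_str())).map(|(n, _)| n.clone()).collect()
}

/// Constructed sample sources standing in for three crates; not real crates.io packages.
pub fn sample_tree() -> Vec<(&'static str, &'static str)> {
    vec![
        ("myapp", "#![forbid(unsafe_code)]\nfn main() {\n    let s = \"unsafe in a string\"; // unsafe in a comment\n    println!(\"{}\", s);\n}\n"),
        ("fastbuf", "/* unsafe in a block comment */\npub unsafe fn from_raw(p: *const u8, n: usize) -> &'static [u8] {\n    std::slice::from_raw_parts(p, n)\n}\npub fn first(b: &[u8]) -> u8 { unsafe { *b.get_unchecked(0) } }\n"),
        ("ffi-sys", "pub struct Handle(*mut u8);\nunsafe impl Send for Handle {}\nunsafe trait Zeroable {}\nextern \"C\" { fn c_init() -> i32; }\npub fn init() -> i32 { unsafe { c_init() } }\n"),
    ]
}

fn main() {
    let report = scan_tree(&sample_tree());
    println!("{:<10} {:>3} {:>6} {:>5} {:>6} {:>5}  forbid", "crate", "fn", "blocks", "impls", "traits", "total");
    for (n, t) in &report {
        println!("{:<10} {:>3} {:>6} {:>5} {:>6} {:>5}  {}", n, t.functions, t.blocks, t.impls, t.traits, t.total(), t.forbids_unsafe);
    }
    println!("sum over the tree (the page's Total Risk): {}", total_risk(&report));
    println!("unsafe outside the reviewed allowlist: {:?}", offenders(&report, &["ffi-sys"]));
}
```

Running it tallies `myapp` at zero with `forbids_unsafe` set (the word `unsafe` in its string and comment is correctly ignored), `fastbuf` at one unsafe fn plus one block, and `ffi-sys` at one impl, one trait and one block, for a tree-wide sum of 5. With `ffi-sys` on the allowlist, `fastbuf` is the only crate the gate reports, which is the decision a CI job needs: not "is the sum above some number" but "did an unreviewed crate start using unsafe".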


📊 Repository Metadata

Metric               Value
Latest Version       v0.13.0 (Aug 31, 2025)
Stars                1.6k
Forks                75
Watchers             11
Primary Language     Rust (99.8%)
Secondary Language   Dockerfile (0.2%)
