best-of

Rust Static Code Analysis Tools: 12 Best for 2026

The best Rust static code analysis tools - Clippy, cargo-audit, Miri, Semgrep, SonarQube. Covers linting, unsafe code, panics, and supply-chain security.

Published:

Last Updated:

Why Rust static analysis matters

Rust’s reputation rests on the borrow checker - the compile-time system that eliminates use-after-free, double-free, and data races without a garbage collector. That safety is real, and it removes whole categories of bugs before a program ever runs. But it creates a dangerous assumption: that a Rust program which compiles is therefore correct and secure.

It is not. The borrow checker reasons about ownership and lifetimes. It says nothing about whether your logic is right, whether a slice index will panic at runtime, whether an arithmetic operation overflows in release mode, whether you reached for a clone when a borrow would do, or whether the crate you pulled in last week has a published CVE. Those are exactly the gaps that static analysis fills.

Five categories of problems sit outside the borrow checker’s reach:

  • Logic and correctness bugs. Off-by-one errors, inverted conditions, redundant comparisons, and misuse of Option and Result all compile cleanly. Clippy’s correctness lints flag many of them.
  • Panics and runtime aborts. unwrap(), expect(), panic!, array indexing, and integer division can all abort a running process. A type system cannot tell you which unwrap will fire in production.
  • Unsafe blocks. The moment you write unsafe, you opt out of the borrow checker’s guarantees. Raw pointers, FFI boundaries, and manual memory management reintroduce exactly the undefined behavior Rust is famous for preventing.
  • Supply-chain risk. A typical crate pulls in dozens of transitive dependencies from crates.io. Any one of them can carry a known vulnerability or unmaintained advisory, and Cargo will happily build it.
  • Unidiomatic code. Non-idiomatic Rust is slower to read, harder to maintain, and often slower to run. Static analysis enforces the conventions that make Rust code recognizably Rust.

The good news is that Rust has an unusually strong, mostly free static analysis ecosystem, much of it maintained by the Rust project itself. The tools below cover linting, formatting, security, unsafe-code auditing, and platform-scale review.

Comparison table

ToolTypePricingBest for
ClippyLinterFree, open sourceThe default 700+ lint baseline every project needs
rustfmtFormatterFree, open sourceConsistent, non-negotiable formatting
rust-analyzerLSP diagnosticsFree, open sourceReal-time editor feedback while you type
cargo-auditDependency CVE scannerFree, open sourceCatching known vulnerabilities in crates
cargo-denyPolicy / supply chainFree, open sourceLicenses, bans, advisories, duplicate versions
cargo-geigerUnsafe usage counterFree, open sourceAuditing unsafe surface area in your dep tree
MiriUB detectorFree, open sourceFinding undefined behavior in unsafe code
SemgrepPattern SASTFree tier, paid plansCustom security rules across many repos
SonarQubeQuality / security platformFree CE, paid editionsDashboards, quality gates, central reporting
CodeRabbitAI code reviewFree tier, paid plansContext-aware pull request review

Pricing for the commercial tools changes regularly, so confirm current figures on each vendor’s site before budgeting.

1. Clippy

Clippy is the de facto standard Rust linter and the single most important tool on this list. It is maintained by the Rust project, ships with the standard toolchain through rustup, and runs with a single command: cargo clippy. There is nothing to install and nothing to pay for.

Key features: More than 700 lints grouped into correctness, suspicious, style, complexity, performance, pedantic, nursery, and cargo categories. The correctness group flags genuine bugs - things like comparing a value to itself or using a hashed collection where ordering is needed. Performance lints catch needless allocations and clones. You can tune severity per lint with #[allow], #[warn], and #[deny] attributes or a clippy.toml, and enforce a clean build in CI with cargo clippy -- -D warnings.

Pricing: Free and open source.

When to use it: Always. Every Rust project, from a hobby crate to a production service, should run Clippy in CI with warnings denied. It is the baseline that the rest of your stack builds on.

2. rustfmt

rustfmt is the official Rust formatter. Like Clippy, it ships with the toolchain and runs through cargo as cargo fmt. Formatting is not strictly static analysis, but a consistent style is what makes the output of every other tool readable and keeps diffs focused on real changes.

Key features: Deterministic formatting driven by a rustfmt.toml config, a --check mode that fails CI when code is not formatted, and editor integration that formats on save. Because the whole community uses it, rustfmt removes style debates entirely.

Pricing: Free and open source.

When to use it: On every project, enforced in CI with cargo fmt --check. It is the cheapest quality win available.

3. rust-analyzer

rust-analyzer is the official Language Server Protocol implementation for Rust. It powers the Rust experience in VS Code, Neovim, and most other editors, surfacing diagnostics, type information, and quick fixes as you type rather than waiting for a CI run.

Key features: Real-time error and warning diagnostics, inline type hints, macro expansion, go-to-definition, and Clippy integration on save. Catching mistakes in the editor shortens the feedback loop dramatically and reduces the number of issues that ever reach review.

Pricing: Free and open source.

When to use it: Install it in every developer’s editor. It is the front line of static analysis - the issues it catches never become commits.

4. cargo-audit

cargo-audit is the security workhorse of the Rust ecosystem. It scans your Cargo.lock against the RustSec Advisory Database, a community-maintained registry of known vulnerabilities and unmaintained-crate warnings, and reports any affected dependencies.

Key features: Fast lockfile scanning, advisory data covering CVEs and unsoundness reports, warnings for yanked crates, and a non-zero exit code for CI gating. Because it reads the lockfile rather than building the project, a scan completes in seconds.

Pricing: Free and open source, maintained by the Rust Secure Code Working Group.

When to use it: In CI on every project that has dependencies, which is effectively all of them. Pair it with a scheduled run so newly published advisories surface even when your code has not changed.

5. cargo-deny

cargo-deny extends supply-chain control beyond vulnerabilities into policy. It uses the same RustSec advisory data as cargo-audit but adds configurable checks for licenses, banned or duplicate crates, and untrusted sources.

Key features: Four check categories - advisories, licenses, bans, and sources - all driven by a deny.toml. You can block copyleft licenses, forbid specific crates, flag multiple versions of the same dependency, and restrict where crates may come from. It is the tool of choice when legal and compliance requirements enter the picture.

Pricing: Free and open source.

When to use it: On teams with license obligations, large dependency trees, or a need to enforce a curated crate allowlist. It is a superset of cargo-audit’s advisory checking with policy controls layered on top.

6. cargo-geiger

cargo-geiger answers one specific, important question: how much unsafe code is in this project and its dependencies? It walks the dependency tree and counts uses of the unsafe keyword, giving you a quantified view of where the borrow checker’s guarantees are being set aside.

Key features: Per-crate counts of unsafe functions, expressions, and trait implementations, with a radiation-themed report that makes the risky areas obvious at a glance. It does not prove that unsafe code is wrong - it tells you where to focus an audit.

Pricing: Free and open source.

When to use it: When evaluating a new dependency, auditing the unsafe surface of an existing project, or setting a policy that limits unsafe usage. It complements Miri, which analyzes whether that unsafe code is actually sound.

7. Miri

Miri is an interpreter for Rust’s mid-level intermediate representation, and it is the deepest tool available for finding undefined behavior. Where cargo-geiger counts unsafe blocks, Miri actually executes your code and detects whether those blocks violate Rust’s rules.

Key features: Detection of out-of-bounds memory access, use of dangling or misaligned pointers, invalid use of uninitialized memory, data races, and violations of Rust’s aliasing model. You run it against your test suite with cargo miri test, so it exercises real code paths. The tradeoff is speed - interpretation is far slower than native execution.

Pricing: Free and open source, distributed as a rustup component.

When to use it: Any project that contains unsafe code, FFI, or custom data structures with raw pointers. Run it in CI on your test suite, accepting that it runs slower than a normal test pass.

8. Semgrep

Semgrep is a fast, pattern-based static analysis engine that supports Rust among many languages. Its strength is custom rules: you write patterns that look like the code you want to find, and Semgrep matches them across an entire codebase or fleet of repositories.

Key features: Lightweight syntactic and semantic pattern matching, a rule syntax that mirrors real Rust code, and centralized policy enforcement across many projects at once. It is well suited to encoding organization-specific security and style requirements that Clippy does not cover - for example, banning a particular API or enforcing an internal crypto wrapper.

Pricing: Open-source CLI is free; the managed Semgrep platform has paid tiers. Confirm current pricing on Semgrep’s site.

When to use it: When you need custom, organization-wide rules layered on top of Clippy, especially across a large number of Rust services.

9. SonarQube

SonarQube added Rust analysis to its quality and security platform, bringing dashboards, historical trends, and quality gates to Rust codebases. It is designed for organizations that want centralized visibility across many projects and languages rather than per-developer command-line tools.

Key features: Rust rules covering bugs, code smells, and security issues, Clippy result import, quality gates that can block a merge or release, and trend tracking over time. It fits naturally into teams that already run SonarQube for other languages and want Rust held to the same reporting standard.

Pricing: Free Community Edition; Developer, Enterprise, and Data Center editions are paid. SonarCloud offers a hosted option. Check current pricing before committing.

When to use it: Larger organizations that need centralized dashboards, quality gates, and multi-language consistency rather than just local linting.

10. CodeRabbit

CodeRabbit is an AI-powered code review tool that supports Rust at the pull request level. Where Clippy and Semgrep match fixed patterns, an AI reviewer reasons about the intent and context of a change, which lets it surface issues that rule-based tools structurally cannot - subtle logic problems, unclear error handling, or a change that contradicts a comment.

Key features: Context-aware review comments on pull requests, awareness of the surrounding codebase, natural-language explanations, and the ability to follow up in conversation. It complements deterministic tools rather than replacing them, adding a layer of judgment on top of the lint baseline.

Pricing: Free tier for open source and small teams, with paid plans for larger organizations. Verify current pricing on CodeRabbit’s site.

When to use it: As a reviewer of pull requests alongside Clippy and cargo-audit, especially when you want feedback on intent and design rather than only mechanical rule violations.

The Rust ecosystem makes a strong free baseline easy to assemble, so most teams should start there and add commercial tools only when scale demands them.

Every project, no exceptions:

  • rustfmt enforced in CI with cargo fmt --check
  • Clippy in CI with cargo clippy -- -D warnings
  • rust-analyzer in every developer’s editor

Any project with dependencies (effectively all of them):

  • cargo-audit in CI, plus a scheduled run to catch new advisories
  • cargo-deny if you have license or policy requirements

Any project with unsafe code, FFI, or raw pointers:

  • cargo-geiger to measure the unsafe surface area
  • Miri running against your test suite to detect undefined behavior

At organization scale:

  • SonarQube for centralized dashboards and quality gates, or Semgrep for custom cross-repository rules
  • An AI reviewer such as CodeRabbit for context-aware pull request feedback

The pattern is consistent: the free, Rust-native tools form the foundation, and the commercial platforms add centralized reporting, custom policy, and review-level judgment on top. A small team can get excellent coverage for nothing; a large one layers paid tooling onto the same base. The mistake to avoid is assuming the borrow checker has already done the job. It has done one important part of it - the rest is up to the tools above.

Further reading

Frequently Asked Questions

Does Rust need static analysis if it already has a borrow checker?

Yes. The borrow checker eliminates whole classes of memory-safety bugs at compile time, but it says nothing about logic errors, panics, unidiomatic code, integer overflow, denial-of-service patterns, or vulnerable dependencies. Clippy catches over 700 categories of correctness, style, and performance issues that the compiler permits. Tools like cargo-audit and Miri cover supply-chain CVEs and undefined behavior in unsafe blocks that the borrow checker cannot reach.

What is the best static analysis tool for Rust?

Clippy is the de facto standard. It ships with the official toolchain via rustup, runs through cargo as cargo clippy, and provides more than 700 lints maintained by the Rust project itself. Every Rust team should run it in CI with warnings denied. Beyond Clippy, most teams add cargo-audit for dependency CVEs and either Miri or cargo-geiger when they work with unsafe code.

How do I scan Rust dependencies for vulnerabilities?

Use cargo-audit, which checks your Cargo.lock against the RustSec Advisory Database, a community-maintained registry of known vulnerabilities in crates. For broader policy control - blocking specific licenses, duplicate versions, or banned crates - cargo-deny wraps the same advisory data with configurable rules. Both run in seconds and integrate cleanly into CI.

Is Clippy free?

Yes. Clippy is open source, maintained by the Rust project, and installed automatically with the standard Rust toolchain. There is no paid tier. The same is true of rustfmt, rust-analyzer, cargo-audit, cargo-deny, cargo-geiger, and Miri - the core Rust static analysis ecosystem is entirely free and open source.

How do I check unsafe Rust code?

Two tools complement each other. cargo-geiger counts and reports the volume of unsafe code in your crate and its dependencies so you can audit the surface area. Miri actually interprets your code and detects undefined behavior such as out-of-bounds access, invalid pointer use, and data races inside unsafe blocks. Run Miri against your test suite to exercise unsafe paths dynamically.

Can SonarQube and Semgrep analyze Rust?

Yes. SonarQube added Rust analysis, importing Clippy results and adding its own quality and security rules with dashboards and quality gates. Semgrep supports Rust for custom pattern-based rules, which is useful for enforcing organization-specific security policies across many repositories. Both complement Clippy rather than replace it.

What does a complete Rust static analysis stack look like?

A strong free baseline is rustfmt for formatting, Clippy with warnings denied for linting, cargo-audit or cargo-deny for dependency CVEs, and Miri for projects with unsafe code, all wired into CI. Larger organizations layer SonarQube or Semgrep for centralized dashboards and custom rules, and an AI reviewer like CodeRabbit for pull-request-level context that pattern matchers miss.

Explore More

Free Newsletter

Stay ahead with AI dev tools

Weekly insights on AI code review, static analysis, and developer productivity. No spam, unsubscribe anytime.

Join developers getting weekly AI tool insights.

Related Articles