sast-cargo-audit


SAST Scan with cargo-audit & cargo-geiger (Rust)

You are a security engineer running static analysis on a Rust project with cargo-audit (which checks the crates pinned in `Cargo.lock` against the RustSec Advisory Database for known vulnerabilities and unmaintained, unsound or yanked releases) and cargo-geiger (which counts `unsafe` usage in every crate of the dependency tree).

When to use

Use this skill when asked to perform a SAST scan or security review on a Rust project.

Prerequisites

- cargo-audit installed: `cargo install cargo-audit --locked` (add `--features=fix` if you want the `cargo audit fix` subcommand, which is feature-gated at install time)
- cargo-geiger installed: `cargo install cargo-geiger --locked`
- Verify: `cargo audit --version` and `cargo geiger --version`
- cargo-audit works from the project's `Cargo.lock`, and fetching the advisory database needs network access unless you pass `--no-fetch` and already have a synced local copy

Instructions

Dependency Vulnerability Audit

  1. Run cargo-audit:
     ```bash
     cargo audit --json > cargo-audit-results.json
     ```
     - Fix automatically (requires the `fix` feature; it rewrites version requirements in `Cargo.toml`, so review the resulting diff): `cargo audit fix`
     - Treat warnings (unmaintained, unsound, yanked crates) as errors, so the run exits non-zero on them as well as on vulnerabilities: `cargo audit --deny warnings`
  2. Parse the results. Each vulnerability entry carries the advisory (ID, title, and a CVSS v3.1 vector where the advisory has one), the installed package version and the patched version range; cargo-audit reports the CVSS vector rather than a severity label, so derive the severity from the base score. For remediation, `cargo update -p <crate>` is enough when a patched release fits the existing semver requirement; otherwise raise the requirement in `Cargo.toml`, and if no patched release exists, plan to replace the crate. Present findings:
| # | Advisory ID | Severity | Crate | Installed | Patched | Description | Remediation |
|---|-------------|----------|-------|-----------|---------|-------------|-------------|

Unsafe Code Detection

  1. Run cargo-geiger:
     ```bash
     cargo geiger --output-format Json > cargo-geiger-results.json
     ```
     cargo-geiger counts `unsafe` usage per crate in the dependency tree as resolved for the current build (features and target). A high count marks a crate that needs review; it is not a vulnerability finding by itself.
  2. Parse the results. cargo-geiger reports, per crate, unsafe functions, expressions, impls, traits and methods, split into code that is used by this build and code that is present but unused. Present the unsafe usage summary for the used code:
| Crate | Unsafe Functions | Unsafe Expressions | Unsafe Impls | Unsafe Traits | Unsafe Methods |
|-------|-----------------|-------------------|--------------|---------------|----------------|
  3. Summarize. Provide:
     - Total vulnerabilities found and their severities
     - Unsafe code hotspots requiring manual review: crates with unsafe code used by the build that do not forbid unsafe code themselves
     - Upgrade recommendations for vulnerable dependencies
     - Whether the crate root (`lib.rs` or `main.rs`) carries `#![forbid(unsafe_code)]`. It must be the inner-attribute form `#![...]` to apply crate-wide, and `forbid` is stronger than `deny` because `deny` can be overridden locally with `#[allow(unsafe_code)]`.
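As an added worked example for the unsafe-code step and the `#![forbid(unsafe_code)]` check in the summary (not part of the original skill and not code from cargo-geiger), the script below ranks crates by the unsafe code used in the build, lists the review hotspots, renders the table above, and checks a crate root for the inner `forbid` attribute. The embedded report is constructed for this example with fictitious crates and counts; it mirrors the per-crate metrics cargo-geiger prints (functions, expressions, impls, traits, methods as safe/unsafe pairs, used versus unused, plus a forbids-unsafe flag), but the exact JSON key names used here are an assumption and must be compared with a real `cargo geiger --output-format Json` report before the script is trusted on one.

```python
import json
import re


def _metrics(functions, exprs, item_impls, item_traits, methods):
    """Build one safe/unsafe metrics block from (safe, unsafe) pairs for the sample report."""
    pairs = {"functions": functions, "exprs": exprs, "item_impls": item_impls,
             "item_traits": item_traits, "methods": methods}
    return {name: {"safe": safe, "unsafe_": unsafe} for name, (safe, unsafe) in pairs.items()}


# Constructed sample: fictitious crates and counts. The key names (packages[].package.id,
# unsafety.used / unsafety.unused per category, forbids_unsafe) are an assumption for
# this example; check them against a real cargo-geiger JSON report.
SAMPLE_GEIGER = json.dumps({"packages": [
    {"package": {"id": {"name": "my-service", "version": "0.1.0"}},
     "unsafety": {"used": _metrics((40, 0), (910, 0), (3, 0), (1, 0), (22, 0)),
                  "unused": _metrics((0, 0), (0, 0), (0, 0), (0, 0), (0, 0)),
                  "forbids_unsafe": True}},
    {"package": {"id": {"name": "example-ffi", "version": "2.3.1"}},
     "unsafety": {"used": _metrics((12, 9), (300, 57), (4, 2), (0, 1), (30, 14)),
                  "unused": _metrics((5, 3), (80, 12), (0, 0), (0, 0), (6, 2)),
                  "forbids_unsafe": False}},
    {"package": {"id": {"name": "example-util", "version": "0.9.4"}},
     "unsafety": {"used": _metrics((25, 0), (410, 2), (2, 0), (0, 0), (18, 0)),
                  "unused": _metrics((3, 1), (44, 6), (0, 0), (0, 0), (2, 0)),
                  "forbids_unsafe": False}},
]})

CATEGORIES = ("functions", "exprs", "item_impls", "item_traits", "methods")


def unsafe_summary(report_json: str, include_unused: bool = False) -> list[dict]:
    """One row per crate with unsafe counts per category, most unsafe first.
    Only code used by this build is counted unless include_unused is set."""
    sections = ("used", "unused") if include_unused else ("used",)
    rows = []
    for entry in json.loads(report_json)["packages"]:
        ident, unsafety = entry["package"]["id"], entry["unsafety"]
        counts = {cat: sum(unsafety.get(sec, {}).get(cat, {}).get("unsafe_", 0) for sec in sections)
                  for cat in CATEGORIES}
        rows.append({"crate": f"{ident['name']} {ident['version']}", **counts,
                     "total": sum(counts.values()),
                     "forbids_unsafe": bool(unsafety.get("forbids_unsafe", False))})
    rows.sort(key=lambda r: (-r["total"], r["crate"]))
    return rows


def hotspots(rows: list[dict]) -> list[str]:
    """Crates whose used unsafe code is non-zero and that do not forbid unsafe: the manual-review queue."""
    return [r["crate"] for r in rows if r["total"] > 0 and not r["forbids_unsafe"]]


# Inner attribute at the start of a line in the crate root; an outer #[forbid] on one item,
# or #![deny(unsafe_code)] (overridable with #[allow]), deliberately does not match.
FORBID_UNSAFE_RE = re.compile(r"^\s*#!\[\s*forbid\s*\(\s*unsafe_code\s*\)\s*\]", re.MULTILINE)


def crate_root_forbids_unsafe(source: str) -> bool:
    """True if lib.rs / main.rs source text carries #![forbid(unsafe_code)] crate-wide."""
    return FORBID_UNSAFE_RE.search(source) is not None


def render_markdown(rows: list[dict]) -> str:
    """Render the unsafe-usage table in the skill's column order, plus the forbid flag."""
    lines = ["| Crate | Unsafe Functions | Unsafe Expressions | Unsafe Impls | Unsafe Traits "
             "| Unsafe Methods | forbid(unsafe_code) |", "|---|---|---|---|---|---|---|"]
    for r in rows:
        lines.append(f"| {r['crate']} | {r['functions']} | {r['exprs']} | {r['item_impls']} | "
                     f"{r['item_traits']} | {r['methods']} | {'yes' if r['forbids_unsafe'] else 'no'} |")
    return "\n".join(lines)


if __name__ == "__main__":
    summary = unsafe_summary(SAMPLE_GEIGER)
    print(render_markdown(summary))
    print("hotspots:", hotspots(summary))
    print("root forbids unsafe:", crate_root_forbids_unsafe("#![forbid(unsafe_code)]\npub fn f() {}\n"))
```

The hotspot list is built from used counts only, because unsafe code that the build never compiles in is not reachable from this binary; pass `include_unused=True` when you want the full picture of what a crate contains. The `forbid` check requires the `#![...]` inner form and intentionally rejects `#![deny(unsafe_code)]`, since `deny` can be re-allowed inside a module while `forbid` cannot.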