How to Use cargo-geiger to Find Unsafe Code in Dependencies

Use `cargo-geiger` to scan your project's dependency tree for `unsafe` blocks, generating a report that identifies which crates contain unsafe code and how many times it appears.

This lets you audit third-party libraries for potential memory-safety risk without reading every line of their source, and, in CI, catch a dependency update that quietly introduces new unsafe code.

First, install the tool via cargo install:

cargo install cargo-geiger

Once installed, run it in your project root to generate a summary of unsafe usage across all dependencies:

cargo geiger

This prints one row per crate in the dependency tree with counts of `unsafe` functions, expressions, impls, traits and methods. Each count is shown as used/total: used is what is compiled for the current target and feature set, total is everything in the crate's source. A marker on each row shows whether the crate declares `#![forbid(unsafe_code)]`, contains unsafe, or merely lacks the forbid attribute. The table does not list file paths or line numbers; to see where the unsafe actually is, you still open the crate's source. For a machine-readable report suitable for CI/CD pipelines, select the JSON output format (`--output-format Json` in recent releases; run `cargo geiger --help` to confirm the spelling for the version you installed):

cargo geiger --output-format Json > unsafe_report.json

You can then parse this JSON to fail the build if a crate's unsafe count exceeds a threshold you have reviewed and accepted, or to generate documentation for your team. Pin the accepted count to the crate version: a dependency bump that adds unsafe then shows up as a failed check instead of slipping in under a static exclusion. Note that cargo-geiger only counts occurrences of the unsafe keyword; it does not analyze whether a given use is actually sound. A crate with zero unsafe can still have exploitable logic bugs, and an FFI binding with hundreds of unsafe calls can be perfectly correct, so the count tells you where to look, not how worried to be. It also only sees source it can parse: the standard library is not in your dependency tree, unsafe that appears only after macro expansion is generally invisible to a source-level scan, and a crate it could not scan is unknown rather than clean. It is a static analysis tool designed for visibility, not a proof of correctness.

If you need to exclude specific crates from the scan (for example, because you have reviewed and accepted the risk in a known FFI or crypto dependency) and your version accepts an --exclude flag (check `cargo geiger --help`), you can drop them from the scan:

cargo geiger --exclude=openssl --exclude=ring

Be aware of what this trades away: an excluded crate vanishes from the report, so a future version that adds more unsafe is no longer visible either. Where the flag is unavailable, or where you want to keep that visibility, apply the exception when post-processing the JSON report instead, keyed on crate name and version. Either way, the approach lets you focus on new or unknown dependencies while acknowledging that some established, widely-audited crates inherently use unsafe for performance or for calling into C libraries. Always read the flagged code in context before acting on a count or making architectural decisions.
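As an added example that is neither cargo-geiger's own code nor part of the original page, here is a small Python gate over the JSON report that serves both the CI threshold described above and the accept-the-risk case for known crates. Python rather than Rust because this is CI glue around the tool's output, not Rust code. The report field names (a top-level "packages" list whose entries carry package.id.name, package.id.version and unsafety.used.{functions, exprs, item_impls, item_traits, methods}.unsafe_, plus a "packages_without_metrics" list) are an assumption modelled on recent cargo-geiger output and must be checked against one real report; the crate names and counts in the embedded sample are constructed, not measured. Instead of excluding a crate from the scan, the accepted count is pinned to name@version in a baseline, so the crate stays in the report while a version bump or a rise in its unsafe count still fails the build, and crates geiger could not scan fail closed.

```python
"""CI gate over a cargo-geiger JSON report: fail when a crate uses more unsafe
than the reviewed baseline allows.

Added example, not part of cargo-geiger. The report layout is an ASSUMPTION
modelled on recent cargo-geiger output; check one real report and adjust the
accessor functions (crate_key, used_unsafe) if field names differ.
"""
import json
import sys
from pathlib import Path

# Counter blocks whose `unsafe_` counts are summed per crate (assumed field names).
COUNTER_FIELDS = ("functions", "exprs", "item_impls", "item_traits", "methods")


def crate_key(entry):
    """'name@version', so an accepted count is tied to the exact version reviewed."""
    pkg_id = entry["package"]["id"]
    return f"{pkg_id['name']}@{pkg_id['version']}"


def used_unsafe(entry):
    """Unsafe items in code actually compiled into this build (the 'used' side of
    geiger's used/total split); the 'unused' block is deliberately ignored."""
    block = entry["unsafety"]["used"]
    return sum(int(block[field]["unsafe_"]) for field in COUNTER_FIELDS)


def check_report(report_json, baseline, default_max=0):
    """Return violation messages; an empty list means the gate passes.

    baseline maps 'name@version' -> highest used-unsafe count that has been
    reviewed and accepted. Unlisted crates fall back to default_max, so with the
    default of 0 any unsafe in a new or bumped dependency fails until reviewed.
    """
    report = json.loads(report_json)
    violations = []

    # Crates geiger could not scan are unknown, not safe: fail closed on them.
    for pkg_id in report.get("packages_without_metrics", []):
        violations.append(
            f"{pkg_id['name']}@{pkg_id['version']}: not scanned by cargo-geiger, treat as unknown"
        )

    for entry in report["packages"]:
        key = crate_key(entry)
        count = used_unsafe(entry)
        limit = baseline.get(key, default_max)
        if count > limit:
            violations.append(f"{key}: {count} used unsafe item(s), accepted baseline is {limit}")
    return violations


def _counts(**unsafe_by_field):
    """Build one 'used' counter block; fields not named have zero unsafe."""
    return {f: {"safe": 10, "unsafe_": unsafe_by_field.get(f, 0)} for f in COUNTER_FIELDS}


def build_sample_report(unscanned=()):
    """Constructed sample report: hypothetical crate names and numbers, not real data."""
    return json.dumps({
        "packages": [
            {"package": {"id": {"name": "myapp", "version": "0.1.0"}},
             "unsafety": {"forbids_unsafe": True, "used": _counts()}},
            # A hypothetical FFI-style crate: lots of unsafe by nature, reviewed and accepted.
            {"package": {"id": {"name": "example-sys", "version": "1.2.0"}},
             "unsafety": {"forbids_unsafe": False,
                          "used": _counts(functions=12, exprs=25, methods=3)}},
            # A hypothetical utility crate that quietly picked up one unsafe expression.
            {"package": {"id": {"name": "leftpad-rs", "version": "0.2.0"}},
             "unsafety": {"forbids_unsafe": False, "used": _counts(exprs=1)}},
        ],
        "packages_without_metrics": [
            {"name": name, "version": version} for name, version in unscanned
        ],
    })


def main(argv):
    """Usage: python geiger_gate.py unsafe_report.json [baseline.json]"""
    report_json = Path(argv[1]).read_text(encoding="utf-8")
    baseline = json.loads(Path(argv[2]).read_text(encoding="utf-8")) if len(argv) > 2 else {}
    problems = check_report(report_json, baseline)
    for line in problems:
        print("UNSAFE GATE:", line, file=sys.stderr)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python geiger_gate.py unsafe_report.json baseline.json` after the `cargo geiger` step, where baseline.json is a checked-in map such as `{"example-sys@1.2.0": 40}`. When a bump changes the version, the old key no longer matches, the crate falls back to the default of zero, and the build fails until someone re-reviews the new version and updates the baseline, which is the review trigger an `--exclude` would have suppressed.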