Contributions welcomed! Last updated: 2026-06-06
A curated list of awesome Rust analysis and verification tools, including linters, static analyzers, dynamic analyzers, formal verifiers, and security tooling.
- Linters
- Static Checkers
- Dynamic Checkers
- Verifiers
- Dependency & Supply Chain Security
- Academic Papers
| Name | Description | Working on | Bug Types | Technology | Last Commit Time |
|---|---|---|---|---|---|
| clippy | A bunch of lints to catch common mistakes and improve your Rust code. Paper: ICSE-Companion'24 | HIR | Versatile | Pattern matching | 2026-06-06 |
| dylint | Run Rust lints from dynamic libraries | HIR | Versatile | Pattern matching | 2026-06-02 |
| snarf | Cache-line false sharing linter for Rust structs — detects potential cache-line false sharing by finding cases where atomic or contended fields share a cache line | Source Code | Cache-line false sharing (performance) | Layout analysis | 2026-05-25 |
| redpen | A Rust code linter operating as rustc_driver; currently implements dont_panic and disallow lints with cross-crate panic reachability tracking |
HIR, MIR | Panic reachability, Type parameter restrictions | Pattern matching | 2024-06-10 |
| Name | Description | Working on | Bug Types | Technology | Last Commit Time |
|---|---|---|---|---|---|
| MIRAI | Rust mid-level IR Abstract Interpreter | MIR | Panic, Security bugs, Correctness | Abstract Interpretation | 2025-03-04 |
| lockbud | Statically detect common memory and concurrency bugs in Rust. Paper: Safety Issues in Rust, TSE'24 | MIR | Double-Lock, Conflicting-Lock-Order, Atomicity-Violation, Use-After-Free, Invalid-Free, Panic Locations | Data-flow Analysis | 2026-05-15 |
| RAPx | This is a static analysis project for analyzing Rust program. Paper: SafeDrop, TOSEM'22, RCanary, TSE'24 | HIR, MIR | Use-After-Free, Memory Leakage | Static Program Analysis, Model Checking | 2026-06-04 |
| safety-tags | Tag the safety properties of the Rust standard library. Paper: arxiv | Source Code | Unsafe | Annotation | 2026-04-24 |
| Rudra | Rust Memory Safety & Undefined Behavior Detection. Paper: Rudra, SOSP'21 | HIR, MIR | Memory safety when panicked, Higher Order Invariant, Send Sync Variance | Data-flow Analysis | 2026-04-02 |
| Yuga | Automatically Detecting Lifetime Annotation Bugs in the Rust Language. Paper: Yuga, ICSE'24 | HIR, MIR | Lifetime Annotation Bugs | Data-flow Analysis | 2024-04-01 |
| MirChecker | A Simple Static Analysis Tool for Rust. Paper: MirChecker, CCS'21 | MIR | Panic (including numerical), Lifetime Corruption (memory issues) | Abstract Interpretation | 2024-05-24 |
| FFIChecker | A Static Analysis Tool For Detecting Memory Management Bugs Between Rust and C/C++. Paper: FFIChecker, ESORICS'22 | LLVM IR | Memory issues across the Rust/C FFI | Abstract Interpretation | 2022-05-31 |
| RUPTA | Supports pointer/alias analysis for Rust, operating on Rust MIR. It currently offers callsite-based pointer analysis. Paper: RUPTA, CC'24, Stack Filtering, CGO'25 | MIR | Not bugs, for callgraph construction | Callsite-based pointer analysis | 2025-06-17 |
| Cocoon | Static Information Flow Control in Rust. Paper: Cocoon, OOPSLA'24 | Rust Source Code | Secrecy Leaks | Rust's type system and procedural macros | 2024-03-20 |
| rustsp_analyzer | Fearless Unsafe. A More User-friendly Document for Unsafe Rust Programming Base on Refined Safety Properties. Paper: Fearless Unsafe | HIR | Safety Properties | Summarization | 2025-01-01 |
| AtomVChecker | Statically detect memory ordering misuses for Rust. Paper: AtomVChecker, ISSRE'24 | MIR | Atomic concurrency bugs and performance loss due to memory ordering misuse | Data-flow Analysis | 2025-06-27 |
| rustowl | Visualize ownership and lifetimes in Rust for debugging and optimization | MIR | Lifetime Errors | Rust's borrow checker | 2026-06-02 |
| cargo-pinch(pinchecker) | Contract Violation detection tool for Rust crates. Paper: PinChecker, arxiv | MIR, PLIR | unsafe code that fails to uphold its safety requirements (Pin-related memory bugs for now) | - | 2025-03-04 |
| mirilli | A study of undefined behavior across foreign function boundaries in Rust libraries | MIR, LLVM IR | UB across FFI boundaries | - | 2025-02-13 |
| TypePulse | TypePulse: Detecting Type Confusion Bugs in Rust Programs. Paper: TypePulse, USENIX Security'25 | MIR | Type confusion | Type conversion & pointer alias analysis | 2025-12-13 |
| Rust-API-Bypass-Checker | A conservative MIR-based static analysis tool that identifies redundant safety checks in Rust programs to improve performance | MIR | Redundant safety checks | Interval analysis | 2026-05-22 |
| the-janitor | Rust static-analysis security research platform for IFDS, Z3/Kani proof obligations, exploit-witness generation | MIR, LLVM IR | Security vulnerabilities, Memory safety | Static Analysis, Symbolic Execution | 2026-06-02 |
| Crema | Static analysis tool for Rust-C FFI detecting memory leaks, double-free and use-after-free in pure unsafe Rust and Rust-C interaction. Paper: SEFM'25 | LLVM IR (SVF) | Memory leak, Double-free, Use-after-free (FFI) | Static Value-Flow Analysis | 2025-12-06 |
| Name | Description | Working on | Bug Types | Technology | Last Commit Time |
|---|---|---|---|---|---|
| miri | An interpreter for Rust's mid-level intermediate representation | MIR | Undefined Behavior | Abstract Interpretation | 2026-06-06 |
| cargo-careful | Execute Rust code carefully, with extra checking along the way | - | Undefined Behavior | Enable Debug Assertion in std | 2026-04-01 |
| cargo-fuzz | Command line helpers for fuzzing | Binary | Crashes, Panics, Memory errors | Fuzzing | 2026-05-26 |
| Loom | Concurrency permutation testing tool for Rust. | Source Code | Concurrency Bugs | Permutation testing | 2026-02-20 |
| Shuttle | A library for testing concurrent Rust code. Paper A Randomized Scheduler with Probabilistic Guarantees of Finding Bugs | Source Code | Concurrency Bugs | Randomized testing | 2026-05-22 |
| ERASAN | Efficient Rust Address Sanitizer. Paper: IEEES&P'24 | - | Memory Access Bugs | Fuzzing | 2025-06-30 |
| Automated-Fuzzer | Simple tool to create broken files and checking them with special apps | - | Panic | Fuzzing | 2026-05-19 |
| RULF | Fuzz Target Generator for Rust libraries. Paper: RULF, ASE'21 | - | Out-of-bound, Panic (including arithmetic) | Fuzzing | 2023-11-09 |
| RPG1 | RPG: Rust Library Fuzzing with Pool-based Fuzz Target. Paper: RPG, ICSE'24 | - | Out-of-bound, Panic (including arithmetic) | Fuzzing | 2022-10-09 |
| SyRust | Automatic Testing of Rust Libraries with Semantic-Aware Program Synthesis. Paper: SyRust, PLDI'21 | - | - | Program Synthesis | 2021-04-14 |
| NADER | Automatic Context-Aware Safety Enhancement for Rust. Paper: OOPSLA'21 | MIR, Source Code | Unchecked Indexing | API Replacing | 2021-07-13 |
| casr2 | collect crash (or UndefinedBehaviorSanitizer error) reports, triage, and estimate severity. Paper: Casr-Cluster, ISPRAS'21, Ivannikov Memorial Workshop'24 | Crash Reports from ASan, UBSan, GDB | - | Analyze crashes | 2026-05-30 |
| rustsmith | A randomized program fuzzer for the Rust programming language. Paper: rustsmith, ISSTA'23 rustsmith, thesis | AST | Rust compiler bugs | Differential testing | 2023-07-21 |
| rustlantis | UB-free and deterministic rustc fuzzer. Paper: rustlantis, OOPSLA'24 | MIR | Rust compiler bugs | Differential testing | 2025-11-15 |
| RuMono | A fully automated Rust fuzz driver generator. Paper: RuMono, TOSEM'24 | - | Generic APIs | Fuzzing | 2023-11-09 |
| rtsan-standalone-rs | Standalone RealtimeSanitizer for Rust. Blogpost | Source Code | Real-time Violations | Instrumentation | 2025-09-27 |
| RustSan | RustSan: Retrofitting AddressSanitizer for Efficient Sanitization of Rust. Paper: USENIX Security'24 | LLVM IR | Memory bugs | Instrumentation | 2024-10-11 |
| SafeFFI | Efficient Sanitization at the Boundary Between Safe and Unsafe Code in Rust and Mixed-Language Applications USENIX Security'26 NDSS'24 Poster | MIR, LLVM IR | Memory safety in C/C++ and Rust Mixed Code | Instrumentation | 2026-03-10 |
| Hopper | Hopper is a tool for generating fuzzing test cases for libraries automatically using interpretative fuzzing | Binary | Library API bugs | Fuzzing | 2026-05-16 |
| dhat-rs | Heap profiling and ad hoc profiling for Rust programs | - | Memory leaks, Heap allocation patterns | Instrumentation | 2025-02-20 |
| afl.rs | Fuzzing Rust code with American Fuzzy Lop | Binary | Memory corruption, Panics, Crashes | Fuzzing (AFL) | 2026-05-11 |
| LibAFL | Advanced Fuzzing Library - Slot your Fuzzer together in Rust! Scales across cores and machines | Binary | Memory corruption, Panics, Crashes | Fuzzing Framework | 2026-05-19 |
| test-fuzz | To make fuzzing Rust easy - automated fuzz target generation | Source Code | Panics, Crashes | Fuzzing | 2026-06-04 |
| fuzzcheck-rs | Modular, structure-aware, and feedback-driven fuzzing engine for Rust functions | Source Code | Panics, Crashes | Fuzzing | 2026-01-22 |
| honggfuzz-rs | Fuzz your Rust code with Google-developed Honggfuzz | Binary | Memory corruption, Panics | Fuzzing (Honggfuzz) | 2026-03-28 |
- The link may be incorrect. See here.
- casr analyze the results of dynamic checkers instead of performing dynamic analysis itself. Thanks zjp-CN for recommending casr.
| Name | Description | Working on | Bug Types | Technology | Last Commit Time |
|---|---|---|---|---|---|
| kani | The Kani Rust Verifier is a bit-precise model checker for Rust. Paper: kani, ICSE-SEIP'22 | MIR | Memory safety, User-specified assertions, Panics, Unexpected behavior (e.g., arithmetic overflows) | Model Checking | 2026-06-03 |
| prusti | A static verifier for Rust, based on the Viper verification infrastructure. Paper: prusti, NFM'22 | Viper | Panic (including arithmetic), User-specified assertions | Symbolic Execution | 2024-03-26 |
| crux-mir | A static simulator for Rust programs. Paper: crux | - | - | Symbolic Testing | 2026-06-03 |
| verus | Verified Rust for low-level systems code. Paper: verus, OOPSLA'23, SOSP'24 | - | - | SMT-based Verification | 2026-06-05 |
| AutoVerus | Automated proof generation system for Rust/Verus code. Paper: autoverus, OOPSLA'25 | - | - | LLM, SMT-based Verification | 2026-06-02 |
| flux | flux is a refinement type checker for Rust. Paper: flux, PLDI'23 | - | - | - | 2026-06-05 |
| Aeneas | A verification toolchain for Rust programs. Paper: Aeneas, ICFP'22, ICFP'24 | LLBC (for safe Rust only) | - | - | 2026-06-05 |
| hax | A Rust verification tool. Publications | - | Panic, Properties, Data Invariants | Translation to F* or Rocq | 2026-06-04 |
| RustBelt | Formal (and machine-checked) safety proof for a language representing a realistic subset of Rust. Paper: RustBelt, POPL'18 | 𝜆Rust | - | - | 2024-12-13 |
| RustHorn | A CHC-based automated verifier for Rust RustHorn, TOPLAS'21 | MIR | - | - | 2024-08-27 |
| Creusot | A deductive verifier for Rust code. Creusot, ICFEM'22 | WhyML | Panics, overflows, Assertion failures | Deductive Verification | 2026-06-05 |
| RustHornBelt | A Semantic Foundation for Functional Verification of Rust Programs with Unsafe Code. Paper: RustHornBelt, PLDI'22 | 𝜆Rust | - | - | 2023-02-14 |
| RefinedRust1 | A Type System for High-Assurance Verification of Rust Programs. Paper: RefinedRust, PLDI'24 | Radium | - | - | 2025-01-03 |
| VeriFast2 | Research prototype tool for modular formal verification of C and Java programs. Paper: VeriFast, NFM'11 | - | - | Symbolic Execution | 2026-05-10 |
| mendel-verifier | Capability-based verifier for safe Rust clients of interior mutability. Paper: Poli, Thesis | Viper | Interior Mutability | Symbolic Execution | 2024-07-16 |
| silver-sif-extension | Extension of the Viper language with modular product programs and information flow specifications. Paper: Thesis | Viper | Differential Privacy | Symbolic Execution | 2026-01-23 |
| soteria-rust | Soteria is a library for writing efficient symbolic interpreters directly in OCaml. The core library is just a small toolbox that we use for writing a set of analyses, currently for C and Rust | ULLBC (gen by Obol or Charon) | Memory safety, Panic, Aliasing & UB | Symbolic Execution | 2026-06-05 |
| mir-semantics | A model of the semantics of Rust's Stable MIR in K to enable symbolic execution of Rust programs and proofs of program properties | StableMIR, K | - | Symbolic Execution | 2026-05-28 |
| cuq | Cuq: A MIR-to-Coq Framework Targeting PTX for Formal Semantics and Verified Translation of Rust GPU Kernels | MIR, Coq | GPU kernel-level bugs | Translate MIR to Coq for PTX semantics | 2026-05-04 |
| chronicle | MIR-based formal model extraction for Rust concurrent systems — TLA+ codegen & model checking | MIR | Concurrency bugs | Model extraction + TLA+ | 2026-03-18 |
| seer | Symbolic execution engine for Rust | MIR | Panics, unreachable!(), assertion failures | Symbolic Execution | 2018-07-17 |
| haybale | Symbolic execution of LLVM IR with an engine written in Rust | LLVM IR | Memory errors, UB | Symbolic Execution | 2023-10-27 |
| rure | Reliable Unsafe Rust Engine — POC symbolic execution over unsafe Rust | MIR | Unsafe code bugs | Symbolic Execution | 2019-04-26 |
- Thanks to jedbrown for recommending RefinedRust and other Rust-related verification tools.
- Rust support is WIP in VeriFast. Thanks zjp-CN for recommending VeriFast.
| Name | Description | Working on | Bug Types | Technology | Last Commit Time |
|---|---|---|---|---|---|
| cargo-deny | Cargo plugin for linting your dependencies. Checks for security advisories, licenses, and banned crates | Cargo.lock, Source | Dependency vulnerabilities, License violations, Banned crates | Dependency Analysis | 2026-06-05 |
| cargo-audit | Audit Cargo.lock files for crates with security vulnerabilities reported to the RustSec Advisory Database | Cargo.lock | Known vulnerabilities in dependencies | Advisory Database Lookup | 2026-06-05 |
| cargo-geiger | Detects usage of unsafe Rust in a Rust crate and its dependencies | Source Code | Unsafe code usage | Static Analysis | 2025-08-31 |
| cargo-vet | Supply-chain security for Rust - audit your dependencies for trustworthiness | Cargo.lock, Source | Untrusted dependencies | Supply Chain Auditing | 2026-04-19 |
| cargo-auditable | Make production Rust binaries auditable - embed dependency info into binaries | Binary | Dependency vulnerabilities in production binaries | Binary Auditing | 2026-05-28 |
| cargo-scan | A tool for auditing Rust crates - scans for unsafe patterns and security-sensitive operations | Source Code, MIR | Unsafe patterns, Security-sensitive operations | Static Analysis | 2026-06-05 |
| cargo-udeps | Find unused dependencies in Cargo.toml | Cargo.toml | Unused dependencies | Dependency Analysis | 2026-04-29 |
| cargo-semver-checks | Scan your Rust crate for semver violations | Rust ABI | Semver violations | Static Analysis | 2026-05-31 |
| cargo-safety | Provides safety checks for Rust projects by finding all uses of unsafe code in dependencies | Source Code | Unsafe code usage | Static Analysis | 2018-01-07 |
| Name | Description | Working on | Bug Types | Technology |
|---|---|---|---|---|
| Rupair | Rupair: Towards Automatic Buffer Overflow Detection and Rectification for Rust. Rupair, ACSAC'21 | AST, MIR | Buffer Overflow | Data-flow Analysis |
| CRUST | CRUST: Towards a Unified Cross-Language Program Analysis Framework for Rust. CRUST, QRS'22 | CRustIR based on MIR | Security (CFI vilation, Meta Data Leaking, Format String Attack), Memory issues(Out-of-bounds, Use-after-Free, Double-Free, Stack-Overflow, Buffer-Overflow), Arithmetic (Divide-by-zero, Integer-Overflow) | Program Analysis Framework |
| ACORN | ACORN: Towards a Holistic Cross-Language Program Analysis for Rust. ACORN | Wasm | Security (Tainted Variable, Dangerous Function, Format String Attack), Memory issues (Out-of-bounds, Use-after-Free, Double-Free, Stack-Overflow, Buffer-Overflow), Arithmetic (Divide-by-zero, Integer-Overflow) | Program Analysis Framework |
| Yu Zhang | Static Deadlock Detection for Rust Programs. Yu Zhang | MIR | Deadlock | Data-flow Analysis |
| Kaiwen Zhang | Automatically Transform Rust Source to Petri Nets for Checking Deadlocks. Kaiwen Zhang | MIR | Deadlock | Petri Nets |
| RustC4 | Leveraging Large Language Model to Assist Detecting Rust Code Comment Inconsistency. ASE'24 | AST | Code Comment Inconsistency | LLM |
| craft | Automated Fault Tree Generation for Rust Programs. EDCC'24 | - | Fault Tree | Static Program Analysis |
| PanicFI | An Infrastructure for Fixing Panic Bugs in Real-World Rust Programs. PanicFI | HIR, AST | Fixing Panic Bugs | Pattern Matching |
| rustc++ | rustc++: Facilitating Advanced Analysis of Rust Code. rustc++ | MIR, LLVM IR | Enhance MIR & pass metadata for analysis | Metadata |
| Name | Description | Working on | Bug Types | Technology |
|---|---|---|---|---|
| CrabSandwich | CrabSandwich: Fuzzing Rust with Rust. CrabSandwich, Fuzzing'23 | LLVM IR | Out-of-bounds, Panic | Fuzzing |
| Zhiyong Ren | Detect Stack Overflow Bugs in Rust via Improved Fuzzing Technique. Zhiyong Ren, SEKE'21 | AST, HIR, MIR, LLVM IR | Stack Overflow | Fuzzing |
| Rustcheck | Safety Enhancement of Unsafe Rust via Dynamic Program Analysis. Rustcheck, QRS-C'23 | MIR | Memory vulnerabilities | Static Program Analysis, Instrumentation |
| RUSTY | A Fuzzing Tool for Rust. Poster@ACSAC'20 | - | Vulnerabilities | Fuzzing, Concolic Testing, Property-based Testing |
| Rust-twins | Automatic Rust Compiler Testing through Program Mutation and Dual Macros Generation. ASE'24 | AST, HIR | Rust compiler crashes and differences | Differential testing, mutation, macroize components, LLM |
| LiteRSan | LiteRSan: Lightweight Memory Safety Via Rust-specific Program Analysis and Selective Instrumentation. arxiv | MIR, LLVM IR | Memory access bugs | Fuzzing |
| FRIES | Fuzzing Rust Library Interactions via Efficient Ecosystem-Guided Target Generation. FRIES, ISSTA'24 | MIR | Rust API interactions | Fuzzing |
| Name | Description | Working on | Bug Types | Technology |
|---|---|---|---|---|
| GillianRust | A hybrid approach to semi-automated Rust verification. GillianRust | Unsafe Code Supported | - | Separation Logic based Hybrid Verification |
| UnsafeCop | Towards Memory Safety for Real-World Unsafe Rust Code with Practical Bounded Model checking. UnsafeCop, FM'24 | - | Memory safety issues | Bounded Model Checking |
| SAFE | Automated Proof Generation for Rust Code via Self-Evolution. SAFE | Rust Code With Docstring, Verus | - | Verus Verifier, LLM |
| PanicCheck | Broadly Enabling KLEE to Effortlessly Find Unrecoverable Errors. PanicCheck, ICSE-SEIP'24 | LLVM IR | Panic | KLEE |
| Converos | Converos: Practical Model Checking for Verifying Rust OS Kernel Concurrency. ATC'25 | PlusCal/TLA+ | Concurrency | Conformance Checking |
Thanks to the following awesome works:
- https://github.com/analysis-tools-dev/static-analysis?tab=readme-ov-file#rust
- https://github.com/analysis-tools-dev/dynamic-analysis?tab=readme-ov-file#rust
- A Survey of Rust Language Security Research
- RefinedRust: A Type System for High-Assurance Verification of Rust Programs
- Verifying the Rust Standard Library
To the extent possible under law, the contributors have waived all copyright and related or neighboring rights to this work.