§cargo-capsec
Static capability audit for Rust — find out what your code can do to the outside world.
cargo-capsec scans Rust source code and produces a capability map: every function,
in every crate in your workspace, that exercises ambient authority over the filesystem,
network, environment, or process table. No annotations required. No code changes. Point
it at a repo and it tells you what’s happening.
§Architecture
The audit pipeline has five stages:
- discovery — enumerate workspace crates via cargo metadata
- parser — parse .rs files into structured ASTs with syn
- authorities — match calls against a registry of known ambient authority patterns
- detector — orchestrate matching with import expansion and deduplication
- reporter — format findings as text, JSON, or SARIF
Supporting modules:
- config — .capsec.toml parsing for custom authorities and allow rules
- baseline — diff findings against previous runs to detect new capabilities
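Why the detector stage expands imports before matching, shown as an added example that is not cargo-capsec's own code: a call written as fs::read, or through an "as" alias, only matches a registry of fully qualified paths once the use items have been resolved. The registry entries, function names and sample input are constructed for illustration, and plain string handling stands in for the syn-based parser.

```rust
use std::collections::{BTreeSet, HashMap};

// Constructed mini-registry (fully qualified path, category); not cargo-capsec's real catalogue.
const REGISTRY: &[(&str, &str)] = &[
    ("std::fs::read", "FS"),
    ("std::net::TcpStream::connect", "NET"),
    ("std::env::var", "ENV"),
];

/// Map each imported name (or its `as` alias) to the full path it stands for.
fn import_map(uses: &[&str]) -> HashMap<String, String> {
    let mut map = HashMap::new();
    for u in uses {
        let body = u.trim().trim_start_matches("use ").trim_end_matches(';');
        let (path, alias) = match body.split_once(" as ") {
            Some((p, a)) => (p.trim(), a.trim()),
            None => (body, body.rsplit("::").next().unwrap_or(body)),
        };
        map.insert(alias.to_string(), path.to_string());
    }
    map
}

/// Rewrite the first segment of a call path through the import map.
fn expand(call: &str, imports: &HashMap<String, String>) -> String {
    let (head, rest) = call.split_once("::").unwrap_or((call, ""));
    match imports.get(head) {
        Some(full) if rest.is_empty() => full.clone(),
        Some(full) => format!("{}::{}", full, rest),
        None => call.to_string(),
    }
}

/// Findings as (category, expanded call, enclosing function); the set removes duplicates.
fn detect(uses: &[&str], calls: &[(&str, &str)]) -> BTreeSet<(String, String, String)> {
    let imports = import_map(uses);
    calls.iter().filter_map(|(func, call)| {
        let full = expand(call, &imports);
        REGISTRY.iter().find(|(path, _)| *path == full)
            .map(|(_, cat)| (cat.to_string(), full.clone(), func.to_string()))
    }).collect()
}

fn main() {
    // Constructed input: imports and (function, call path) pairs as a parser might yield them.
    let uses = ["use std::fs;", "use std::net::TcpStream as Sock;", "use std::env::var as v;"];
    let calls = [("load", "fs::read"), ("load", "fs::read"), ("dial", "Sock::connect"), ("cfg", "v")];
    for f in detect(&uses, &calls) { println!("{:?}", f); }
}
```

Matching the raw call text against the registry would miss all three aliased calls here, which is why expansion has to run first.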
§Programmatic usage
```rust
use cargo_capsec::parser::parse_source;
use cargo_capsec::detector::Detector;

let source = r#"
use std::fs;
fn load() { let _ = fs::read("data.bin"); }
"#;

let parsed = parse_source(source, "example.rs").unwrap();
let detector = Detector::new();
let findings = detector.analyse(&parsed, "my-crate", "0.1.0");

for f in &findings {
    println!("[{}] {} in {}()", f.category.label(), f.call_text, f.function);
}
```
§Modules
- authorities: The authority registry — a structured catalogue of every standard library and common third-party function that exercises ambient authority.
- baseline: Baseline diffing — track capability changes across runs.
- config: .capsec.toml configuration parsing.
- detector: The detection engine — matches parsed call sites against the authority registry.
- discovery: Workspace and source file discovery.
- parser: Rust source file parser built on syn.
- reporter: Output formatters — text, JSON, and SARIF.