cargo_capsec/lib.rs
1//! # cargo-capsec
2//!
3//! Static capability audit for Rust — find out what your code can do to the outside world.
4//!
5//! `cargo-capsec` scans Rust source code and produces a **capability map**: every function,
6//! in every crate in your workspace, that exercises ambient authority over the filesystem,
7//! network, environment, or process table. No annotations required. No code changes. Point
8//! it at a repo and it tells you what's happening.
9//!
10//! ## Architecture
11//!
12//! The audit pipeline has five stages:
13//!
14//! 1. **[`discovery`]** — enumerate workspace crates via `cargo metadata`
15//! 2. **[`parser`]** — parse `.rs` files into structured ASTs with [`syn`]
16//! 3. **[`authorities`]** — match calls against a registry of known ambient authority patterns
17//! 4. **[`detector`]** — orchestrate matching with import expansion and deduplication
18//! 5. **[`reporter`]** — format findings as text, JSON, or SARIF
19//!
20//! Supporting modules:
21//!
22//! - **[`config`]** — `.capsec.toml` parsing for custom authorities and allow rules
23//! - **[`baseline`]** — diff findings against previous runs to detect new capabilities
24//!
25//! ## Programmatic usage
26//!
27//! ```no_run
28//! use cargo_capsec::parser::parse_source;
29//! use cargo_capsec::detector::Detector;
30//!
31//! let source = r#"
32//! use std::fs;
33//! fn load() { let _ = fs::read("data.bin"); }
34//! "#;
35//!
36//! let parsed = parse_source(source, "example.rs").unwrap();
37//! let detector = Detector::new();
38//! let findings = detector.analyse(&parsed, "my-crate", "0.1.0");
39//!
40//! for f in &findings {
41//! println!("[{}] {} in {}()", f.category.label(), f.call_text, f.function);
42//! }
43//! ```
44
45pub mod authorities;
46pub mod baseline;
47pub mod config;
48pub mod detector;
49pub mod discovery;
50pub mod parser;
51pub mod reporter;