Static analysis for Rust — locally, in 60 seconds.

Scan your Rust project for vulnerable crates, unmaintained or unsound dependencies, leaked secrets, churn hotspots, and copy-paste duplication — with the ik CLI. Pairs with cargo clippy (which catches lint-level issues); inkode catches the structural, historical, and security-data ones clippy doesn't see.

Running on a typical Cargo workspace

    $ ik run
    inkode · axum-service
    Running 20 checks...
    Complexity            5 findings   190ms  (chamele, in-process)
    Dependency Audit      1 finding    2.1s   (cargo-audit)
    Hotspot               8 findings   35ms
    Coupling              3 findings   22ms
    Secret Scanning       no issues    1.2s   (gitleaks)
    Duplication           4 findings   2.8s   (jscpd)
    Semantic Duplication  2 findings   7.4s   (embedded LLM)
    Test Presence         no issues    9ms    (cargo-test)
    Line Count            2 findings   15ms
    Score   71 / 100  grade C
    Report  .ik/brief.html
    Share   https://api.inkode.co/r/a8K2vP9LmqRn

What we check, and how.

| Check | Tool | What it catches in Rust |
| --- | --- | --- |
| Complexity | chamele (in-process) | Functions and methods exceeding the cyclomatic-complexity threshold (default 10), via the in-process chamele library — no extra install, never skipped. |
| Dependency Audit | cargo-audit | RUSTSEC advisories against Cargo.lock. Reports vulnerable crates as Errors, unmaintained / unsound / yanked crates as Warnings — the latter category matters more in Rust than in most ecosystems. |
| Test Presence | fs walk + content | Detects integration tests in tests/, benchmarks in benches/, and inline #[test] / #[tokio::test] / #[cfg(test)] modules. Without the content check, Rust repos look test-less because there's no _test.rs convention. |
| Hotspots | git log | Files ranked by commit frequency. Useful in Rust where one lib.rs can grow into a god module for years before anyone notices. |
| Coupling | git log | File pairs that always change together — surfaces the hidden module boundaries that the Cargo build graph doesn't. |
| Duplication | jscpd | Copy-pasted token blocks across the workspace. jscpd handles .rs natively. |
| Semantic Duplication | embedded LLM | Rust functions are extracted via the in-process chamele library, embedded via Qwen2.5-Coder-0.5B, and paired by cosine similarity — catches helpers regenerated in different modules. (Requires the embedded model; run ik init --download-deps.) |
| Secrets, Line Count, Infra, Scripts, TODO Density, AI Stack | language-agnostic | Same as every other language — gitleaks for secrets, fs walks for oversized files, file-pattern detection for Dockerfiles / K8s / Terraform / shell scripts, AI-tool config detection. |

Use both.

CVE data from RUSTSEC

clippy is a linter, not a security tool. inkode's dep-audit shells out to cargo-audit to surface RUSTSEC advisories against your locked dependencies — including unmaintained crates that aren't outright vulnerable but worth replacing.
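The severity split described above (vulnerable crates as Errors, unmaintained / unsound / yanked crates as Warnings), as an added example that is not inkode's own code. It reads a constructed report shaped like `cargo audit --json` output, trimmed to the fields it uses; the crate names, placeholder advisory IDs, and the `classify` / `exit_code` helpers are assumptions for illustration.

```python
import json

# Constructed sample shaped like `cargo audit --json` output, trimmed to the
# fields read below. Crate names and advisory IDs are placeholders.
SAMPLE = json.dumps({
    "vulnerabilities": {"found": True, "count": 1, "list": [
        {"advisory": {"id": "RUSTSEC-0000-0001", "title": "constructed: memory corruption"},
         "package": {"name": "example-parser", "version": "0.3.1"},
         "versions": {"patched": [">=0.3.2"]}},
    ]},
    "warnings": {
        "unmaintained": [{"kind": "unmaintained",
                          "advisory": {"id": "RUSTSEC-0000-0002", "title": "constructed: unmaintained"},
                          "package": {"name": "example-term", "version": "1.0.0"}}],
        # Yanked crates carry no advisory object, so "advisory" is null.
        "yanked": [{"kind": "yanked", "advisory": None,
                    "package": {"name": "example-codec", "version": "2.1.0"}}],
    },
})

def classify(report_json):
    """Return (errors, warnings): vulnerable crates vs. informational kinds."""
    report = json.loads(report_json)
    errors, warnings = [], []
    for v in report.get("vulnerabilities", {}).get("list", []):
        adv, pkg = v["advisory"], v["package"]
        errors.append({"crate": pkg["name"], "version": pkg["version"],
                       "id": adv["id"], "kind": "vulnerability",
                       "fix": (v.get("versions") or {}).get("patched", [])})
    for kind, items in report.get("warnings", {}).items():
        for w in items:
            adv, pkg = w.get("advisory") or {}, w["package"]
            warnings.append({"crate": pkg["name"], "version": pkg["version"],
                             "id": adv.get("id"), "kind": kind, "fix": []})
    return errors, warnings

def exit_code(errors, warnings, fail_on_warnings=False):
    """CI gate: vulnerable crates always fail; warnings fail only on request."""
    return 1 if errors or (fail_on_warnings and warnings) else 0

if __name__ == "__main__":
    errs, warns = classify(SAMPLE)
    for level, findings in (("ERROR", errs), ("WARN", warns)):
        for f in findings:
            print(f"{level:5} {f['crate']} {f['version']} {f['kind']} {f['id'] or '-'}")
    raise SystemExit(exit_code(errs, warns))
```
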

Historical churn

clippy sees one snapshot. inkode reads git log to rank files by change frequency and surface co-change pairs that imply hidden coupling. Static analysis can't see what your team has been editing for a year.

Secret leakage

gitleaks sweeps the whole repository for API keys, tokens, and credentials hardcoded in source, tests, or CI configs — including secrets in older commits that the AI might have generated and that you forgot to rotate.

Cross-file duplication

Rust's module system encourages copying small utilities into multiple crates. jscpd finds the duplicated blocks at token level; the embedded-LLM semdup check catches them at the intent level too — Rust function extraction runs in-process via chamele.

Run it on your Rust workspace.

Install in one line, scan in under a minute. No account required.

    $ curl -fsSL https://inkode.co/install.sh | sh
    $ cargo install cargo-audit   # one-time, for dep-audit
    $ cd your-rust-project && ik init && ik run