Rust
Rust for Snyk Code
Supported frameworks and libraries
For Rust with Snyk Code, the following frameworks and libraries are supported:
actix_files
actix_identity
actix_multipart
actix_session
actix_web
age
ammonia
async_graphql
axum
diesel
handlebars
hyper
iron
orion
postgres
reqwest
ring
rustcrypto
sqlx
tera
tokio
tokio_dbs
tonic
uuid
warp
For an overview of the supported security rules, visit Rust rules.
Supported file formats
For Rust with Snyk Code, the following file formats are supported: .rs.
Available features
Support for Interfile analysis
Reports
Rust for Snyk Open Source
Supported package managers and registries
For Rust with Snyk Open Source, the following are supported:
Supported package registry: crates.io
Supported files: CycloneDX and SPDX SBOMs
Available features
Test your SBOM containing cargo PURLs using the SBOM test command or API.
Test your individual Rust packages using the List issues for a package API.
SCM import and the standard CLI commands snyk test and snyk monitor are not available.
Open Source scanning of Rust manifests and dependencies is limited to testing using the CLI command snyk sbom test, or through the Snyk API, using either SBOM testing or individual package testing. API access is available only with Ignite or Enterprise plans.
Scan Rust dependencies in bulk using the CLI
To do this:
Use a third-party tool to create an SBOM document from the Cargo.toml and Cargo.lock files, in one of the supported SBOM formats.
Use snyk sbom test --file=<path to your SBOM> to scan the SBOM document.
Alternatively, you can use the REST API, as follows:
Use the REST API to POST the SBOM document to the sbom_tests endpoint.
Retrieve the results by calling the sbom_tests/{job_id} endpoint. For more information, visit SBOM and Test an SBOM document for vulnerabilities.
Scan Rust dependencies individually using the API
To test your individual Rust packages from the Cargo package manager, you can use the List issues for a package API. You can obtain the PURL from the metadata section of the package on crates.io; it must adhere to the purl specification.
Before using it in the API, ensure you URL encode it. For example, pkg:cargo/sd@0.1.0 becomes pkg%3Acargo%2Fsd%400.1.0.
This reports only the direct vulnerabilities for that package. For more information, visit List issues for a package.
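The two testing paths above share one input: the crates.io coordinates recorded in Cargo.lock. The following Python is an added example written for this page, not Snyk tooling and not one of the third-party SBOM generators the bulk path refers to. It parses a constructed Cargo.lock, derives a pkg:cargo PURL for each crates.io dependency, URL-encodes each PURL the way the individual-package API requires (checking the shape first), and wraps the same PURLs in a minimal CycloneDX 1.4 JSON document of the kind snyk sbom test accepts. The Cargo.lock contents, crate names and checksums are all constructed; the workspace root and a git dependency are included to show which entries have no crates.io coordinate and are skipped.

```python
"""Derive cargo PURLs from Cargo.lock, URL-encode them for the
List issues for a package API, and emit a minimal CycloneDX SBOM.
Added example for this page; not Snyk's own tooling."""
import json
import re
from urllib.parse import quote

# Constructed sample Cargo.lock; crate names and checksums are invented.
SAMPLE_CARGO_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "my-service"
version = "0.1.0"
dependencies = [
 "sd",
 "serde",
]

[[package]]
name = "sd"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000000"

[[package]]
name = "serde"
version = "1.0.197"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1111111111111111111111111111111111111111111111111111111111111111"

[[package]]
name = "internal-util"
version = "0.3.2"
source = "git+https://example.invalid/internal-util.git#abcdef"
"""

CRATES_IO_INDEX = "registry+https://github.com/rust-lang/crates.io-index"
# Shape of a cargo PURL: pkg:cargo/<crate>@<version>. Crate names allow
# letters, digits, '-' and '_'; versions are semver-like.
CARGO_PURL_RE = re.compile(r"^pkg:cargo/[A-Za-z0-9_-]+@[A-Za-z0-9._+-]+$")


def parse_cargo_lock(text):
    """Return one dict per [[package]] table with its name, version and
    source (source is absent for the workspace root)."""
    packages = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            current = {}
            packages.append(current)
            continue
        if current is None:
            continue  # header lines such as `version = 3`
        m = re.match(r'^(name|version|source)\s*=\s*"([^"]*)"$', line)
        if m:
            current[m.group(1)] = m.group(2)
    return packages


def cargo_purls(text):
    """PURLs for crates.io dependencies only. The workspace root and
    git/path dependencies have no crates.io coordinate and are skipped."""
    return [f"pkg:cargo/{p['name']}@{p['version']}"
            for p in parse_cargo_lock(text)
            if p.get("source") == CRATES_IO_INDEX]


def encode_purl(purl):
    """Reject anything that is not a cargo PURL, then percent-encode every
    reserved character (':' '/' '@') so the PURL can sit in an API path."""
    if not CARGO_PURL_RE.match(purl):
        raise ValueError(f"not a cargo PURL: {purl!r}")
    return quote(purl, safe="")


def cyclonedx_sbom(text):
    """Minimal CycloneDX 1.4 JSON carrying the same PURLs as components."""
    components = [
        {"type": "library",
         "name": purl.split("/", 1)[1].split("@", 1)[0],
         "version": purl.rsplit("@", 1)[1],
         "purl": purl}
        for purl in cargo_purls(text)
    ]
    doc = {"bomFormat": "CycloneDX", "specVersion": "1.4",
           "version": 1, "components": components}
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    for purl in cargo_purls(SAMPLE_CARGO_LOCK):
        print(purl, "->", encode_purl(purl))
    print(cyclonedx_sbom(SAMPLE_CARGO_LOCK))
```

Redirect the JSON output to a file and pass it to snyk sbom test --file=<that file> for the bulk path; use the encoded strings with the List issues for a package API for the individual path. The shape check in encode_purl is there because a malformed PURL (wrong type, missing version) produces an API error rather than a silent "no issues" result, and catching it locally is cheaper.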
Gating commits and PRs
To avoid introducing vulnerabilities on commits and PRs, Snyk recommends incorporating the above testing into your CI/CD pipeline.