Rules
Security Rules
Rules for detecting security vulnerabilities in Rust code.
hardcoded-secrets

Severity: Error

Detects hardcoded secrets in connection strings, API keys, passwords, and tokens. Secrets should be loaded from environment variables or a secrets manager.

// Bad
let db_url = "postgres://admin:s3cret@localhost/mydb";

// Good
let db_url = std::env::var("DATABASE_URL")?;

unsafe-block-audit

Severity: Warning

Flags unsafe blocks for manual review. While unsafe is sometimes necessary, each block should be documented with a safety comment explaining the invariants.

// Bad
unsafe { ptr::read(addr) }

// Good
// SAFETY: `addr` is guaranteed valid and aligned by the caller contract
unsafe { ptr::read(addr) }

sql-injection-risk

Severity: Error

Detects string interpolation or concatenation used to build SQL queries. Use parameterized queries instead.

// Bad
let query = format!("SELECT * FROM users WHERE id = {}", user_id);

// Good
sqlx::query("SELECT * FROM users WHERE id = $1")
    .bind(user_id)
    .fetch_one(&pool)
    .await?;
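As an added example that is not part of this rule set's own implementation, the following Rust snippet emulates all three rules above with simple line-based heuristics; the function names, the keyword lists and the matching logic are assumptions made for illustration, not the linter's actual detectors.

```rust
// Added example, not the linter's own code: a line-based checker emulating the three rules above.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding {
    pub line: usize,        // 1-based line number in the scanned source
    pub rule: &'static str, // rule id as named in the documentation
}

const SQL_VERBS: [&str; 5] = ["SELECT ", "INSERT ", "UPDATE ", "DELETE ", "DROP "];
const SECRET_NAMES: [&str; 5] = ["password", "secret", "token", "api_key", "apikey"];

/// True when a URL literal on the line carries `user:password@host` credentials.
fn has_embedded_credentials(line: &str) -> bool {
    let pos = match line.find("://") { Some(p) => p, None => return false };
    // The authority is everything between "://" and the next '/' or closing quote.
    let authority = line[pos + 3..].split(|c: char| c == '/' || c == '"').next().unwrap_or("");
    matches!(authority.split_once('@'), Some((userinfo, _)) if userinfo.contains(':'))
}

/// True for `let api_key = "..."`-style assignments of a literal to a secret-looking name.
fn assigns_literal_to_secret_name(line: &str) -> bool {
    let (lhs, rhs) = match line.split_once('=') { Some(p) => p, None => return false };
    let lhs = lhs.to_ascii_lowercase();
    rhs.trim_start().starts_with('"') && SECRET_NAMES.iter().any(|n| lhs.contains(n))
}

/// Scan Rust source text and report which rule each offending line violates.
pub fn scan(source: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    let mut prev_was_safety_comment = false;
    for (idx, raw) in source.lines().enumerate() {
        let (line, lineno) = (raw.trim(), idx + 1);
        if line.is_empty() { continue; } // blank lines do not separate a SAFETY comment
        if line.starts_with("//") {
            prev_was_safety_comment = line.starts_with("// SAFETY:");
            continue;
        }
        if has_embedded_credentials(line) || assigns_literal_to_secret_name(line) {
            findings.push(Finding { line: lineno, rule: "hardcoded-secrets" });
        }
        if line.contains("unsafe {") && !prev_was_safety_comment {
            findings.push(Finding { line: lineno, rule: "unsafe-block-audit" });
        }
        let upper = line.to_ascii_uppercase();
        if line.contains("format!(") && SQL_VERBS.iter().any(|v| upper.contains(v)) {
            findings.push(Finding { line: lineno, rule: "sql-injection-risk" });
        }
        prev_was_safety_comment = false; // only a directly preceding comment counts
    }
    findings
}
```

Running `scan` over the Bad/Good pairs from this page flags exactly the three Bad lines and leaves the Good lines alone; a real linter would work on the syntax tree rather than raw lines.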