Automic VaultAutomic Vault

brew

Install cargo-geiger with Homebrew, apk, Nix, pacman

Detects usage of unsafe Rust in a Rust crate and its dependencies. Version 0.13.0 via Homebrew; verified 2026-06-22.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install cargo-geiger

local Homebrew formula metadata

Linux

Alpine Linux apkverified · 92%
sudo apk add cargo-geiger

Alpine Linux edge package indexes · cargo-geiger · source: dl-cdn.alpinelinux.org

Nixverified · 92%
nix profile install nixpkgs#cargo-geiger

nixpkgs package indexes · pkgs/by-name/ca/cargo-geiger/package.nix · source: api.github.com

Arch Linux pacmanverified · 92%
sudo pacman -S cargo-geiger

Arch Linux sync databases · cargo-geiger · source: geo.mirror.pkgbuild.com

overview

Package summary

Detects usage of unsafe Rust in a Rust crate and its dependencies

Commands and aliases

  • cargo-geiger

history

Project history and usage

cargo-geiger is a Cargo subcommand that reports unsafe Rust usage in a crate and its dependency graph. Its name references a Geiger counter: unsafe code is treated as something worth detecting, measuring, and containing.

The project is intentionally framed as audit input, not an automatic security verdict. Its README warns that unsafe usage is nuanced and that reports should be handled carefully.

Project history

The cargo-geiger repository and crate were created in June 2018. The README says the tool was originally based on code from cargo-osha and cargo-tree, combining unsafe-code scanning with dependency-tree traversal.

Over time the project split reusable pieces into library crates, including `geiger` and `cargo-geiger-serde`. The changelog records substantial dependency-graph work in 0.11.0 using cargo_metadata and JSON/report serialization improvements.

Adoption history

cargo-geiger found a niche in Rust security review and supply-chain auditing, especially among developers interested in minimizing or documenting unsafe code in dependencies.

The README points users toward cargo-crev and safety-dance as audit contexts where cargo-geiger statistics can help. That positioning kept it from becoming a simplistic 'unsafe equals bad' badge while still making unsafe usage visible.

How it is used

Usage is intentionally simple: run `cargo geiger` from the directory containing the `Cargo.toml` to analyze. The tool reports unsafe-code statistics for the crate and dependencies.

The README documents installation with `cargo install --locked cargo-geiger`, an optional vendored OpenSSL build, and prebuilt GitHub releases.

Why package nerds care

cargo-geiger is package-nerd significant because it made unsafe-code exposure a transitive package property that could be inspected like licenses, advisories, or dependency trees.

It also shows Rust's audit culture maturing: package metadata alone is not enough, so tools emerged to summarize source-level risk signals across the dependency graph.

Timeline

  • 2018-06-20: GitHub repository created and cargo-geiger 0.1.0 published to crates.io.
  • 2018-2019: Project builds on cargo-osha and cargo-tree ideas to scan crates and dependencies for unsafe usage.
  • 2020: 0.11.0 changelog records dependency-graph exploration through cargo_metadata and adds JSON/report serialization pieces.
  • 2026: Project remains active under geiger-rs with more than 190,000 crates.io downloads.

Related projects

  • cargo-osha and cargo-tree are named by the README as original sources of code or ideas.
  • cargo-crev and safety-dance are named as audit workflows where cargo-geiger output can provide statistical input.
  • cargo_metadata became important to cargo-geiger's dependency-graph handling, according to the changelog.

security posture

Risk level: green

narrow executable package without higher-risk signals.

Risk classifier

green risk · low confidence · appliance

Why

  • narrow executable package without higher-risk signals

Signals

  • metadata:no-higher-risk-signals

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Installs with 1 runtime dependencies.
  • Build metadata lists 2 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

executables

Installed executables

CommandKindExposureNote
cargo-geigercliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version0.13.0
manager updated2026-06-22
local dataok
upstreamcurrent
latest detectedcargo-geiger-0.13.0

https://github.com/geiger-rs/cargo-geiger

  • okNo freshness warnings were generated.

install metadata

Package metadata

Package keybrew:cargo-geiger
Version0.13.0
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/cargo-geiger
Homepagehttps://github.com/geiger-rs/cargo-geiger
Repositoryhttps://github.com/geiger-rs/cargo-geiger
Upstream docshttps://github.com/geiger-rs/cargo-geiger#readme
LicenseApache-2.0 OR MIT
Source archivehttps://github.com/geiger-rs/cargo-geiger/archive/refs/tags/cargo-geiger-0.13.0.tar.gz
Last updated2026-06-22T14:02:57-07:00
Pulseupdated
Dependenciesopenssl@3
Build dependenciespkgconf, rust
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namecargo-geiger
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

cargo-geiger

nix profile install nixpkgs#cargo-geiger
  • normalized package name match
  • Matched by: Cargo Geiger
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/ca/cargo-geiger/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
apk95%

cargo-geiger 0.13.0-r0

Detects usage of unsafe Rust in a Rust crate and its dependencies.

https://github.com/geiger-rs/cargo-geiger

sudo apk add cargo-geiger
  • License: MIT OR Apache-2.0
  • Architecture: x86_64
  • Source Package: cargo-geiger
  • 1 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Cargo Geiger
Alpine Linux edge package indexes · dl-cdn.alpinelinux.org · Alpine Linux edge package indexes: cargo-geiger from https://dl-cdn.alpinelinux.org/alpine/edge/testing/x86_64/APKINDEX.tar.gz
apk95%

cargo-geiger-doc 0.13.0-r0

Detects usage of unsafe Rust in a Rust crate and its dependencies. (documentation)

https://github.com/geiger-rs/cargo-geiger

sudo apk add cargo-geiger-doc
  • License: MIT OR Apache-2.0
  • Architecture: x86_64
  • Source Package: cargo-geiger
  • normalized package name match
  • Matched by: Cargo Geiger
Alpine Linux edge package indexes · dl-cdn.alpinelinux.org · Alpine Linux edge package indexes: cargo-geiger-doc from https://dl-cdn.alpinelinux.org/alpine/edge/testing/x86_64/APKINDEX.tar.gz
pacman95%

cargo-geiger 0.13.0-1

Detects usage of unsafe Rust in a Rust crate and its dependencies

https://github.com/rust-secure-code/cargo-geiger

sudo pacman -S cargo-geiger
  • License: MIT AND Apache-2.0
  • Architecture: x86_64
  • 3 dependencies
  • normalized package name match
  • Matched by: Cargo Geiger
Arch Linux sync databases · geo.mirror.pkgbuild.com · Arch Linux sync databases: cargo-geiger from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment