# Install cargo-geiger with Homebrew, apk, Nix, pacman

Detects usage of unsafe Rust in a Rust crate and its dependencies. Version 0.13.0 via Homebrew; verified 2026-06-22.

## Install

```sh
sudo av install brew:cargo-geiger
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install cargo-geiger
```

  Evidence: local Homebrew formula metadata

### Linux

- apk (92%):

```sh
sudo apk add cargo-geiger
```

  Evidence: Alpine Linux edge package indexes: cargo-geiger from https://dl-cdn.alpinelinux.org/alpine/edge/testing/x86_64/APKINDEX.tar.gz

- Nix (92%):

```sh
nix profile install nixpkgs#cargo-geiger
```

  Evidence: nixpkgs package indexes: pkgs/by-name/ca/cargo-geiger/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

- pacman (92%):

```sh
sudo pacman -S cargo-geiger
```

  Evidence: Arch Linux sync databases: cargo-geiger from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz

## Package facts

- **Package key:** brew:cargo-geiger
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/cargo-geiger>
- **Version:** 0.13.0
- **Source summary:** Detects usage of unsafe Rust in a Rust crate and its dependencies
- **Homepage:** <https://github.com/geiger-rs/cargo-geiger>
- **Repository:** <https://github.com/geiger-rs/cargo-geiger>
- **Upstream docs:** <https://github.com/geiger-rs/cargo-geiger#readme>
- **License:** Apache-2.0 OR MIT
- **Source archive:** <https://github.com/geiger-rs/cargo-geiger/archive/refs/tags/cargo-geiger-0.13.0.tar.gz>
- **Last updated:** 2026-06-22T14:02:57-07:00
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- cargo-geiger (cli)
- cargo-geiger (alias)

## Dependencies

- openssl@3

## Build dependencies

- pkgconf
- rust

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 0.13.0
- Package-manager updated: 2026-06-22
- Local data: ok
- Upstream repository: https://github.com/geiger-rs/cargo-geiger
- Upstream latest detected: cargo-geiger-0.13.0 (current)
## Project history and usage

cargo-geiger is a Cargo subcommand that reports unsafe Rust usage in a crate and its dependency graph. Its name references a Geiger counter: unsafe code is treated as something worth detecting, measuring, and containing.

The project is intentionally framed as audit input, not an automatic security verdict. Its README warns that unsafe usage is nuanced and that reports should be handled carefully.

### Project history

The cargo-geiger repository and crate were created in June 2018. The README says the tool was originally based on code from cargo-osha and cargo-tree, combining unsafe-code scanning with dependency-tree traversal.

Over time the project split reusable pieces into library crates, including `geiger` and `cargo-geiger-serde`. The changelog records substantial dependency-graph work in 0.11.0 using cargo_metadata and JSON/report serialization improvements.

### Adoption history

cargo-geiger found a niche in Rust security review and supply-chain auditing, especially among developers interested in minimizing or documenting unsafe code in dependencies.

The README points users toward cargo-crev and safety-dance as audit contexts where cargo-geiger statistics can help. That positioning kept it from becoming a simplistic 'unsafe equals bad' badge while still making unsafe usage visible.

### How it is used

Usage is intentionally simple: run `cargo geiger` from the directory containing the `Cargo.toml` to analyze. The tool reports unsafe-code statistics for the crate and dependencies.

The README documents installation with `cargo install --locked cargo-geiger`, an optional vendored OpenSSL build, and prebuilt GitHub releases.

### Why package nerds care

cargo-geiger is package-nerd significant because it made unsafe-code exposure a transitive package property that could be inspected like licenses, advisories, or dependency trees.

It also shows Rust's audit culture maturing: package metadata alone is not enough, so tools emerged to summarize source-level risk signals across the dependency graph.

### Timeline

- 2018-06-20: GitHub repository created and cargo-geiger 0.1.0 published to crates.io.
- 2018-2019: Project builds on cargo-osha and cargo-tree ideas to scan crates and dependencies for unsafe usage.
- 2020: 0.11.0 changelog records dependency-graph exploration through cargo_metadata and adds JSON/report serialization pieces.
- 2026: Project remains active under geiger-rs with more than 190,000 crates.io downloads.

### Related projects

- cargo-osha and cargo-tree are named by the README as original sources of code or ideas.
- cargo-crev and safety-dance are named as audit workflows where cargo-geiger output can provide statistical input.
- cargo_metadata became important to cargo-geiger's dependency-graph handling, according to the changelog.

### Sources

- <https://api.github.com/repos/geiger-rs/cargo-geiger>
- <https://crates.io/crates/cargo-geiger>
- <https://github.com/geiger-rs/cargo-geiger#readme>
- <https://github.com/geiger-rs/cargo-geiger/blob/master/CHANGELOG.md>


## Security Notes

narrow executable package without higher-risk signals.

- **Geiger risk:** green / low
- narrow executable package without higher-risk signals

## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** cargo-geiger
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - cargo-geiger: normalized package name match | nixpkgs package indexes: pkgs/by-name/ca/cargo-geiger/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- apk - cargo-geiger - 0.13.0-r0: normalized package name match | Alpine Linux edge package indexes: cargo-geiger from https://dl-cdn.alpinelinux.org/alpine/edge/testing/x86_64/APKINDEX.tar.gz | Detects usage of unsafe Rust in a Rust crate and its dependencies. | https://github.com/geiger-rs/cargo-geiger
- apk - cargo-geiger-doc - 0.13.0-r0: normalized package name match | Alpine Linux edge package indexes: cargo-geiger-doc from https://dl-cdn.alpinelinux.org/alpine/edge/testing/x86_64/APKINDEX.tar.gz | Detects usage of unsafe Rust in a Rust crate and its dependencies. (documentation) | https://github.com/geiger-rs/cargo-geiger
- pacman - cargo-geiger - 0.13.0-1: normalized package name match | Arch Linux sync databases: cargo-geiger from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz | Detects usage of unsafe Rust in a Rust crate and its dependencies | https://github.com/rust-secure-code/cargo-geiger


## Related links

- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Package publisher tools](https://www.automicvault.com/pkg/package-publishers/) - Belongs to a package publishing or registry command family.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Developer build packages](https://www.automicvault.com/pkg/developer-build-tools/) - Matched build, compiler, generator, or developer workflow metadata.
- [openssl@3](https://www.automicvault.com/pkg/brew/openssl-3/) - Runtime dependency declared by Homebrew.
- [pkgconf](https://www.automicvault.com/pkg/brew/pkgconf/) - Build dependency declared by Homebrew.
- [rust](https://www.automicvault.com/pkg/brew/rust/) - Build dependency declared by Homebrew.
- [bandit](https://www.automicvault.com/pkg/brew/bandit/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [caracal](https://www.automicvault.com/pkg/brew/caracal/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [flawfinder](https://www.automicvault.com/pkg/brew/flawfinder/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [gosec](https://www.automicvault.com/pkg/brew/gosec/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [joern](https://www.automicvault.com/pkg/brew/joern/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [tfsec](https://www.automicvault.com/pkg/brew/tfsec/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [cargo-audit](https://www.automicvault.com/pkg/brew/cargo-audit/) - Shares av.db curated category or tags: cargo, cli, rust, security.
- [cargo-deny](https://www.automicvault.com/pkg/brew/cargo-deny/) - Shares av.db curated category or tags: cargo, cli, rust, security.
- [feluda](https://www.automicvault.com/pkg/brew/feluda/) - Both packages touch the same language runtime or ecosystem. Shared terms: cli, openssl, openssl-3, rust, security.

## Combined YAML source

View the package source record on GitHub. [combined/cargo-geiger.yml](https://github.com/automic-vault/db/blob/main/combined/cargo-geiger.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
