Rust

Analyze Rust and Cargo projects with FOSSA through Quick Import or the FOSSA CLI, including private Cargo registries.

3 min readUpdated Jul 9, 2026

Overview

FOSSA supports Rust codebases through Cargo. You can analyze a project two ways: Quick Import in the web app, or the FOSSA CLI.

Tool support

ToolQuick Import (app.fossa.com)CLI (fossa-cli)
CargoCargo.toml or Cargo.lockCargo.toml

How Quick Import works

When Rust code is imported through the web app, FOSSA inspects any Cargo.toml or Cargo.lock files and downloads their dependencies for analysis.

Warning

  • Optional dependencies are currently handled like Java optional dependencies, rather than being enabled or disabled based on features.
  • FOSSA does not currently understand default or missing features.
  • FOSSA does not handle path dependencies that point above your repository root.

Analyzing with the CLI

The Rust build-tool ecosystem is nearly exclusive to cargo, the package manager that ships with Rust distributions. (Generic build tools like make, cmake, and ninja are occasionally used but are not handled here.)

Install the latest release of fossa-cli:

Shell
curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash

Then run fossa analyze from your repository's root directory. See the Cargo strategy reference for the full page.

Analysis strategies

StrategyDirect DepsTransitive DepsEdgesTagsContainer Scanning
cargoEnvironment

Project discovery

FOSSA finds every Cargo.toml whose parent directories do not also contain a Cargo.toml. For example, given the tree below, only root/Cargo.toml is examined:

root
├── src1
│   ├── subpackage
│   │   ├── Cargo.toml
│   │   └── ...
│   └── main.rs
└── Cargo.toml

In the next tree, both root/pkg1/Cargo.toml and root/pkg2/Cargo.toml are examined, since neither has a parent directory with a Cargo.toml:

root
├── pkg1
│   ├── Cargo.toml
│   └── main.rs
└── pkg2
    ├── Cargo.toml
    └── main.rs

Analysis

FOSSA first invokes cargo generate-lockfile to trigger the lockfile build; this downloads the dependency graph info and almost nothing else. It then reads the output of cargo metadata --format-version 1 (JSON) and interrogates it for direct and transitive dependency information: .workspace_members lists the local crates, .resolve gives each crate's direct dependencies, and .packages carries per-package version, platform, build category, and feature data.

Warning

If FOSSA does not regenerate the lockfile, it may try to download every dependency in the tree, which can take upwards of 10 minutes even for small projects. Regenerating first updates only the package index, which usually takes 2–10 seconds.

Authenticating to private registries

You can configure FOSSA to resolve dependencies from private Cargo registries, such as those hosted on Artifactory.

  1. 1

    Open Rust language settings

    Go to Account Settings → Languages → Rust (https://app.fossa.com/account/settings/languages/rust).

  2. 2

    Add your registry

    Enter the registry index URL and an authentication token. Cargo registries are reached with a bearer token sent as Authorization: Bearer <token>, which is the most common mechanism for Cargo registries.

Package data

Cargo packages are downloaded and extracted for full code auditing; metadata from the registry and the Cargo.toml manifest are parsed and extracted.

© 2026 FOSSA, Inc.support@fossa.com