After months of real-world validation, we’re promoting Rust support from Beta to General Availability. Since moving to Beta in September 2025, Socket has analyzed thousands of Rust projects and published detailed findings on supply chain threats targeting the Rust ecosystem.
We first introduced Rust support in July 2025 with crate search for everyone and experimental SBOM generation for enterprise customers. In September, we moved Rust support to Beta after validating it across complex Cargo workspaces and expanding coverage based on customer feedback.
During Beta, we added support for scanning Cargo.toml-only projects, improved Rust-aware detections, and stabilized analysis for larger dependency graphs. All users could scan Rust repositories, generate SBOMs, and review supply chain findings directly in Socket.
With GA, Rust support is no longer a preview feature. It is supported, maintained, and ready for routine use alongside Socket’s existing ecosystem coverage.
What’s included in GA
Rust support in Socket includes:
- Rust crate search and package pages on socket.dev for crates.io
- Full dependency analysis and SBOM generation for Rust projects
- Support for single crates and full Cargo workspaces, including feature flags and workspace inheritance
- Cargo.toml-only scanning, with Cargo.lock recommended for pinned, fully reproducible builds
- Rust-aware supply chain checks that focus on behavior and ecosystem-specific risk
Git and local path dependencies are not yet supported and will appear as unresolved. That remains an area of active work.
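The distinction drawn above, pinned registry crates versus git and path dependencies that show up as unresolved, as an added example that is not Socket's code: a small Cargo.lock triage that flags every entry lacking a registry source plus checksum. The sample lockfile, its crate names and its checksum are constructed.

```rust
// Added example (not Socket's code): pinned registry crates vs unresolved git/path deps in Cargo.lock.
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum Pinning { Registry, Git, Path, MissingChecksum }
pub struct Entry { pub name: String, pub version: String, pub pinning: Pinning }
/// Return the quoted value if `line` has the form `key = "value"`.
fn value_of<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?.trim();
    rest.strip_prefix('"')?.strip_suffix('"')
}

pub fn audit_lockfile(text: &str) -> Vec<Entry> {
    let mut out = Vec::new();
    // One `[[package]]` table per block; the chunk before the first table is the file header.
    for block in text.split("[[package]]").skip(1) {
        let (mut name, mut version, mut source, mut checksum) = ("", "", None, None);
        for line in block.lines().map(str::trim) {
            if let Some(v) = value_of(line, "name") { name = v; }
            else if let Some(v) = value_of(line, "version") { version = v; }
            else if let Some(v) = value_of(line, "source") { source = Some(v); }
            else if let Some(v) = value_of(line, "checksum") { checksum = Some(v); }
        }
        let pinning = match source {
            None => Pinning::Path,                            // Cargo writes no source for path deps
            Some(s) if s.starts_with("git+") => Pinning::Git, // pinned to a rev, no registry checksum
            Some(_) if checksum.is_some() => Pinning::Registry,
            Some(_) => Pinning::MissingChecksum,
        };
        out.push(Entry { name: name.to_string(), version: version.to_string(), pinning });
    }
    out
}
/// Entries that cannot be tied to a checksummed registry artifact; these need manual review.
pub fn unresolved(entries: &[Entry]) -> Vec<&Entry> {
    entries.iter().filter(|e| e.pinning != Pinning::Registry).collect()
}

// Constructed sample lockfile; the checksum is a placeholder, not a real crate digest.
pub const SAMPLE_LOCK: &str = r#"[[package]]
name = "serde"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000000"
[[package]]
name = "my-fork"
version = "0.1.0"
source = "git+https://example.invalid/my-fork.git#0123abcd"
[[package]]
name = "local-helper"
version = "0.1.0"
"#;
```

Run `audit_lockfile` over a real `Cargo.lock` read from disk and review whatever `unresolved` returns; a `MissingChecksum` entry means a registry crate whose lockfile entry cannot be verified against the registry.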
Proven on real Rust supply chain threats

Since launching Rust support, we’ve used the same analysis pipeline now in GA to publish multiple threat research reports on supply chain attacks targeting Rust developers. These reports covered malicious crates discovered and analyzed in the Rust ecosystem, including:
- Crates impersonating legitimate projects to steal Solana and Ethereum wallet keys
- A cross-platform loader that downloaded and silently executed OS-specific payloads
- A typosquat that exfiltrated credentials through a hidden, unpinned dependency
These findings reinforce a consistent pattern: supply chain risk in Rust is rarely about memory safety failures. It is about deception, hidden execution paths, and what dependencies actually do once they are pulled into a build or runtime environment.
Rust’s safety guarantees eliminate entire classes of bugs. They do not prevent malicious build scripts, suspicious network behavior, credential harvesting, or impersonation through typosquatting and transitive dependencies.
Socket’s Rust support is designed to surface those risks so teams can make informed dependency decisions earlier, before issues land in production.
How Socket Protects Rust Projects
Our security tooling works across your development workflow:
- Socket GitHub App: Real-time scanning of pull requests catches suspicious packages before merge
- Socket CLI: Behavioral checks at install time surface red flags early
- Socket Firewall: Blocks known malicious packages, including transitive dependencies
- Socket Browser Extension: Warns about suspicious packages while browsing crates.io
- Socket MCP: Detects malicious or hallucinated packages in AI-assisted coding suggestions
Get Started
Add or select a Rust repository in Socket, ensure Cargo.toml is present (include Cargo.lock for pinned analysis), and run a scan to generate an SBOM and review supply chain findings.
If you already use Socket for other ecosystems, Rust support is now part of the same workflow.
The Rust ecosystem continues to grow across security-critical domains, including systems programming, blockchain infrastructure, and embedded systems. As adoption increases, so does exposure to supply chain risk. Rust support in Socket is now generally available to help teams gain visibility into the dependencies they rely on.