Hi all! Not sure where to ask, so doing so here...
Those tools will go further than what clippy does. Instead of looking at "code quality" patterns, they look for security issues. For example, they contain lints for whether your app listens on all interfaces, weak crypto usage, or even committed credentials.
Since those tools are used as part of a process, I am sure the question of whether such a tool exists for rust will arise.
Does something like this already exist? I don't know the internals of clippy, but could a "security" lint category be possible?
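As an added illustration of what such a lint checks for (example code written for this thread, not clippy's code or one of the tools mentioned): a tiny line-based scanner that flags listeners bound to all interfaces and hard-coded credentials. The rule names, the `Finding` type and the sample source are all made up for the example.

```rust
// Added example (not clippy's code, not one of the tools discussed): a minimal text-level
// "security lint" that flags two patterns named in the thread: binding a listener to all
// interfaces and hard-coded credentials. Real lints work on the AST; this is an illustration.
#[derive(Debug, PartialEq)]
pub struct Finding {
    pub line: usize,
    pub rule: &'static str,
}
/// True if the line binds a socket to every interface (0.0.0.0 or [::]).
fn binds_all_interfaces(line: &str) -> bool {
    let l = line.to_ascii_lowercase();
    l.contains("bind(") && (l.contains("0.0.0.0") || l.contains("[::]"))
}
/// True if a credential-like name is assigned or compared to a string literal;
/// values read from the environment at runtime are not flagged.
fn hardcoded_credential(line: &str) -> bool {
    const NAMES: [&str; 5] = ["password", "passwd", "secret", "api_key", "token"];
    let l = line.to_ascii_lowercase();
    let lhs = l.split('=').next().unwrap_or("");
    NAMES.iter().any(|n| lhs.contains(n)) && l.contains('"') && !l.contains("env::var")
}
/// Scan source text and return findings with 1-based line numbers (comments skipped).
pub fn lint_source(src: &str) -> Vec<Finding> {
    let mut out = Vec::new();
    for (i, line) in src.lines().enumerate() {
        if line.trim_start().starts_with("//") {
            continue;
        }
        if binds_all_interfaces(line) {
            out.push(Finding { line: i + 1, rule: "bind-all-interfaces" });
        }
        if hardcoded_credential(line) {
            out.push(Finding { line: i + 1, rule: "hardcoded-credential" });
        }
    }
    out
}
// Constructed sample input: a secret from the environment, a hard-coded one, two binds.
pub const SAMPLE: &str = r#"use std::net::TcpListener;
let token = std::env::var("API_TOKEN").unwrap();
let db_password = "hunter2";
let listener = TcpListener::bind("0.0.0.0:8080").unwrap();
let local = TcpListener::bind("127.0.0.1:8080").unwrap();"#;
fn main() {
    for f in lint_source(SAMPLE) {
        println!("line {}: {}", f.line, f.rule);
    }
}
```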
Clippy has quite a few security lints, primarily focused around
There are a bunch of Clippy lints, mostly in the correctness category, that flag incorrect use of unsafe. Last I checked, Clippy developers were open to making a security category too: https://github.com/rust-secure-code/wg/issues/27#issuecomment-454477101
I don't think any checkers for committed credentials exist yet, but I expect Clippy is the easiest way to implement them.
Great, thanks both! Having this kind of security lint directly in clippy would be awesome. I'll take a look at the issue tracker.