Harness Component — Subagent
2b Rust Source Analyzer
Performs source-level zeroization analysis for Rust crates in zeroize-audit. Generates rustdoc JSON for trait-aware analysis and runs token-based dangerous API scanning. Produces sensitive objects and source findings consumed by rust-compiler-analyzer and report assembly.
Definition
2b-rust-source-analyzer
Identify sensitive Rust types and detect missing or incorrect zeroization at the source level. Uses rustdoc JSON for trait-aware analysis (resolves generics, blanket impls, type aliases) and a token-based scanner for dangerous API patterns. Produces source findings that drive crate-level compiler analysis.
Input
You receive these values from the orchestrator:
| Parameter | Description |
|---|---|
| workdir | Run working directory (e.g. /tmp/zeroize-audit-{run_id}/) |
| repo_root | Repository root path |
| cargo_manifest | Absolute path to Cargo.toml |
| rust_crate_root | Directory containing Cargo.toml (i.e. dirname(cargo_manifest)) |
| rust_tu_hash | Short hash identifying this crate (e.g. a1b2c3d4) |
| config | Merged config object (sensitive patterns, approved wipes) |
| baseDir | Plugin base directory (for tool paths) |
Process
Step 1 — Generate Rustdoc JSON
Generate the rustdoc JSON file for the crate. This provides trait implementation data, derive macros, and type information needed for semantic analysis.
```bash
cargo +nightly rustdoc \
  --manifest-path <cargo_manifest> \
  --document-private-items -- \
  -Z unstable-options --output-format json
```
The output is written to <rust_crate_root>/target/doc/<crate_name>.json, where <crate_name> is the library target name with hyphens replaced by underscores. For a workspace member the shared target directory lives at the workspace root rather than under <rust_crate_root>; if the file is absent there, read target_directory from `cargo metadata --format-version 1 --no-deps` and look under its doc/ subdirectory. Locate the file with:

```bash
find <rust_crate_root>/target/doc -name "*.json" -not -name "search-index*.json" | head -1
```

In a workspace, target/doc can hold JSON for several crates, so prefer the expected <crate_name>.json and treat the find above as a fallback.
If cargo +nightly rustdoc fails: write an error note and skip to Step 3 (dangerous API scan can still run without rustdoc JSON).
Step 2 — Semantic Audit (Rustdoc JSON)
Run the trait-aware semantic auditor:
```bash
uv run {baseDir}/tools/scripts/semantic_audit.py \
  --rustdoc <rustdoc_json_path> \
  --cargo-toml <cargo_manifest> \
  --out {workdir}/source-analysis/rust-semantic-findings.json
```
This detects:
- `#[derive(Copy)]` on sensitive types → `SECRET_COPY` (critical)
- No `Zeroize`/`ZeroizeOnDrop`/`Drop` impl on a sensitive type → `MISSING_SOURCE_ZEROIZE` (high)

Because rustdoc JSON records derived traits as ordinary impl items, both checks see derived and hand-written impls alike. A `Copy` type can never have a `Drop` impl (rustc rejects the combination with error E0184), so a `SECRET_COPY` finding also means the type cannot be wiped on drop: the fix is to remove `Copy`, not merely to add `ZeroizeOnDrop`.
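As an added illustration (not code from zeroize-audit or its scripts), the following stand-alone Rust shows the two source patterns the semantic audit reports, on a hypothetical key type. `CopyKey` is what `SECRET_COPY` flags: every by-value use silently duplicates the bytes, so a wipe reaches only one copy. `Key` is the hardened form, with no `Copy` and a destructor that wipes. The type names and the hand-rolled volatile wipe are this example's own, standing in for the zeroize crate's `Zeroize`/`ZeroizeOnDrop` derives so that it compiles with no dependencies.

```rust
use core::ptr::write_volatile;
use core::sync::atomic::{compiler_fence, Ordering};

/// Constructed example of what SECRET_COPY flags: a `Copy` key is
/// duplicated on every by-value use, so no single wipe reaches all copies.
#[derive(Clone, Copy)]
pub struct CopyKey(pub [u8; 32]);

/// Attempting to "wipe" a Copy value only clears the callee's duplicate.
pub fn wipe_copy(mut k: CopyKey) -> CopyKey {
    k.0 = [0u8; 32];
    k
}

/// Returns true when the caller's original still holds the key bytes after
/// wipe_copy ran, i.e. the wipe was ineffective against the leaked copy.
pub fn copy_leaves_original_intact() -> bool {
    let k = CopyKey([0xAA; 32]);
    let wiped = wipe_copy(k); // implicit copy; `k` remains usable afterwards
    wiped.0 == [0u8; 32] && k.0 == [0xAA; 32]
}

/// Hardened form: not Copy, wiped explicitly, and wiped on drop.
/// Adding `#[derive(Copy)]` here would be rejected by rustc (E0184)
/// because the type has a destructor.
pub struct Key([u8; 32]);

impl Key {
    pub fn new(bytes: [u8; 32]) -> Self {
        Key(bytes)
    }

    pub fn as_bytes(&self) -> &[u8; 32] {
        &self.0
    }

    /// Volatile stores cannot be removed as dead stores by the optimizer;
    /// the fence keeps later memory accesses from being reordered before
    /// them. This is the same mechanism the zeroize crate relies on, written
    /// out here (as an assumption of this example) to avoid a dependency.
    pub fn wipe(&mut self) {
        for b in self.0.iter_mut() {
            // SAFETY: `b` is a valid, aligned, exclusively borrowed u8.
            unsafe { write_volatile(b, 0) };
        }
        compiler_fence(Ordering::SeqCst);
    }
}

/// The presence of this impl is what clears MISSING_SOURCE_ZEROIZE.
impl Drop for Key {
    fn drop(&mut self) {
        self.wipe();
    }
}

/// Exercises the wipe directly (drop itself cannot be observed safely).
pub fn wiped_key_is_zero() -> bool {
    let mut k = Key::new([0x42; 32]);
    k.wipe();
    *k.as_bytes() == [0u8; 32]
}

fn main() {
    println!("Copy key still readable after wipe: {}", copy_leaves_original_intact());
    println!("Key wiped to zero: {}", wiped_key_is_zero());
}
```

Whether the volatile stores survive optimization and whether a wiped stack frame is later overwritten is exactly what the compiler-level stage checks; the source-level finding only establishes that a wipe exists on the drop path at all.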