diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4c3d46ba802ed..79664f6715640 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -181,3 +181,19 @@ jobs:
 - name: Run cli build (x86_64, aarch64)
 working-directory: cli
 run: make
+
+ rust-unsafe-analysis:
+ runs-on: ubuntu-22.04
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Install dependencies
+ run: ./scripts/init-unsafe-analysis.sh
+
+ - name: Run unsafe analyzer
+ run: ./scripts/analyze-unsafe.sh
+
+ - uses: actions/upload-artifact@v3
+ with:
+ name: tools
+ path: out/unsafe-analysis.log
diff --git a/.gitmodules b/.gitmodules
index df8dd35139d92..a1f9cffa87503 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -60,3 +60,6 @@
 [submodule "third-party/certifier"]
 path = third-party/certifier
 url = https://github.com/vmware-research/certifier-framework-for-confidential-computing
+[submodule "third-party/cargo-geiger"]
+ path = third-party/cargo-geiger
+ url = https://github.com/bitboom/cargo-geiger
diff --git a/scripts/analyze-unsafe.sh b/scripts/analyze-unsafe.sh
new file mode 100755
index 0000000000000..5275341c1e095
--- /dev/null
+++ b/scripts/analyze-unsafe.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+set -e
+
+ROOT=$(git rev-parse --show-toplevel)
+TOOL=$ROOT/third-party/cargo-geiger
+OUT=$ROOT/out
+
+mkdir -p $OUT
+
+cd $ROOT/plat/fvp
+cargo geiger --output-format Ratio | tee $OUT/unsafe-analysis.log
diff --git a/scripts/init-unsafe-analysis.sh b/scripts/init-unsafe-analysis.sh
new file mode 100755
index 0000000000000..3921db65e6caf
--- /dev/null
+++ b/scripts/init-unsafe-analysis.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+ROOT=$(git rev-parse --show-toplevel)
+HERE=$ROOT/scripts
+TOOL=$ROOT/third-party/cargo-geiger
+
+$HERE/deps/rust.sh
+
+git submodule update --init $TOOL
+cargo +stable install cargo-geiger --force --locked \
+ --path $TOOL/cargo-geiger \
+ --target x86_64-unknown-linux-gnu
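Review bot: The new `rust-unsafe-analysis` job in `.github/workflows/ci.yml` compiles and runs code from a third-party submodule but declares no `permissions:`, so it inherits whatever default GITHUB_TOKEN scope the repository or workflow grants (a workflow-level block, if one exists, is outside this hunk). Adding `permissions:` with `contents: read` under the job, and `persist-credentials: false` on the `actions/checkout@v3` step, would keep a write-capable token away from the analyzer build. Both `actions/checkout@v3` and `actions/upload-artifact@v3` are referenced by mutable tag; pinning each to a full commit SHA is the usual hardening. The artifact name `tools` says little about its content, and a name such as `unsafe-analysis` would be clearer.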
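Review bot: The `third-party/cargo-geiger` entry added to `.gitmodules` points at `https://github.com/bitboom/cargo-geiger`, and nothing in the change records why this repository is used or how it differs from the cargo-geiger project itself (it looks like a personal fork, which is an inference from the URL). The gitlink pins a commit, which fixes what gets built, but CI compiles and executes this code and the commit stays reachable only as long as that remote keeps it. A `#` comment line above the entry, or a sentence in the commit message, stating the reason for the choice and what it changes would let a reviewer audit the delta. Mirroring the repository under the project's own organisation is worth considering.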
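Review bot: In `scripts/analyze-unsafe.sh` the last line pipes `cargo geiger` into `tee` under `set -e` alone, so the pipeline's exit status is `tee`'s and a failed or crashed analyzer run still leaves the CI step green with a partial log uploaded. Changing the header to `set -eo pipefail` makes the step fail when `cargo geiger` does; if a non-zero exit on findings is meant to be non-blocking, that should be handled explicitly rather than hidden by the pipe. `TOOL` is assigned but never used in this script. The unquoted `$OUT` and `$ROOT` expansions (and `$TOOL` / `$HERE` in `scripts/init-unsafe-analysis.sh`) break on a checkout path containing spaces; `mkdir -p "$OUT"` and `cd "$ROOT/plat/fvp"` are the quoted forms.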
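Review bot: The `cargo +stable install` line in `scripts/init-unsafe-analysis.sh` hard-codes `--target x86_64-unknown-linux-gnu` and the `stable` toolchain without saying why, which ties the script to x86_64 Linux hosts such as the `ubuntu-22.04` runner. A comment above it, for example `# Build the analyzer for the host; presumably overrides a repo-wide default target (confirm)`, would document the intent. `scripts/deps/rust.sh` is invoked here but is not part of this diff, so what toolchain it installs cannot be checked from this change.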
diff --git a/third-party/cargo-geiger b/third-party/cargo-geiger
new file mode 160000
index 0000000000000..053fb370e7574
--- /dev/null
+++ b/third-party/cargo-geiger
@@ -0,0 +1 @@
+Subproject commit 053fb370e7574a31880b3f622221aabc8a286a80