vastlint

# VASTlint

**Website & web validator:** [VAST tag validator](https://vastlint.org) Paste a VAST tag and get results in your browser, no install required.

A high-performance VAST XML validator built on a zero-dependency Rust core. Checks ad tags against the IAB Tech Lab VAST specification so you don't have to read it. Over $30 billion in annual CTV and video ad spend flows through VAST XML, and malformed tags are one of the most common causes of lost impressions, broken tracking, and revenue discrepancies between platforms. There is no widely adopted open-source tool that validates VAST XML against the full IAB specification across all published versions.

VASTlint ships a native **MCP server** - making VAST validation available as a callable tool from Claude, Cursor, the [AAMP Buyer Agent SDK](https://github.com/IABTechLab/buyer-agent), or any MCP-compatible client. Connect to `vastlint.org/mcp` and call `validate_vast`, `validate_vast_url`, `inspect_vast`, `list_rules`, `explain_rule`, or `fix_vast`. Each tool returns structured JSON with rule IDs, XPath locations, and spec references.

Native bindings for realtime ad pipelines: [`vastlint-go`](https://github.com/aleksUIX/vastlint-go) (CGo, prebuilt static libs — no Rust toolchain needed), [`vastlint-erlang`](https://github.com/aleksUIX/vastlint-erlang) (Elixir/Erlang — OTP port mode for production ad delivery, DirtyCpu NIF for non-critical paths), and a WASM npm package for Node.js and browsers. All bindings share the same compiled Rust core — consistent results everywhere, sub-millisecond latency at scale.

Need a copy-paste frontend starting point? See the React drop-in example in [`npm/examples`](npm/examples/README.md).

[![crates.io](https://img.shields.io/crates/v/vastlint-cli.svg?label=crates.io)](https://crates.io/crates/vastlint-cli)
[![vastlint-core](https://img.shields.io/crates/v/vastlint-core.svg?label=vastlint-core)](https://crates.io/crates/vastlint-core)
[![npm](https://img.shields.io/npm/v/vastlint.svg?label=npm)](https://www.npmjs.com/package/vastlint)
[![go](https://img.shields.io/github/v/tag/aleksUIX/vastlint-go?label=go&color=00ADD8)](https://github.com/aleksUIX/vastlint-go)
[![license](https://img.shields.io/crates/l/vastlint-cli.svg)](LICENSE)

[![VS Code](https://img.shields.io/visual-studio-marketplace/v/aleksuix.vastlint?label=vs%20code&color=007ACC)](https://marketplace.visualstudio.com/items?itemName=aleksuix.vastlint)
[![docs.rs](https://docs.rs/vastlint-core/badge.svg)](https://docs.rs/vastlint-core)
[![vastlint.org](https://img.shields.io/badge/vastlint.org-docs%20%26%20validator-blue)](https://vastlint.org)

[![smithery badge](https://smithery.ai/badge/aleksander/vastlint)](https://smithery.ai/servers/aleksander/vastlint)
[![SLSA 2](https://slsa.dev/images/gh-badge-level2.svg)](https://slsa.dev)
[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/aleksUIX/vastlint/badge)](https://scorecard.dev/viewer/?uri=github.com/aleksUIX/vastlint)
[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/10788/badge)](https://bestpractices.coreinfrastructure.org/projects/10788)

Validates VAST documents against:

- [IAB Tech Lab VAST](https://iabtechlab.com/standards/vast/) 2.0, 3.0, 4.0, 4.1, 4.2, and 4.3 — structural rules derived from the published XSD schemas ([W3C REC-xmlschema-1](https://www.w3.org/TR/xmlschema-1/)) and spec prose (RFC 2119 normative key words)
- [W3C XML 1.0](https://www.w3.org/TR/xml/) well-formedness — malformed documents are rejected before any spec rule runs
- [RFC 3986](https://www.rfc-editor.org/rfc/rfc3986) URI syntax — all URL fields
- [IANA Media Types](https://www.iana.org/assignments/media-types/) — MIME types on MediaFile, InteractiveCreativeFile, Mezzanine, and ClosedCaptionFile
- [ISO 4217](https://www.iso.org/iso-4217-currency-codes.html) currency codes — Pricing elements
- [Ad-ID](https://www.ad-id.org/) registry format — UniversalAdId
- [IAB Tech Lab SIMID](https://iabtechlab.com/simid/) 1.0, 1.0.1, 1.1, 1.2 — interactive creative validation for `<InteractiveCreativeFile apiFramework="SIMID">` and nonlinear `<IFrameResource>` (the IAB-sanctioned VPAID replacement)
- [IAB Tech Lab OMID / Open Measurement](https://iabtechlab.com/standards/open-measurement-sdk/) compatibility in VAST `<AdVerifications>` — vendor format, duplicate vendor detection, OMID resource semantics, verification tracking validation, and pre-4.1 extension-carried compatibility blocks

182 rules across required fields, schema validation, structural correctness, security, consistency, deprecated features, ambiguous usage, value formats, SIMID validation, OMID validation, VMAP 1.0, and DAAST 1.0. Rules marked with `$` have direct revenue impact - use `vastlint check --fail-on-warning` in CI to catch them before they reach production. See [common errors](docs/common-errors.md) for the ones that cost real money. New to VASTlint? Start with the [tutorial](docs/tutorial.md).

Full rule reference with examples and fix instructions: [VAST error rule reference](https://vastlint.org/docs/rules) · [RULES.md](RULES.md)

How rules are derived: [Rule derivation methodology](https://vastlint.org/docs/methodology/) · [METHODOLOGY.md](METHODOLOGY.md)

## Enterprise readiness

**Zero runtime dependencies in the core.** `vastlint-core` has three compile-time dependencies (`quick-xml`, `url`, `phf`) and no runtime dependencies whatsoever — no async runtime, no regex engine, no schema interpreter. Rules are compiled Rust functions. There is no transitive dependency graph to audit, no CVE surface to track, and no supply chain to compromise at runtime.

**Verifiable build provenance.** All release artifacts are signed with [SLSA Build Level 2](https://slsa.dev/spec/v1.0/levels#build-l2) provenance via GitHub's native attestation store. Every binary, library, `.vsix`, and npm package can be verified cryptographically against the exact source commit that produced it. No developer machine is ever involved in producing release artifacts. SLSA L3 (hermetic, isolated signing) is in progress.

**No data retention — and full self-hosting available.** VAST XML submitted to the hosted API or MCP server is validated ephemerally in a Cloudflare Worker and never stored, logged, or transmitted to third parties. The VS Code extension and Chrome extension process all XML locally — nothing leaves the editor. See [PRIVACY.md](PRIVACY.md) for the full policy.

For teams that require on-premise processing or air-gapped deployments, VASTlint runs entirely self-hosted: the [Docker image](https://hub.docker.com/r/aleksuix/vastlint) (`FROM scratch`, under 5 MB, cold-start under 10 ms) or the pre-built static musl binary can be dropped into any pipeline without external network access. The Rust core has no network code — no callbacks, no telemetry, no license checks.

**Apache 2.0 licensed.** No CLA, no dual-license commercial upsell, no usage-based restrictions. Fork it, vendor it, embed it, redistribute it.

**Dependency update automation.** Dependabot monitors Cargo, npm, and GitHub Actions dependencies weekly and opens PRs automatically. Combined with `cargo audit` on every CI push and CodeQL static analysis on every push and PR, the dependency surface stays current without manual tracking.

**Auditable.** [OpenSSF Scorecard](https://scorecard.dev/viewer/?uri=github.com/aleksUIX/vastlint) runs weekly and publishes a public score. [CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/10788) badge covers vulnerability reporting, CI, fuzzing, and code review requirements. The [Security Advisory](https://github.com/aleksUIX/vastlint/security/advisories/new) channel provides a private disclosure path with a 48-hour acknowledgement SLA.

**Fuzz-tested continuously.** Three libFuzzer targets run on every CI push against the core validator and auto-fix engine. See the [Fuzzing](#fuzzing) section below.

## Performance

Benchmarked on Apple M4 (10-core), production-realistic VAST tags (17–44 KB):

| Metric | 17 KB tag | 44 KB tag |
|---|---|---|
| Single-thread throughput | 2,747 tags/sec | 475 tags/sec |
| Single-thread latency | 363 µs | 2,104 µs |
| 10-core throughput | 15,760 tags/sec | 2,635 tags/sec |

A typical OpenRTB bid cycle takes 100–300 ms; validation adds less than 2.1% of that budget even on the heaviest tags. An SSAI pipeline doing 1,000 stitches/sec spends more time on DNS than on validating the VAST response.

No async runtime, no regex engine, no schema interpreter. Rules are compiled Rust functions. Three dependencies: `quick-xml`, `url`, and `phf` (compile-time hash maps).

## Install

```
cargo install vastlint
```

CLI crate on crates.io: [crates.io/crates/vastlint](https://crates.io/crates/vastlint)

Or download a pre-built binary from the [releases page](https://github.com/aleksUIX/vastlint/releases).

## Docker

Pull the image from Docker Hub:

```sh
docker pull aleksuix/vastlint
```

**Validate a file:**

```sh
docker run --rm -v "$(pwd)":/data aleksuix/vastlint check /data/tag.xml
```

**Pipe from stdin:**

```sh
cat tag.xml | docker run --rm -i aleksuix/vastlint check -
```

**JSON output:**

```sh
docker run --rm -v "$(pwd)":/data aleksuix/vastlint check /data/tag.xml --format json
```

**Validate a whole directory:**

```sh
docker run --rm -v "$(pwd)/tags":/data aleksuix/vastlint check /data/*.xml
```

The image is built `FROM scratch` - a fully-static musl binary with no OS layer.
Compressed size is under 5 MB. Cold-start to first result is under 10 ms.

## Usage

```
# validate a file
vastlint check tag.xml

# validate multiple files
vastlint check *.xml

# read from stdin
cat tag.xml | vastlint check -

# JSON output (one object per file, newline-delimited)
vastlint check tag.xml --format json

# suppress colours
vastlint check tag.xml --no-color

# exit 0 even on errors (useful in some CI setups)
vastlint check tag.xml --no-fail

# opt in to anonymous usage telemetry (see Telemetry section