diff --git a/Cargo.toml b/Cargo.toml
index f2fc58496c..0d00405ff7 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -87,5 +87,7 @@ lto = true
 [features]
 sqlite-rpmdb-default = []
 fedora-integration = []
+# ASAN+UBSAN
+sanitizers = []
 
 default = []
diff --git a/Makefile-rpm-ostree.am b/Makefile-rpm-ostree.am
index e47a10215b..0c07c0156d 100644
--- a/Makefile-rpm-ostree.am
+++ b/Makefile-rpm-ostree.am
@@ -86,7 +86,7 @@ rpmostree_common_libs = libglnx.la librpmostree-1.la librpmostreecxxrs.la
 
 rpmostree_bin_common_libs = librpmostreeinternals.la $(rpmostree_common_libs)
 librpmostreeinternals_la_CFLAGS = $(AM_CFLAGS) $(rpmostree_common_cflags)
-librpmostreeinternals_la_CXXFLAGS = $(AM_CXXFLAGS) $(rpmostree_common_cflags)
+librpmostreeinternals_la_CXXFLAGS = $(AM_CXXFLAGS) $(SANITIZER_FLAGS) $(rpmostree_common_cflags)
 librpmostreeinternals_la_LIBADD = $(rpmostree_common_libs)
 
 privdatadir=$(pkglibdir)
@@ -101,6 +101,9 @@ endif
 if BUILDOPT_ENABLE_SQLITE_RPMDB_DEFAULT
 cargo_build += --features sqlite-rpmdb-default
 endif
+if BUILDOPT_ASAN
+cargo_build += --features sanitizers
+endif
 
 if RUST_DEBUG
 cargo_target_dir=debug
@@ -136,7 +139,7 @@ endif
 noinst_LTLIBRARIES += librpmostreecxxrs.la
 librpmostreecxxrs_la_SOURCES = rpmostree-cxxrs.h rpmostree-cxxrs.cxx
 # Suppress missing-declarations because https://github.com/dtolnay/cxx/issues/590
-librpmostreecxxrs_la_CXXFLAGS = $(AM_CXXFLAGS) $(rpmostree_common_cflags) -Wno-missing-declarations
+librpmostreecxxrs_la_CXXFLAGS = $(AM_CXXFLAGS) $(SANITIZER_FLAGS) $(rpmostree_common_cflags) -Wno-missing-declarations
 librpmostreecxxrs_la_LIBADD = -lstdc++
 GITIGNOREFILES += $(binding_generated_sources)
 BUILT_SOURCES += $(binding_generated_sources)
diff --git a/build.rs b/build.rs
index 81ef9611fc..ced0c9527b 100644
--- a/build.rs
+++ b/build.rs
@@ -16,6 +16,11 @@ fn detect_fedora_feature() -> Result<()> {
 }
 
 fn main() -> Result<()> {
+    if std::env::var("CARGO_FEATURE_SANITIZERS").is_ok() {
+        // Force these on
+        println!("cargo:rustc-link-lib=ubsan");
+        println!("cargo:rustc-link-lib=asan");
+    }
     let cwd = std::env::current_dir()?;
     let cwd = cwd.to_str().expect("utf8 pwd");
     println!("cargo:rustc-link-search={}/.libs", cwd);
diff --git a/configure.ac b/configure.ac
index c159a77551..e05d753191 100644
--- a/configure.ac
+++ b/configure.ac
@@ -47,14 +47,15 @@ CC_CHECK_FLAGS_APPEND([WARN_CFLAGS], [CFLAGS], [\
 ])])
 AC_SUBST(WARN_CFLAGS)
 
-AC_MSG_CHECKING([for -fsanitize=address in CFLAGS])
-if echo $CFLAGS | grep -q -e -fsanitize=address; then
-AC_MSG_RESULT([yes])
-using_asan=yes
-else
-AC_MSG_RESULT([no])
-fi
-AM_CONDITIONAL(BUILDOPT_ASAN, [test x$using_asan = xyes])
+AC_ARG_ENABLE(sanitizers,
+              AS_HELP_STRING([--enable-sanitizers],
+                             [Enable ASAN and UBSAN (default: no)]),,
+              [enable_sanitizers=no])
+AM_CONDITIONAL(BUILDOPT_ASAN, [test x$enable_sanitizers != xno])
+AM_COND_IF([BUILDOPT_ASAN], [
+  SANITIZER_FLAGS="-fsanitize=address -fsanitize=undefined -fsanitize-undefined-trap-on-error"
+  AC_SUBST([SANITIZER_FLAGS])
+])
 
 # Initialize libtool
 LT_PREREQ([2.2.4])
@@ -164,6 +165,7 @@ echo "
 
     introspection:                           $found_introspection
     rojig:                                   ${enable_rojig:-no}
+    ASAN + UBSAN:                            ${enable_sanitizers:-no}
     gtk-doc:                                 $enable_gtk_doc
     rust:                                    $rust_debug_release
     cbindgen:                                ${cbindgen:-external}
diff --git a/packaging/rpm-ostree.spec.in b/packaging/rpm-ostree.spec.in
index 0ea647bc39..f354764df5 100644
--- a/packaging/rpm-ostree.spec.in
+++ b/packaging/rpm-ostree.spec.in
@@ -22,6 +22,12 @@ BuildRequires: cargo
 BuildRequires: rust
 %endif
 
+# Enable ASAN + UBSAN
+%bcond_with sanitizers
+%if %{with sanitizers}
+%define sanitizer_flag "--enable-sanitizers"
+%endif
+
 # RHEL8 doesn't ship zchunk today.  See also the comments
 # in configure.ac around this as libdnf/librepo need to be in
 # sync, and today we bundle libdnf but not librepo.
@@ -131,7 +137,8 @@ env NOCONFIGURE=1 ./autogen.sh
 # the %%configure macro today assumes (reasonably) that one is building
 # C/C++ and sets C{,XX}FLAGS
 export RUSTFLAGS="%{build_rustflags}"
-%configure --disable-silent-rules --enable-gtk-doc %{?sqlite_rpmdb_default}
+%configure --disable-silent-rules --enable-gtk-doc %{?sqlite_rpmdb_default} %{?sanitizer_flag} 
+
 %make_build
 
 %install