Fast local security scanning for code, secrets, dependencies, and crypto risk.
```sh
npx foxguard .
```
- 200+ built-in rules across 12 source languages, plus config and manifest checks
- Fast local and CI scans, with diff mode for "what did this branch add?"
- Secrets scanning, OSV-backed dependency scanning, and post-quantum crypto audit
- Semgrep/OpenGrep-compatible YAML bridge for existing rule packs
- Terminal, JSON, SARIF, and CycloneDX 1.6 CBOM output
```sh
npx foxguard .                                      # zero install
curl -fsSL https://foxguard.dev/install.sh | sh     # prebuilt binary (macOS/Linux)
cargo install foxguard                              # from source
```
Prebuilt installs verify release binaries against checksums.txt. Release binaries also publish GitHub artifact attestations; use `gh attestation verify` for manual verification, or see release provenance.
GitHub Action:
```yaml
- uses: 0sec-labs/foxguard/action@v0.10.0
  with:
    path: .
    severity: medium
    fail-on-findings: "true"
    upload-sarif: "true"
```
pre-commit:
```yaml
repos:
  - repo: https://github.com/0sec-labs/foxguard
    rev: v0.10.0
    hooks:
      - id: foxguard
```
Integrations: GitHub App, VS Code, Claude Code plugin, and MCP server.
```sh
foxguard .                                  # scan everything
foxguard diff main .                        # only new findings vs main
foxguard secrets .                          # leaked credentials and keys
foxguard sca .                              # dependency vulnerabilities from OSV
foxguard pqc .                              # post-quantum crypto audit
foxguard --format sarif . > results.sarif
```
| Language | Built-in rules | Taint tracking | Framework-aware rules |
|---|---|---|---|
| JavaScript / TypeScript | Yes | Yes | Express, Next.js |
| Python | Yes | Yes | Django, Flask, FastAPI |
| Go | Yes | Yes | Gin |
| Kotlin | Yes | Yes | Spring |
| Java | Yes | Yes | Spring |
| Ruby | Yes | -- | Rails |
| PHP | Yes | -- | Laravel |
| Rust | Yes | -- | -- |
| C# | Yes | -- | .NET |
| Swift | Yes | -- | iOS |
| Haskell | Yes | -- | Cardano seed rules |
Config, manifest, and external-rule scans cover Dockerfile, Nginx, Apache, HAProxy, HCL/Terraform, YAML/JSON/XML/HTML, C via Semgrep YAML/Coccinelle, and more.
```sh
foxguard sca .
foxguard pqc .
foxguard --rules ./semgrep-rules .
```
SCA supports Cargo.lock, package-lock.json, pnpm-lock.yaml, requirements.txt, poetry.lock, and Pipfile.lock. PQC findings carry CNSA 2.0 migration deadlines and can export CycloneDX 1.6 CBOMs.
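The SARIF output above is what a CI job usually gates on. The script below is an added example, not part of the foxguard project: it reads a SARIF 2.1.0 report (the `runs[].results[].level` / `ruleId` / `locations` fields defined by the SARIF standard, nothing foxguard-specific), counts findings per level, skips paths under an allow-listed prefix in the spirit of `exclude_paths`, and returns a non-zero exit status when anything at or above a chosen level remains. The embedded report is constructed for illustration; `py/no-eval` is the rule id named in the config example, the other two rule ids are made-up placeholders, and the assumption that foxguard maps its severities onto SARIF levels is just that, an assumption.

```python
"""Gate a CI job on a SARIF report such as `foxguard --format sarif .` writes.

Added example, not project code. Relies only on SARIF 2.1.0 fields; the
sample report and the `example/*` rule ids are constructed for illustration.
"""
import json
from collections import Counter

# SARIF 2.1.0 result levels, most to least severe ("none" = unspecified).
LEVEL_RANK = {"error": 3, "warning": 2, "note": 1, "none": 0}

# Constructed sample report (assumption: foxguard emits standard SARIF levels).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "foxguard"}},
        "results": [
            {"ruleId": "py/no-eval", "level": "error",
             "message": {"text": "eval() on untrusted input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/views.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "example/hardcoded-secret", "level": "warning",
             "message": {"text": "possible hard-coded credential"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "testdata/conf.py"},
                 "region": {"startLine": 3}}}]},
            {"ruleId": "example/debug-flag", "level": "note",
             "message": {"text": "debug mode enabled"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "settings.py"},
                 "region": {"startLine": 7}}}]},
        ],
    }],
})


def iter_results(sarif_text):
    """Yield (level, rule_id, uri, line) for every result in every run."""
    doc = json.loads(sarif_text)
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            level = res.get("level", "warning")  # SARIF default when omitted
            uri, line = "<no location>", 0
            locs = res.get("locations") or []
            if locs:
                phys = locs[0].get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", uri)
                line = phys.get("region", {}).get("startLine", 0)
            yield level, res.get("ruleId", "<no rule>"), uri, line


def summarize(sarif_text, fail_level="warning", ignore_prefixes=()):
    """Count findings per level and collect those that should block the build.

    Results whose file path starts with one of `ignore_prefixes` are skipped
    (an allow-list for fixtures and test data, like `exclude_paths`).
    Returns (counts_by_level, blocking_findings).
    """
    threshold = LEVEL_RANK[fail_level]
    counts = Counter()
    blocking = []
    for level, rule_id, uri, line in iter_results(sarif_text):
        if any(uri.startswith(p) for p in ignore_prefixes):
            continue
        counts[level] += 1
        if LEVEL_RANK.get(level, 0) >= threshold:
            blocking.append((rule_id, uri, line))
    return counts, blocking


def main():
    """Print a per-level summary and return 1 if any blocking finding remains."""
    counts, blocking = summarize(SAMPLE_SARIF, fail_level="warning",
                                 ignore_prefixes=("testdata/",))
    for level in ("error", "warning", "note", "none"):
        if counts[level]:
            print(f"{level:8} {counts[level]}")
    for rule_id, uri, line in blocking:
        print(f"BLOCK {rule_id} at {uri}:{line}")
    return 1 if blocking else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Replace `SAMPLE_SARIF` with `open("results.sarif").read()` to run it against a real report; `fail_level="error"` gives a looser gate for a first rollout, and the blocking list is what to print into the job log so the reviewer sees rule id, file, and line without opening the SARIF file.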
foxguard auto-discovers `.foxguard.yml` from the scan path upward.
```yaml
scan:
  baseline: .foxguard/baseline.json
  disable_rules: [py/no-eval]
secrets:
  exclude_paths: [fixtures, testdata]
```
Suppress an accepted finding inline with `// foxguard: ignore[rule-id]`.
| Repo | LoC | foxguard | Semgrep | Speedup |
|---|---|---|---|---|
| express | 15K JS | 0.28s | 6.09s | 22x |
| flask | 14K Py | 0.33s | 6.51s | 20x |
| gin | 18K Go | 0.50s | 4.95s | 10x |
| sentry | 1.3M Py | 35s | 194s | 5x |
Reproduce with ./benchmarks/run.sh; results vary by machine. See benchmarks/README.md.
See CONTRIBUTING.md for rule authoring, tests, and development setup.
MIT OR Apache-2.0 -- 0sec Labs

