{"id":50108623,"url":"https://github.com/0sec-labs/foxguard","last_synced_at":"2026-06-02T20:00:36.079Z","repository":{"id":348084273,"uuid":"1196232857","full_name":"0sec-labs/foxguard","owner":"0sec-labs","description":"A security scanner as fast as a linter, written in Rust. Batteries included, TUI for triage, secrets, post-quantum audits, diff-aware scans and more 𓃥","archived":false,"fork":false,"pushed_at":"2026-05-23T11:26:28.000Z","size":10012,"stargazers_count":255,"open_issues_count":9,"forks_count":9,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-05-23T11:29:01.741Z","etag":null,"topics":["cli","code-security","linter","opengrep","pre-commit","rust","sarif","sast","security","semgrep","static-analysis","tree-sitter","vulnerability-scanner"],"latest_commit_sha":null,"homepage":"https://foxguard.dev","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0sec-labs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-30T13:55:48.000Z","updated_at":"2026-05-23T11:26:31.000Z","dependencies_parsed_at":"2026-05-15T20:01:08.365Z","dependency_job_id":null,"html_url":"https://github.com/0sec-labs/foxguard","commit_stats":null,"previous_names":["peaktwilight/foxguard","pwnkit-labs/foxguard","0sec-labs/foxguard"],"tags_count":17,"template":false,"template_full_name":null,"purl":"pkg:github/0sec-labs/foxguard","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0sec-labs%2Ffoxguard","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0sec-labs%2Ffoxguard/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0sec-labs%2Ffoxguard/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0sec-labs%2Ffoxguard/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0sec-labs","download_url":"https://codeload.github.com/0sec-labs/foxguard/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0sec-labs%2Ffoxguard/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33834011,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-02T02:00:07.132Z","response_time":109,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cli","code-security","linter","opengrep","pre-commit","rust","sarif","sast","security","semgrep","static-analysis","tree-sitter","vulnerability-scanner"],"created_at":"2026-05-23T12:00:34.996Z","updated_at":"2026-06-02T20:00:36.044Z","avatar_url":"https://github.com/0sec-labs.png","language":"Rust","funding_links":[],"categories":["Rust"],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/logo.png\" width=\"128\" alt=\"foxguard\" /\u003e\n\u003c/p\u003e\n\n\u003ch1 align=\"center\"\u003efoxguard\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cstrong\u003eA fast security scanner. Completely free. 10+ languages supported.\u003c/strong\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/0sec-labs/foxguard/actions/workflows/ci.yml\"\u003e\u003cimg src=\"https://github.com/0sec-labs/foxguard/actions/workflows/ci.yml/badge.svg\" alt=\"CI\" /\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/0sec-labs/foxguard\"\u003e\u003cimg src=\"https://img.shields.io/badge/foxguard-clean-3fb950\" alt=\"foxguard: clean\" /\u003e\u003c/a\u003e\n  \u003ca href=\"https://crates.io/crates/foxguard\"\u003e\u003cimg src=\"https://img.shields.io/crates/v/foxguard?color=d97706\u0026label=crates.io\" alt=\"crates.io\" /\u003e\u003c/a\u003e\n  \u003ca href=\"https://www.npmjs.com/package/foxguard\"\u003e\u003cimg src=\"https://img.shields.io/npm/v/foxguard?color=d97706\u0026label=npm\" alt=\"npm\" /\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/apps/foxguard-app/installations/new\"\u003e\u003cimg src=\"https://img.shields.io/badge/GitHub_App-Install-2ea44f?logo=github\" alt=\"Install GitHub App\" /\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n```sh\nnpx foxguard .\n```\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/demo.gif\" alt=\"foxguard scan demo\" width=\"640\" /\u003e\n\u003c/p\u003e\n\n## Features\n\n- **Sub-second scans** on real codebases -- fast enough for pre-commit hooks\n- **Completely free** -- local scans, CI usage, and GitHub PR checks without a paid tier\n- **10+ languages supported** -- JS/TS, Python, Go, Ruby, Java, PHP, Rust, C#, Swift, Kotlin, C\n- **Cross-file taint tracking** with intraprocedural dataflow and cross-file summaries\n- **Diff scans** -- only new findings since a target branch\n- **Secrets scanning** -- AWS keys, GitHub/GitLab/Slack/Stripe tokens, private keys\n- **Dependency vulnerability scanning** -- OSV-backed SCA for Cargo, npm, pnpm, pip, Poetry, and Pipenv lockfiles\n- **Post-quantum crypto audit** -- CNSA 2.0 migration deadlines on every finding\n- **Semgrep/OpenGrep-compatible YAML bridge** -- load external rule packs via `--rules`\n- **Interactive TUI** -- triage, baseline, ignore, severity overrides\n- **Output formats** -- terminal, JSON, SARIF, CycloneDX 1.6 CBOM\n- **GitHub App** -- auto-scans PRs, posts inline comments, check runs\n\n## Install\n\n```sh\nnpx foxguard .                                      # zero install\ncurl -fsSL https://foxguard.dev/install.sh | sh     # prebuilt binary (macOS/Linux)\ncargo install foxguard                              # from source\n```\n\nPrebuilt installs verify release SHA-256 checksums before using downloaded\nbinaries. Signed GitHub artifact attestations are published for release binaries;\nsee [release provenance](docs/release-provenance.md) for manual verification.\n\n**GitHub Action:**\n\n```yaml\n- uses: 0sec-labs/foxguard/action@v0.8.1\n  with:\n    path: .\n    severity: medium\n    fail-on-findings: \"true\"\n    upload-sarif: \"true\"\n```\n\nThe action verifies the downloaded binary against `checksums.txt`. Provenance\nverification is available as a separate `gh attestation verify` policy step.\n\n**pre-commit:**\n\n```yaml\nrepos:\n  - repo: https://github.com/0sec-labs/foxguard\n    rev: v0.8.1\n    hooks:\n      - id: foxguard\n```\n\n**VS Code:** [Install extension](https://marketplace.visualstudio.com/items?itemName=peaktwilight.foxguard) -- scans on save, inline findings.\n\n**Claude Code:** `claude --plugin-dir ./plugins/claude-code` -- see [docs](docs/claude-code-integration.md).\n\n**MCP server:** `foxguard-mcp` exposes scan, diff, secrets, PQC, SARIF/CBOM,\nrule, explanation, and suppression tools -- see [docs](docs/mcp-server.md).\n\n## Quick start\n\n```sh\nfoxguard .                    # scan everything\nfoxguard diff main .          # only new findings vs main\nfoxguard secrets .            # leaked credentials and keys\nfoxguard sca .                # dependency vulnerabilities from OSV\nfoxguard pqc .                # post-quantum crypto audit\nfoxguard tui .                # interactive triage UI\nfoxguard --format sarif . \u003e results.sarif   # SARIF for CI\n```\n\n## GitHub App\n\n[![Install foxguard on GitHub](https://img.shields.io/badge/Install_on_GitHub-foxguard--app-2ea44f?style=for-the-badge\u0026logo=github)](https://github.com/apps/foxguard-app/installations/new)\n\nScans every pull request automatically. Posts inline comments on new findings and reports check run status. Zero config -- install and it works.\n\n## Supported languages\n\n| Language | Taint tracking | Framework-aware |\n|----------|:-:|:-:|\n| JavaScript / TypeScript | Yes | Express, Next.js |\n| Python | Yes | Django, Flask, FastAPI |\n| Go | Yes | Gin |\n| Kotlin | Yes | Spring |\n| Java | -- | Spring |\n| Ruby | -- | Rails |\n| PHP | -- | Laravel |\n| Rust | -- | -- |\n| C# | -- | .NET |\n| Swift | -- | iOS |\n| C | -- | via Semgrep YAML / Coccinelle |\n\n## Post-quantum crypto audit\n\n```sh\nfoxguard pqc .\n```\n\n```\nsrc/tls/client.go\n  42:14  HIGH  go/pq-vulnerable-crypto (CWE-327)\n         ECDH P-256 is not post-quantum safe.\n         CNSA 2.0 deadline: traditional networking equipment, 2030.\n```\n\nEach finding carries its CNSA 2.0 migration deadline. Covers Python, JS/TS, Go, Java, Rust, and TLS config files. Export as CycloneDX 1.6 CBOM with `--format cbom`.\n\n## Dependency vulnerability scanning\n\n```sh\nfoxguard sca .\nfoxguard --sca . --format json\nfoxguard sca . --sca-offline --sca-db ./osv-advisories.json\n```\n\nSCA supports `Cargo.lock`, `package-lock.json`, `pnpm-lock.yaml`, `requirements.txt`, `poetry.lock`, and `Pipfile.lock`. Offline mode uses `--sca-db` or an existing `--sca-cache`; without either, OSV lookup is skipped and normal/PQ manifest rules still run. See [docs/dependency-scanning.md](docs/dependency-scanning.md).\n\n## Configuration\n\nfoxguard auto-discovers `.foxguard.yml` from the scan path upward.\n\n```yaml\nscan:\n  baseline: .foxguard/baseline.json\n  disable_rules: [py/no-eval]\n  severity_overrides:\n    py/no-hardcoded-secret: medium\n\nsecrets:\n  exclude_paths: [fixtures, testdata]\n```\n\nSuppress an accepted finding inline with `// foxguard: ignore[rule-id]`.\n\n## Benchmarks\n\n| Repo | LoC | foxguard | Semgrep | Speedup |\n|------|-----|----------|---------|---------|\n| express | 15K JS | 0.28s | 6.09s | **22x** |\n| flask | 14K Py | 0.33s | 6.51s | **20x** |\n| gin | 18K Go | 0.50s | 4.95s | **10x** |\n| sentry | 1.3M Py | 35s | 194s | **5x** |\n\nReproduce: `./benchmarks/run.sh`. See [`benchmarks/README.md`](./benchmarks/README.md).\n\n## Contributing\n\nAdding a rule is one struct implementing a trait. See [`CONTRIBUTING.md`](./CONTRIBUTING.md).\n\n## License\n\nMIT OR Apache-2.0 -- [0sec Labs](https://0sec.ai)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0sec-labs%2Ffoxguard","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0sec-labs%2Ffoxguard","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0sec-labs%2Ffoxguard/lists"}