https://github.com/0sec-labs/foxguard

A security scanner as fast as a linter, written in Rust. Batteries included, TUI for triage, secrets, post-quantum audits, diff-aware scans and more 𓃥
https://github.com/0sec-labs/foxguard

cli code-security linter opengrep pre-commit rust sarif sast security semgrep static-analysis tree-sitter vulnerability-scanner

Last synced: 10 days ago
JSON representation

A security scanner as fast as a linter, written in Rust. Batteries included, TUI for triage, secrets, post-quantum audits, diff-aware scans and more 𓃥

• Host: GitHub
• URL: https://github.com/0sec-labs/foxguard
• Owner: 0sec-labs
• License: mit
• Created: 2026-03-30T13:55:48.000Z (2 months ago)
• Default Branch: main
• Last Pushed: 2026-05-23T11:26:28.000Z (20 days ago)
• Last Synced: 2026-05-23T11:29:01.741Z (20 days ago)
• Topics: cli, code-security, linter, opengrep, pre-commit, rust, sarif, sast, security, semgrep, static-analysis, tree-sitter, vulnerability-scanner
• Language: Rust
• Homepage: https://foxguard.dev
• Size: 9.55 MB
• Stars: 255
• Watchers: 1
• Forks: 9
• Open Issues: 9
• Metadata Files:
  • Readme: README.md
  • Contributing: CONTRIBUTING.md
  • License: LICENSE
  • Security: SECURITY.md

Awesome Lists containing this project

• awesome-starred - 0sec-labs/foxguard - A blazingly fast security scanner, written in Rust. Batteries included, TUI for triage, secrets, post-quantum audits, diff-aware scans and more 𓃥 (Rust)

README

          


  



foxguard




  A fast security scanner. Completely free. 10+ languages supported.





  

  

  

  

  



```sh

npx foxguard .

```



  



## Features

- **Sub-second scans** on real codebases -- fast enough for pre-commit hooks

- **Completely free** -- local scans, CI usage, and GitHub PR checks without a paid tier

- **10+ languages supported** -- JS/TS, Python, Go, Ruby, Java, PHP, Rust, C#, Swift, Kotlin, C

- **Cross-file taint tracking** with intraprocedural dataflow and cross-file summaries

- **Diff scans** -- only new findings since a target branch

- **Secrets scanning** -- AWS keys, GitHub/GitLab/Slack/Stripe tokens, private keys

- **Dependency vulnerability scanning** -- OSV-backed SCA for Cargo, npm, pnpm, pip, Poetry, and Pipenv lockfiles

- **Post-quantum crypto audit** -- CNSA 2.0 migration deadlines on every finding

- **Semgrep/OpenGrep-compatible YAML bridge** -- load external rule packs via `--rules`

- **Interactive TUI** -- triage, baseline, ignore, severity overrides

- **Output formats** -- terminal, JSON, SARIF, CycloneDX 1.6 CBOM

- **GitHub App** -- auto-scans PRs, posts inline comments, check runs

## Install

```sh

npx foxguard .                                      # zero install

curl -fsSL https://foxguard.dev/install.sh | sh     # prebuilt binary (macOS/Linux)

cargo install foxguard                              # from source

```

Prebuilt installs verify release SHA-256 checksums before using downloaded

binaries. Signed GitHub artifact attestations are published for release binaries;

see [release provenance](docs/release-provenance.md) for manual verification.

**GitHub Action:**

```yaml

- uses: 0sec-labs/foxguard/action@v0.8.1

  with:

    path: .

    severity: medium

    fail-on-findings: "true"

    upload-sarif: "true"

```

The action verifies the downloaded binary against `checksums.txt`. Provenance

verification is available as a separate `gh attestation verify` policy step.

**pre-commit:**

```yaml

repos:

  - repo: https://github.com/0sec-labs/foxguard

    rev: v0.8.1

    hooks:

      - id: foxguard

```

**VS Code:** [Install extension](https://marketplace.visualstudio.com/items?itemName=peaktwilight.foxguard) -- scans on save, inline findings.

**Claude Code:** `claude --plugin-dir ./plugins/claude-code` -- see [docs](docs/claude-code-integration.md).

**MCP server:** `foxguard-mcp` exposes scan, diff, secrets, PQC, SARIF/CBOM,

rule, explanation, and suppression tools -- see [docs](docs/mcp-server.md).

## Quick start

```sh

foxguard .                    # scan everything

foxguard diff main .          # only new findings vs main

foxguard secrets .            # leaked credentials and keys

foxguard sca .                # dependency vulnerabilities from OSV

foxguard pqc .                # post-quantum crypto audit

foxguard tui .                # interactive triage UI

foxguard --format sarif . > results.sarif   # SARIF for CI

```

## GitHub App

[![Install foxguard on GitHub](https://img.shields.io/badge/Install_on_GitHub-foxguard--app-2ea44f?style=for-the-badge&logo=github)](https://github.com/apps/foxguard-app/installations/new)

Scans every pull request automatically. Posts inline comments on new findings and reports check run status. Zero config -- install and it works.

## Supported languages

| Language | Taint tracking | Framework-aware |

|----------|:-:|:-:|

| JavaScript / TypeScript | Yes | Express, Next.js |

| Python | Yes | Django, Flask, FastAPI |

| Go | Yes | Gin |

| Kotlin | Yes | Spring |

| Java | -- | Spring |

| Ruby | -- | Rails |

| PHP | -- | Laravel |

| Rust | -- | -- |

| C# | -- | .NET |

| Swift | -- | iOS |

| C | -- | via Semgrep YAML / Coccinelle |

## Post-quantum crypto audit

```sh

foxguard pqc .

```

```

src/tls/client.go

  42:14  HIGH  go/pq-vulnerable-crypto (CWE-327)

         ECDH P-256 is not post-quantum safe.

         CNSA 2.0 deadline: traditional networking equipment, 2030.

```

Each finding carries its CNSA 2.0 migration deadline. Covers Python, JS/TS, Go, Java, Rust, and TLS config files. Export as CycloneDX 1.6 CBOM with `--format cbom`.

## Dependency vulnerability scanning

```sh

foxguard sca .

foxguard --sca . --format json

foxguard sca . --sca-offline --sca-db ./osv-advisories.json

```

SCA supports `Cargo.lock`, `package-lock.json`, `pnpm-lock.yaml`, `requirements.txt`, `poetry.lock`, and `Pipfile.lock`. Offline mode uses `--sca-db` or an existing `--sca-cache`; without either, OSV lookup is skipped and normal/PQ manifest rules still run. See [docs/dependency-scanning.md](docs/dependency-scanning.md).

## Configuration

foxguard auto-discovers `.foxguard.yml` from the scan path upward.

```yaml

scan:

  baseline: .foxguard/baseline.json

  disable_rules: [py/no-eval]

  severity_overrides:

    py/no-hardcoded-secret: medium

secrets:

  exclude_paths: [fixtures, testdata]

```

Suppress an accepted finding inline with `// foxguard: ignore[rule-id]`.

## Benchmarks

| Repo | LoC | foxguard | Semgrep | Speedup |

|------|-----|----------|---------|---------|

| express | 15K JS | 0.28s | 6.09s | **22x** |

| flask | 14K Py | 0.33s | 6.51s | **20x** |

| gin | 18K Go | 0.50s | 4.95s | **10x** |

| sentry | 1.3M Py | 35s | 194s | **5x** |

Reproduce: `./benchmarks/run.sh`. See [`benchmarks/README.md`](./benchmarks/README.md).

## Contributing

Adding a rule is one struct implementing a trait. See [`CONTRIBUTING.md`](./CONTRIBUTING.md).

## License

MIT OR Apache-2.0 -- [0sec Labs](https://0sec.ai)