https://github.com/PwnKit-Labs/foxguard

A security scanner as fast as a linter, written in Rust. Live in the terminal? It also comes with a TUI triage for secrets, post-quantum audits, diff-scans and more 🦊
https://github.com/PwnKit-Labs/foxguard

cli code-security linter opengrep pre-commit rust sarif sast security semgrep static-analysis tree-sitter vulnerability-scanner

Last synced: 7 days ago
JSON representation

A security scanner as fast as a linter, written in Rust. Live in the terminal? It also comes with a TUI triage for secrets, post-quantum audits, diff-scans and more 🦊

• Host: GitHub
• URL: https://github.com/PwnKit-Labs/foxguard
• Owner: PwnKit-Labs
• License: mit
• Created: 2026-03-30T13:55:48.000Z (about 1 month ago)
• Default Branch: main
• Last Pushed: 2026-05-03T20:26:43.000Z (10 days ago)
• Last Synced: 2026-05-03T22:23:18.363Z (10 days ago)
• Topics: cli, code-security, linter, opengrep, pre-commit, rust, sarif, sast, security, semgrep, static-analysis, tree-sitter, vulnerability-scanner
• Language: Rust
• Homepage: https://foxguard.dev
• Size: 7.34 MB
• Stars: 235
• Watchers: 1
• Forks: 8
• Open Issues: 5
• Metadata Files:
  • Readme: README.md
  • Contributing: CONTRIBUTING.md
  • License: LICENSE
  • Security: SECURITY.md

Awesome Lists containing this project

• awesome-starred - PwnKit-Labs/foxguard - A security scanner as fast as a linter, written in Rust. Live in the terminal? It also comes with a TUI triage for secrets, post-quantum audits, diff-scans and more 🦊 (Rust)

README

          


  



foxguard




  Fast local security scanning in a single Rust binary.

  


  scan · diff · secrets · post-quantum crypto audit · interactive TUI triage

  


  170+ built-in rules across 10 languages · cross-file taint tracking · Semgrep-compatible YAML bridge

  



  foxguard.dev · npm · crates.io





  

  

  

  

  



---



  





  

  
foxguard tui . — interactive triage with scan, diff, secrets, and PQ modes. Launch post.



foxguard is a security scanner you can run on every save. A single Rust binary with 170+ built-in rules across 10 languages, cross-file taint tracking, Semgrep-compatible YAML loading, and four top-level modes — general scan, diff-against-branch, secrets, and post-quantum crypto audit — all reachable from the same CLI or interactive TUI.

It is fast enough for pre-commit hooks and the `--changed` path runs in milliseconds on a real repo. Output formats: terminal, JSON, SARIF (for GitHub Code Scanning), and CycloneDX 1.6 CBOM.

## Quick start

```sh

npx foxguard .                        # scan the repo

npx foxguard pqc .                    # post-quantum crypto audit

npx foxguard --format cbom .          # CycloneDX 1.6 CBOM for compliance

npx foxguard tui .                    # interactive triage (scan, diff, secrets, pqc)

```

Other common flags:

```sh

npx foxguard --changed .              # only modified files

npx foxguard diff main .              # new findings vs target branch

npx foxguard --explain .              # source-to-sink dataflow traces

npx foxguard --github-pr 42 .         # post as PR review comments

npx foxguard secrets .                # leaked credentials and private keys

npx foxguard init                     # install local pre-commit hook

```

## The four modes

| Mode | Command | What it does |

|------|---------|--------------|

| **Scan** | `foxguard .` | General security scan. 170+ built-in rules across JavaScript/TypeScript, Python, Go, Ruby, Java, PHP, Rust, C#, Swift, Kotlin. Framework-aware checks for Express, Next.js, Django, Flask, FastAPI, Rails, Spring, Laravel, Gin, .NET, and iOS. Intraprocedural taint flow with cross-file summaries for Python, JS, Go, Kotlin. |

| **Diff** | `foxguard diff main .` | Only findings that are new since a target branch. Pairs with `--changed` for staged/unstaged files only. |

| **Secrets** | `foxguard secrets .` | AWS keys, GitHub/GitLab/Slack/Stripe tokens, private keys. Redacted output, baseline support. |

| **PQC** | `foxguard pqc .` | Post-quantum crypto audit. PQ-vulnerable-crypto rules for 5 languages plus TLS/config files. Each finding annotated with its CNSA 2.0 migration deadline. FN-DSA (FIPS 206) and HQC awareness. |

All four are reachable from `foxguard tui .` — interactive triage with review, baseline, ignore, severity overrides, confidence filter, and a CNSA 2.0 compliance panel.

## Also in the box

| Area | What you get |

|------|--------------|

| **Outputs** | Terminal, JSON, SARIF (GitHub Code Scanning), CycloneDX 1.6 CBOM (`--format cbom`). Each CBOM component links back to a source location and severity. |

| **Semgrep compatibility** | Loads a Semgrep/OpenGrep YAML subset via `--rules`. Parity-tested in CI against the real `semgrep` CLI. See [`COMPATIBILITY.md`](./COMPATIBILITY.md). |

| **CI integration** | Native GitHub Action (below), SARIF upload, `--github-pr` for PR review comments, exit code on findings. |

| **Config** | `.foxguard.yml` for per-rule enable/disable, severity overrides, entropy and taint-hop thresholds, per-rule options. |

## Post-quantum crypto audit

NSA's CNSA 2.0 suite ([CSI, Sept 2022; FAQ v2.1, Dec 2024](https://media.defense.gov/2022/Sep/07/2003071836/-1/-1/0/CSI_CNSA_2.0_FAQ_.PDF)) mandates exclusive use of ML-KEM and ML-DSA by specific deadlines. Software and firmware signing are the earliest class — exclusive use by 2030 — with traditional networking, operating systems, and web browsers trailing through 2033. Every finding foxguard produces for a PQ-vulnerable algorithm carries the matching deadline in the output.

```sh

foxguard pqc .

```

```

src/tls/client.go

  42:14  HIGH      go/pq-vulnerable-crypto (CWE-327)

         ECDH P-256 is not post-quantum safe. CNSA 2.0 mandates ML-KEM-1024

         for NSS; ML-KEM-768 is the NIST default for commercial use.

         CNSA 2.0 deadline: traditional networking equipment, 2030.

WARNING 1 PQ finding in 18 files (0.04s): 1 high, 0 medium, 0 low

CNSA 2.0 migration: at-risk (1 finding with an NSA transition deadline)

```

As far as we can tell, foxguard is the first OSS source-code scanner that annotates each PQ finding with its CNSA 2.0 migration deadline. Remediation guidance surfaces ML-KEM-1024 / ML-DSA-87 for NSS workloads and ML-KEM-768 / ML-DSA-65 for commercial use, per the CNSA 2.0 algorithm table.

**CBOM export.** `foxguard --format cbom .` produces a CycloneDX 1.6 cryptographic bill of materials. Each component (algorithm, key, protocol) is linked back to the source location that emitted it and the severity of any finding on that site. IBM's [CBOMkit](https://github.com/IBM/cbomkit), [sonar-cryptography](https://github.com/IBM/sonar-cryptography), and [cdxgen](https://github.com/CycloneDX/cdxgen) all ship CBOM output; foxguard's contribution is that the scan and the inventory are one artifact, so `crypto-agility` scoring and CNSA 2.0 annotations travel with the BOM.

**Rule coverage.** PQ-vulnerable-crypto rules ship for Python, JavaScript/TypeScript, Go, Java, and Rust; TLS configuration files (OpenSSL, nginx, Apache) are also scanned for non-PQ cipher suites.

## Install

```sh

npx foxguard .                                           # no install needed

curl -fsSL https://foxguard.dev/install.sh | sh          # prebuilt binary (macOS/Linux)

cargo install foxguard                                   # crates.io

```

**Editors and agents:**

- [VS Code extension](https://marketplace.visualstudio.com/items?itemName=peaktwilight.foxguard) scans on save and shows findings inline.

- [Claude Code plugin](./plugins/claude-code) auto-scans files after Claude writes or edits them, adds `/foxguard:*` scan/triage/PQ/secrets skills, and injects secure-coding defaults into agent sessions.

```sh

claude --plugin-dir ./plugins/claude-code

```

Run `/foxguard:setup` inside Claude Code to verify the scanner is available. See [Claude Code integration](docs/claude-code-integration.md) for local plugin loading, hook behavior, and marketplace status.

## CI integration

```yaml

name: Security

on: [push, pull_request]

jobs:

  foxguard:

    runs-on: ubuntu-latest

    permissions:

      security-events: write

    steps:

      - uses: actions/checkout@v4

      - uses: PwnKit-Labs/foxguard/action@v0.7.1

        with:

          path: .

          severity: medium

          fail-on-findings: "true"

          upload-sarif: "true"

```

Findings land in **Security → Code Scanning**. On any other CI: `npx foxguard@latest --format sarif . > out.sarif`. For Claude Code and other agent/editor hooks, see [docs/claude-code-integration.md](docs/claude-code-integration.md).

**Pre-commit:**

```yaml

repos:

  - repo: https://github.com/PwnKit-Labs/foxguard

    rev: v0.7.1

    hooks:

      - id: foxguard

```

## Benchmarks

Reproducible via `./benchmarks/run.sh`. Numbers below are from a local run on an Apple Silicon laptop with `foxguard 0.6.2`, `semgrep 1.156.0`, `tokei 14.0.0`. LoC is counted by tokei, scoped to the target language only (no vendored HTML/JSON).

| Repo | Files | LoC | foxguard | Semgrep | Speedup |

|------|-------|-----|----------|---------|---------|

| express (framework) | 141 | 15,804 JS | **0.276s** | 6.09s | **22x** |

| flask (framework) | 83 | 14,029 Py | **0.333s** | 6.51s | **20x** |

| gin (framework) | 99 | 17,669 Go | **0.499s** | 4.95s | **10x** |

| **sentry (production)** | **8,539** | **1,291,606 Py** | **35.4s** | 194.0s | **5x** |

Sentry is the stress target at ~1.3M Python LoC: foxguard scans the whole tree in ~35 seconds; Semgrep with `--config auto` takes ~3m14s. Run on one machine — reproduce locally with `./benchmarks/run.sh` (add `BENCH_SKIP_LARGE=1` to skip sentry). See [`benchmarks/README.md`](./benchmarks/README.md) for the reproduction recipe.

## Rules

170+ built-in rules across 10 languages, covering SQL injection, XSS, SSRF, command injection, hardcoded secrets, weak crypto, unsafe deserialization, log injection, PQ-vulnerable crypto, crypto-agility, and framework-specific checks. Full per-rule coverage, precision tiers, and false-positive methodology live in [docs/precision.md](docs/precision.md) and on the [rules page at foxguard.dev](https://foxguard.dev/rules).

## Configuration

foxguard auto-discovers `.foxguard.yml` from the scan path upward.

```yaml

scan:

  baseline: .foxguard/baseline.json

  rules: ./semgrep-rules

  enable_rules: [py/no-sql-injection, py/no-xss]   # optional allowlist

  disable_rules: [py/no-eval]                      # optional denylist

  severity_overrides:

    py/no-hardcoded-secret: medium

secrets:

  baseline: .foxguard/secrets-baseline.json

  exclude_paths: [fixtures, testdata]

```

Inline suppressions work with `// foxguard: ignore[rule-id]` or `# foxguard: ignore` on the target line. Full configuration reference, rule options, and threshold tuning are documented at [foxguard.dev/docs](https://foxguard.dev/docs).

## What it is not

foxguard is not a full Semgrep or OpenGrep drop-in replacement. The intended model: foxguard built-ins for fast local feedback, a Semgrep/OpenGrep-compatible YAML subset as an adoption bridge, and Semgrep/OpenGrep themselves when you need the broadest external rule ecosystem. That boundary keeps local scans fast and compatibility claims testable.

## Contributing

Adding a rule is one struct implementing a trait. See [`CONTRIBUTING.md`](./CONTRIBUTING.md).

## Part of PwnKit Labs

**Open-source adversarial security for the agentic AI era.** foxguard is one piece of the stack:

- **[pwnkit](https://github.com/PwnKit-Labs/pwnkit)** — AI agent pentester (detect)

- **[foxguard](https://github.com/PwnKit-Labs/foxguard)** — Rust security scanner (prevent)

- **[opensoar](https://github.com/opensoar-hq/opensoar-core)** — Python-native SOAR platform (respond)

## License

MIT