Fast local security scanning in a single Rust binary.
scan · diff · secrets · post-quantum crypto audit · interactive TUI triage
170+ built-in rules across 10 languages · cross-file taint tracking · Semgrep-compatible YAML bridge
foxguard.dev · npm · crates.io
foxguard tui . — interactive triage with scan, diff, secrets, and PQ modes. Launch post.
foxguard is a security scanner you can run on every save. A single Rust binary with 170+ built-in rules across 10 languages, cross-file taint tracking, Semgrep-compatible YAML loading, and four top-level modes — general scan, diff-against-branch, secrets, and post-quantum crypto audit — all reachable from the same CLI or interactive TUI.
It is fast enough for pre-commit hooks and the --changed path runs in milliseconds on a real repo. Output formats: terminal, JSON, SARIF (for GitHub Code Scanning), and CycloneDX 1.6 CBOM.
npx foxguard . # scan the repo
npx foxguard pqc . # post-quantum crypto audit
npx foxguard --format cbom . # CycloneDX 1.6 CBOM for compliance
npx foxguard tui . # interactive triage (scan, diff, secrets, pqc)Other common flags:
npx foxguard --changed . # only modified files
npx foxguard diff main . # new findings vs target branch
npx foxguard --explain . # source-to-sink dataflow traces
npx foxguard --github-pr 42 . # post as PR review comments
npx foxguard secrets . # leaked credentials and private keys
npx foxguard init # install local pre-commit hook| Mode | Command | What it does |
|---|---|---|
| Scan | foxguard . |
General security scan. 170+ built-in rules across JavaScript/TypeScript, Python, Go, Ruby, Java, PHP, Rust, C#, Swift, Kotlin. Framework-aware checks for Express, Next.js, Django, Flask, FastAPI, Rails, Spring, Laravel, Gin, .NET, and iOS. Intraprocedural taint flow with cross-file summaries for Python, JS, Go, Kotlin. |
| Diff | foxguard diff main . |
Only findings that are new since a target branch. Pairs with --changed for staged/unstaged files only. |
| Secrets | foxguard secrets . |
AWS keys, GitHub/GitLab/Slack/Stripe tokens, private keys. Redacted output, baseline support. |
| PQC | foxguard pqc . |
Post-quantum crypto audit. PQ-vulnerable-crypto rules for 5 languages plus TLS/config files. Each finding annotated with its CNSA 2.0 migration deadline. FN-DSA (FIPS 206) and HQC awareness. |
All four are reachable from foxguard tui . — interactive triage with review, baseline, ignore, severity overrides, confidence filter, and a CNSA 2.0 compliance panel.
| Area | What you get |
|---|---|
| Outputs | Terminal, JSON, SARIF (GitHub Code Scanning), CycloneDX 1.6 CBOM (--format cbom). Each CBOM component links back to a source location and severity. |
| Semgrep compatibility | Loads a Semgrep/OpenGrep YAML subset via --rules. Parity-tested in CI against the real semgrep CLI. See COMPATIBILITY.md. |
| CI integration | Native GitHub Action (below), SARIF upload, --github-pr for PR review comments, exit code on findings. |
| Config | .foxguard.yml for per-rule enable/disable, severity overrides, entropy and taint-hop thresholds, per-rule options. |
NSA's CNSA 2.0 suite (CSI, Sept 2022; FAQ v2.1, Dec 2024) mandates exclusive use of ML-KEM and ML-DSA by specific deadlines. Software and firmware signing are the earliest class — exclusive use by 2030 — with traditional networking, operating systems, and web browsers trailing through 2033. Every finding foxguard produces for a PQ-vulnerable algorithm carries the matching deadline in the output.
foxguard pqc .src/tls/client.go
42:14 HIGH go/pq-vulnerable-crypto (CWE-327)
ECDH P-256 is not post-quantum safe. CNSA 2.0 mandates ML-KEM-1024
for NSS; ML-KEM-768 is the NIST default for commercial use.
CNSA 2.0 deadline: traditional networking equipment, 2030.
WARNING 1 PQ finding in 18 files (0.04s): 1 high, 0 medium, 0 low
CNSA 2.0 migration: at-risk (1 finding with an NSA transition deadline)
As far as we can tell, foxguard is the first OSS source-code scanner that annotates each PQ finding with its CNSA 2.0 migration deadline. Remediation guidance surfaces ML-KEM-1024 / ML-DSA-87 for NSS workloads and ML-KEM-768 / ML-DSA-65 for commercial use, per the CNSA 2.0 algorithm table.
CBOM export. foxguard --format cbom . produces a CycloneDX 1.6 cryptographic bill of materials. Each component (algorithm, key, protocol) is linked back to the source location that emitted it and the severity of any finding on that site. IBM's CBOMkit, sonar-cryptography, and cdxgen all ship CBOM output; foxguard's contribution is that the scan and the inventory are one artifact, so crypto-agility scoring and CNSA 2.0 annotations travel with the BOM.
Rule coverage. PQ-vulnerable-crypto rules ship for Python, JavaScript/TypeScript, Go, Java, and Rust; TLS configuration files (OpenSSL, nginx, Apache) are also scanned for non-PQ cipher suites.
npx foxguard . # no install needed
curl -fsSL https://foxguard.dev/install.sh | sh # prebuilt binary (macOS/Linux)
cargo install foxguard # crates.ioEditor: VS Code extension scans on save and shows findings inline.
name: Security
on: [push, pull_request]
jobs:
foxguard:
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- uses: actions/checkout@v4
- uses: PwnKit-Labs/foxguard/[email protected]
with:
path: .
severity: medium
fail-on-findings: "true"
upload-sarif: "true"Findings land in Security → Code Scanning. On any other CI: npx foxguard@latest --format sarif . > out.sarif. For Claude Code and other editor hooks, see docs/claude-code-integration.md.
Pre-commit:
repos:
- repo: https://github.com/PwnKit-Labs/foxguard
rev: v0.7.1
hooks:
- id: foxguardReproducible via ./benchmarks/run.sh. Numbers below are from a local run on an Apple Silicon laptop with foxguard 0.6.2, semgrep 1.156.0, tokei 14.0.0. LoC is counted by tokei, scoped to the target language only (no vendored HTML/JSON).
| Repo | Files | LoC | foxguard | Semgrep | Speedup |
|---|---|---|---|---|---|
| express (framework) | 141 | 15,804 JS | 0.276s | 6.09s | 22x |
| flask (framework) | 83 | 14,029 Py | 0.333s | 6.51s | 20x |
| gin (framework) | 99 | 17,669 Go | 0.499s | 4.95s | 10x |
| sentry (production) | 8,539 | 1,291,606 Py | 35.4s | 194.0s | 5x |
Sentry is the stress target at ~1.3M Python LoC: foxguard scans the whole tree in ~35 seconds; Semgrep with --config auto takes ~3m14s. Run on one machine — reproduce locally with ./benchmarks/run.sh (add BENCH_SKIP_LARGE=1 to skip sentry). See benchmarks/README.md for the reproduction recipe.
170+ built-in rules across 10 languages, covering SQL injection, XSS, SSRF, command injection, hardcoded secrets, weak crypto, unsafe deserialization, log injection, PQ-vulnerable crypto, crypto-agility, and framework-specific checks. Full per-rule coverage, precision tiers, and false-positive methodology live in docs/precision.md and on the rules page at foxguard.dev.
foxguard auto-discovers .foxguard.yml from the scan path upward.
scan:
baseline: .foxguard/baseline.json
rules: ./semgrep-rules
enable_rules: [py/no-sql-injection, py/no-xss] # optional allowlist
disable_rules: [py/no-eval] # optional denylist
severity_overrides:
py/no-hardcoded-secret: medium
secrets:
baseline: .foxguard/secrets-baseline.json
exclude_paths: [fixtures, testdata]Inline suppressions work with // foxguard: ignore[rule-id] or # foxguard: ignore on the target line. Full configuration reference, rule options, and threshold tuning are documented at foxguard.dev/docs.
foxguard is not a full Semgrep or OpenGrep drop-in replacement. The intended model: foxguard built-ins for fast local feedback, a Semgrep/OpenGrep-compatible YAML subset as an adoption bridge, and Semgrep/OpenGrep themselves when you need the broadest external rule ecosystem. That boundary keeps local scans fast and compatibility claims testable.
Adding a rule is one struct implementing a trait. See CONTRIBUTING.md.
Open-source adversarial security for the agentic AI era. foxguard is one piece of the stack:
- pwnkit — AI agent pentester (detect)
- foxguard — Rust security scanner (prevent)
- opensoar — Python-native SOAR platform (respond)
MIT