Foxguard
A blazingly fast security scanner, written in Rust. Batteries included, TUI for triage, secrets, post-quantum audits, diff-aware scans and more ๐ฅ
A fast security scanner. Completely free. 10+ languages supported. The project is written primarily in Rust, distributed under the MIT License license, first published in 2026. Key topics include: cli, code-security, linter, opengrep, pre-commit.
<p align="center"> <img src="assets/demo.gif" alt="foxguard scan demo" width="640" /> </p>shnpx foxguard .
Features
- Sub-second scans on real codebases -- fast enough for pre-commit hooks
- Completely free -- local scans, CI usage, and GitHub PR checks without a paid tier
- 10+ languages supported -- JS/TS, Python, Go, Ruby, Java, PHP, Rust, C#, Swift, Kotlin, C
- Cross-file taint tracking with intraprocedural dataflow and cross-file summaries
- Diff scans -- only new findings since a target branch
- Secrets scanning -- AWS keys, GitHub/GitLab/Slack/Stripe tokens, private keys
- Dependency vulnerability scanning -- OSV-backed SCA for Cargo, npm, pnpm, pip, Poetry, and Pipenv lockfiles
- Post-quantum crypto audit -- CNSA 2.0 migration deadlines on every finding
- Semgrep/OpenGrep-compatible YAML bridge -- load external rule packs via
--rules - Interactive TUI -- triage, baseline, ignore, severity overrides
- Output formats -- terminal, JSON, SARIF, CycloneDX 1.6 CBOM
- GitHub App -- auto-scans PRs, posts inline comments, check runs
Install
shnpx foxguard . # zero install curl -fsSL https://foxguard.dev/install.sh | sh # prebuilt binary (macOS/Linux) cargo install foxguard # from source
Prebuilt installs verify release SHA-256 checksums before using downloaded
binaries. Signed GitHub artifact attestations are published for release binaries;
see release provenance for manual verification.
GitHub Action:
yaml- uses: 0sec-labs/foxguard/action@v0.9.0 with: path: . severity: medium fail-on-findings: "true" upload-sarif: "true"
The action verifies the downloaded binary against checksums.txt. Provenance
verification is available as a separate gh attestation verify policy step.
pre-commit:
yamlrepos: - repo: https://github.com/0sec-labs/foxguard rev: v0.9.0 hooks: - id: foxguard
VS Code: Install extension -- scans on save, inline findings.
Claude Code: claude --plugin-dir ./plugins/claude-code -- see docs.
MCP server: foxguard-mcp exposes scan, diff, secrets, PQC, SARIF/CBOM,
rule, explanation, and suppression tools -- see docs.
Quick start
shfoxguard . # scan everything foxguard diff main . # only new findings vs main foxguard secrets . # leaked credentials and keys foxguard sca . # dependency vulnerabilities from OSV foxguard pqc . # post-quantum crypto audit foxguard tui . # interactive triage UI foxguard --format sarif . > results.sarif # SARIF for CI
GitHub App
Scans every pull request automatically. Posts inline comments on new findings and reports check run status. Zero config -- install and it works.
Supported languages
| Language | Taint tracking | Framework-aware |
|---|---|---|
| JavaScript / TypeScript | Yes | Express, Next.js |
| Python | Yes | Django, Flask, FastAPI |
| Go | Yes | Gin |
| Kotlin | Yes | Spring |
| Java | -- | Spring |
| Ruby | -- | Rails |
| PHP | -- | Laravel |
| Rust | -- | -- |
| C# | -- | .NET |
| Swift | -- | iOS |
| C | -- | via Semgrep YAML / Coccinelle |
Post-quantum crypto audit
shfoxguard pqc .
src/tls/client.go
42:14 HIGH go/pq-vulnerable-crypto (CWE-327)
ECDH P-256 is not post-quantum safe.
CNSA 2.0 deadline: traditional networking equipment, 2030.
Each finding carries its CNSA 2.0 migration deadline. Covers Python, JS/TS, Go, Java, Rust, and TLS config files. Export as CycloneDX 1.6 CBOM with --format cbom.
Dependency vulnerability scanning
shfoxguard sca . foxguard --sca . --format json foxguard sca . --sca-offline --sca-db ./osv-advisories.json
SCA supports Cargo.lock, package-lock.json, pnpm-lock.yaml, requirements.txt, poetry.lock, and Pipfile.lock. Offline mode uses --sca-db or an existing --sca-cache; without either, OSV lookup is skipped and normal/PQ manifest rules still run. See docs/dependency-scanning.md.
Configuration
foxguard auto-discovers .foxguard.yml from the scan path upward.
yamlscan: baseline: .foxguard/baseline.json disable_rules: [py/no-eval] severity_overrides: py/no-hardcoded-secret: medium secrets: exclude_paths: [fixtures, testdata]
Suppress an accepted finding inline with // foxguard: ignore[rule-id].
Benchmarks
| Repo | LoC | foxguard | Semgrep | Speedup |
|---|---|---|---|---|
| express | 15K JS | 0.28s | 6.09s | 22x |
| flask | 14K Py | 0.33s | 6.51s | 20x |
| gin | 18K Go | 0.50s | 4.95s | 10x |
| sentry | 1.3M Py | 35s | 194s | 5x |
Reproduce: ./benchmarks/run.sh. See benchmarks/README.md.
Contributing
Adding a rule is one struct implementing a trait. See CONTRIBUTING.md.
License
MIT OR Apache-2.0 -- 0sec Labs
Contributors
Showing top 4 contributors by commit count.
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?v=4)
Related Repositories
n8n-io/n8n
Fair-code workflow automation platform with native AI capabilities. Combine visual building with custom code, self-host or cloud, 400+ integrations.
ohmyzsh/ohmyzsh
๐ A delightful community-driven (with 2,500+ contributors) framework for managing your zsh configuration. Includes 300+ optional plugins (rails, git, macOS, hub, docker, homebrew, node, php, python, etc), 140+ themes to spice up your morning, and an auto-update tool that makes it easy to keep up with the latest updates from the community.
yt-dlp/yt-dlp
A feature-rich command-line audio/video downloader
google-gemini/gemini-cli
An open-source AI agent that brings the power of Gemini directly into your terminal.
sherlock-project/sherlock
Hunt down social media accounts by username across social networks
junegunn/fzf
:cherry_blossom: A command-line fuzzy finder