MCPcopy Index your code
hub / github.com/0sec-labs/foxguard

github.com/0sec-labs/foxguard @v0.10.0

Chat with this repo
repository ↗ · DeepWiki ↗ · release v0.10.0 ↗ · + Follow
4,191 symbols 11,811 edges 230 files 709 documented · 17%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

foxguard

foxguard

Fast local security scanning for code, secrets, dependencies, and crypto risk.

CI foxguard: clean crates.io npm Install GitHub App

npx foxguard .

foxguard scan demo

Why

  • 200+ built-in rules across 12 source languages, plus config and manifest checks
  • Fast local and CI scans, with diff mode for “what did this branch add?”
  • Secrets scanning, OSV-backed dependency scanning, and post-quantum crypto audit
  • Semgrep/OpenGrep-compatible YAML bridge for existing rule packs
  • Terminal, JSON, SARIF, and CycloneDX 1.6 CBOM output

Install

npx foxguard .                                      # zero install
curl -fsSL https://foxguard.dev/install.sh | sh     # prebuilt binary (macOS/Linux)
cargo install foxguard                              # from source

Prebuilt installs verify release binaries against checksums.txt. Release binaries also publish GitHub artifact attestations; use gh attestation verify for manual verification, or see release provenance.

GitHub Action:

- uses: 0sec-labs/foxguard/action@v0.10.0
  with:
    path: .
    severity: medium
    fail-on-findings: "true"
    upload-sarif: "true"

pre-commit:

repos:
  - repo: https://github.com/0sec-labs/foxguard
    rev: v0.10.0
    hooks:
      - id: foxguard

Integrations: GitHub App, VS Code, Claude Code plugin, and MCP server.

Quick Start

foxguard .                              # scan everything
foxguard diff main .                    # only new findings vs main
foxguard secrets .                      # leaked credentials and keys
foxguard sca .                          # dependency vulnerabilities from OSV
foxguard pqc .                          # post-quantum crypto audit
foxguard --format sarif . > results.sarif

Language Coverage

Language Built-in rules Taint tracking Framework-aware rules
JavaScript / TypeScript Yes Yes Express, Next.js
Python Yes Yes Django, Flask, FastAPI
Go Yes Yes Gin
Kotlin Yes Yes Spring
Java Yes Yes Spring
Ruby Yes -- Rails
PHP Yes -- Laravel
Rust Yes -- --
C# Yes -- .NET
Swift Yes -- iOS
Haskell Yes -- Cardano seed rules

Config, manifest, and external-rule scans cover Dockerfile, Nginx, Apache, HAProxy, HCL/Terraform, YAML/JSON/XML/HTML, C via Semgrep YAML/Coccinelle, and more.

Security Modes

foxguard sca .
foxguard pqc .
foxguard --rules ./semgrep-rules .

SCA supports Cargo.lock, package-lock.json, pnpm-lock.yaml, requirements.txt, poetry.lock, and Pipfile.lock. PQC findings carry CNSA 2.0 migration deadlines and can export CycloneDX 1.6 CBOMs.

Configuration

foxguard auto-discovers .foxguard.yml from the scan path upward.

scan:
  baseline: .foxguard/baseline.json
  disable_rules: [py/no-eval]

secrets:
  exclude_paths: [fixtures, testdata]

Suppress an accepted finding inline with // foxguard: ignore[rule-id].

Benchmarks

Repo LoC foxguard Semgrep Speedup
express 15K JS 0.28s 6.09s 22x
flask 14K Py 0.33s 6.51s 20x
gin 18K Go 0.50s 4.95s 10x
sentry 1.3M Py 35s 194s 5x

Reproduce with ./benchmarks/run.sh; results vary by machine. See benchmarks/README.md.

Contributing

See CONTRIBUTING.md for rule authoring, tests, and development setup.

License

MIT OR Apache-2.0 -- 0sec Labs

Extension points exported contracts — how you extend this code

Rule (Interface)
A security rule that checks parsed source code for vulnerabilities. [8 implementers]
src/rules/mod.rs
Finding (Interface)
Mirrors the JSON output of `foxguard --format json`.
vscode-extension/src/extension.ts
ToolResult (Interface)
(no doc)
www/src/data/benchmarks.ts
RenderRequest (Interface)
(no doc)
tests/fixtures/vulnerable_typescript.ts
TaintLanguageAdapter (Interface)
Trait implemented by each language-specific taint engine. Generic over `CF`, the language-specific cross-file info type [5 …
src/rules/taint_engine.rs
ReportEnvelope (Interface)
Versioned envelope emitted by the CLI JSON reporter (v1.0.0+).
vscode-extension/src/extension.ts
BenchmarkRow (Interface)
(no doc)
www/src/data/benchmarks.ts
CoalesceExt (Interface)
(no doc) [1 implementers]
src/rules/generic_mode.rs

Core symbols most depended-on inside this repo

get
called by 325
src/rules/common.rs
is_empty
called by 289
src/engine/scanner.rs
as_str
called by 258
src/rules/semgrep_compat.rs
parse_file
called by 187
src/engine/parser.rs
node_text
called by 178
src/rules/taint_engine.rs
insert
called by 150
src/rules/common.rs
scan_json_findings_from_slice
called by 101
tests/integration.rs
compiled
called by 90
src/rules/semgrep_taint.rs

Shape

Function 3,193
Class 500
Method 389
Enum 59
Interface 28
Route 21
Struct 1

Languages

Rust84%
Python7%
TypeScript3%
C2%
Go1%
Java1%

Modules by API surface

src/rules/semgrep_taint.rs241 symbols
src/rules/semgrep_compat.rs193 symbols
tests/integration.rs167 symbols
src/rules/python_taint.rs112 symbols
src/rules/javascript_taint.rs105 symbols
src/config.rs83 symbols
src/rules/generic_mode.rs79 symbols
src/deps.rs78 symbols
src/rules/kotlin.rs76 symbols
src/tui/tests.rs75 symbols
src/engine/scanner.rs74 symbols
src/rules/go.rs72 symbols

For agents

$ claude mcp add foxguard \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact