Fast local security scanner written in Rust.
58 built-in rules for JS/TS, Python, and Go. Secrets scanning. Baselines. Semgrep-compatible YAML. Single binary. No network calls.
Rust-native engine with tree-sitter parsing. No JVM startup, no Python interpreter, no network round-trips.
Benchmark: foxguard built-in rules vs. Semgrep auto. Run ./benchmarks/run.sh locally to reproduce.
Framework-aware rules that understand Express sessions, Django CSRF, Gin proxies, JWT flows, and more:
  JavaScript/TypeScript (Express, JWT): session secrets, cookie flags, JWT hardening, reflected response writes.
  Python (Django, Flask): secret keys, debug mode, CSRF protection, session cookie flags.
  Go (Gin, net/http): trusted proxies, missing timeouts, SSRF, TLS verification bypass.
No JVM, no Python runtime, no network calls. Rust-native and fast enough for pre-commit hooks.
Run foxguard init to install a repo-local hook and get a starter .foxguard.yml.
Load a useful Semgrep-compatible YAML subset on top of built-ins when you need it.
Accept existing findings once and focus only on new ones with a baseline file.
Detect leaked credentials and private keys with redacted output and binary-safe handling.
Terminal output locally, JSON and SARIF for automation and GitHub Code Scanning.
Load Semgrep-compatible YAML on top of built-ins with --rules. Supports the structural matching subset most teams actually use.
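As an added example (not a rule shipped with foxguard), a rule file in the Semgrep YAML format that uses only plain patterns, pattern-either and metavariables, which I assume fall inside the structural subset foxguard loads; it narrows the built-in reflected-response-write check to Express handlers that echo req.query or req.params straight into the response:

```yaml
# custom-rules.yml (constructed example; rule id and message are my own)
rules:
  - id: custom/express-reflect-request-input
    languages: [javascript, typescript]
    severity: WARNING
    message: >-
      Request input is written directly into the response body without
      encoding, which can enable reflected XSS (CWE-79). HTML-encode the
      value or render it through a template engine with auto-escaping.
    metadata:
      cwe: "CWE-79"
    # $RES and $PARAM are metavariables; each alternative is a structural
    # match, so spacing and quoting differences in the source do not matter.
    pattern-either:
      - pattern: $RES.send(req.query.$PARAM)
      - pattern: $RES.send(req.params.$PARAM)
      - pattern: $RES.write(req.query.$PARAM)
      - pattern: $RES.write(req.params.$PARAM)
```

Assuming --rules takes a file path, foxguard --rules custom-rules.yml . runs this rule alongside the built-ins.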
Quick start:

  npx foxguard .                  # run without installing
  cargo install foxguard          # install the single binary
  foxguard init                   # pre-commit hook + config
  foxguard .                      # scan everything
  foxguard --changed .            # scan only modified files
  foxguard secrets --changed .    # check for leaked credentials

58 built-in rules, each mapped to a CWE identifier.

Rule                                       Severity   CWE
js/no-eval                                 critical   CWE-95
js/no-hardcoded-secret                     high       CWE-798
js/no-sql-injection                        critical   CWE-89
js/no-xss-innerhtml                        high       CWE-79
js/no-command-injection                    critical   CWE-78
js/no-document-write                       high       CWE-79
js/no-open-redirect                        medium     CWE-601
js/no-weak-crypto                          medium     CWE-327
js/no-path-traversal                       high       CWE-22
js/no-ssrf                                 high       CWE-918
js/no-prototype-pollution                  high       CWE-1321
js/no-unsafe-regex                         medium     CWE-1333
js/no-cors-star                            medium     CWE-942
js/express-no-hardcoded-session-secret     high       CWE-798
js/express-cookie-no-secure                medium     CWE-614
js/express-cookie-no-httponly              medium     CWE-1004
js/express-cookie-no-samesite              medium     CWE-352
js/express-session-saveuninitialized-true  medium     CWE-359
js/express-direct-response-write           high       CWE-79
js/jwt-hardcoded-secret                    high       CWE-798
js/jwt-none-algorithm                      high       CWE-347
js/jwt-ignore-expiration                   high       CWE-613
js/jwt-decode-without-verify               high       CWE-347
js/jwt-verify-missing-algorithms           high       CWE-347
py/no-eval                                 critical   CWE-95
py/no-hardcoded-secret                     high       CWE-798
py/no-sql-injection                        critical   CWE-89
py/no-command-injection                    critical   CWE-78
py/no-path-traversal                       high       CWE-22
py/no-ssrf                                 high       CWE-918
py/no-weak-crypto                          medium     CWE-327
py/no-pickle                               high       CWE-502
py/no-yaml-load                            high       CWE-502
py/no-debug-true                           medium     CWE-489
py/no-open-redirect                        medium     CWE-601
py/no-cors-star                            medium     CWE-942
py/flask-debug-mode                        high       CWE-489
py/django-secret-key-hardcoded             high       CWE-798
py/flask-secret-key-hardcoded              high       CWE-798
py/session-cookie-secure-disabled          medium     CWE-614
py/session-cookie-httponly-disabled        medium     CWE-1004
py/session-cookie-samesite-disabled        medium     CWE-352
py/csrf-cookie-secure-disabled             medium     CWE-614
py/csrf-cookie-httponly-disabled           medium     CWE-1004
py/csrf-cookie-samesite-disabled           medium     CWE-352
py/csrf-exempt                             high       CWE-352
py/wtf-csrf-disabled                       high       CWE-352
py/wtf-csrf-check-default-disabled         high       CWE-352
py/django-allowed-hosts-wildcard           medium     CWE-346
py/secure-ssl-redirect-disabled            medium     CWE-319
go/no-sql-injection                        critical   CWE-89
go/no-command-injection                    critical   CWE-78
go/no-hardcoded-secret                     high       CWE-798
go/no-weak-crypto                          medium     CWE-327
go/no-ssrf                                 high       CWE-918
go/insecure-tls-skip-verify                high       CWE-295
go/gin-no-trusted-proxies                  medium     CWE-346
go/net-http-no-timeout                     medium     CWE-400