Blog

Notes on security scanning and how the rules work.

May 8, 2026
The CNSA 2.0 deadlines we got wrong (and what we did about it)

Compliance tooling that prints dates without citations is just a different kind of vibes. Here is how we noticed our PQ scanner was doing exactly that, and how we fixed it.
May 8, 2026
Dirty Frag is a bug class — here's the foxguard rule pack

We shipped C language support and three structural rules for the Dirty Frag class on the day the advisory landed. They're regex-shaped triage funnels, not proofs — but they catch the calibration sites and they're already in the npm release.
April 21, 2026
foxguard 0.8 — post-quantum crypto audit in your terminal

foxguard v0.8.0 bakes PQ-vulnerable-crypto rules and CNSA 2.0 migration deadlines into the default scan, and emits a CycloneDX 1.6 CBOM where each entry ties back to a source location and severity.
April 17, 2026
Making foxguard taint tracking 2× faster in v0.7.1

foxguard v0.7.1 closes a 3× performance regression across the Go, Python, and JavaScript taint engines. Here is how we diagnosed it and what the fix looks like.
April 16, 2026
Introducing foxguard TUI in v0.7.0

foxguard v0.7.0 adds a full interactive terminal UI for local security triage, with scan/diff/secrets modes, in-app triage actions, and source-to-sink context.
April 12, 2026
Cross-file taint in 0.03 seconds

foxguard 0.6.0 traces taint across file boundaries for Python, JavaScript, and Go. Here is how the two-pass architecture works, and why it is fast.
April 11, 2026
Taint tracking, without the YAML

foxguard ships intraprocedural taint tracking for Python, JavaScript, and Go — built into the scanner, not bolted on as YAML rules. Here is what that gets you and where it stops.
April 8, 2026
Use Semgrep in CI. Use foxguard on save.

Most teams do not have a security-tooling problem. They have a loop problem. Heavy scanners belong in CI. Local scanners need to be fast enough to stay on.
April 7, 2026
How to roll out foxguard without blowing up CI

The fastest way to get developers to hate a security tool is to drop it into CI with no rollout plan. Here is the boring rollout path that actually works.
April 6, 2026
Fast is not enough: how we keep local scans useful

A local security scanner does not win just by being fast. It wins when developers trust the findings enough to keep it enabled.
April 4, 2026
I scanned Express, Flask, Rails, Gin, and Laravel for security issues

What happens when you point a fast security scanner at the most popular web frameworks? 369 findings across 799 files in under a second.