Fast local security guard.
Rust-native. 58 built-in code rules. Secrets mode with excludes. Repo config. Semgrep-compatible. Single binary. Hook-friendly.
Use the native rules for local feedback, then layer compatible YAML on top when you need alignment with an existing rule corpus.
Load focused Semgrep/OpenGrep rules with path filters, regex clauses, and structural matching without pretending to replace the full ecosystem.
Current local default-mode snapshot: foxguard built-ins vs Semgrep auto, with OpenGrep omitted here because it is not installed in this environment.
For same-rules engine comparisons, use BENCH_MODE=compat.
Run ./benchmarks/run.sh locally to refresh this snapshot. Missing competitor binaries show up as N/A instead of stale numbers.
Compare foxguard built-ins against Semgrep or OpenGrep auto rules to measure the tools the way users actually run them by default.
Run the same Semgrep-compatible YAML rules across foxguard, Semgrep, and OpenGrep with --no-builtins --rules for a narrower compatibility check.
Session secret handling, cookie flags, reflected response writes, and JWT hardening checks for common Node auth flows.
Secret key checks, debug mode, session cookie flags, CSRF cookie flags, and csrf_exempt coverage for common Python web apps.
Trusted proxy config, missing timeouts, outbound request misuse, and TLS verification bypass coverage for Go services.
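As an added illustration of the Python web-app checks described above (example code written for this page, not foxguard's own implementation), the script below statically audits a Django settings module for the same class of misconfigurations: debug mode, a hardcoded secret key, session and CSRF cookie flags, a wildcard in ALLOWED_HOSTS, and a disabled SSL redirect. The setting names are real Django settings; the two settings sources are constructed samples, and the mapping from each check to a rule id from this page is this example's assumption about what the rule name suggests, not a description of how foxguard implements that rule.

```python
"""Added example: a minimal static audit of a Django settings.py for the
misconfigurations the py/ rules on this page target. Illustrative code only,
not foxguard's implementation; rule ids are borrowed as finding labels."""
import ast

# Sentinel for values that are not literals (e.g. os.environ["..."]), which a
# static check should leave alone rather than guess about.
_NON_LITERAL = object()

# Boolean settings and the value they should have in production. The rule id
# used as the label is this example's assumption about the page's rule names.
FLAG_RULES = {
    "DEBUG": (False, "py/no-debug-true"),
    "SESSION_COOKIE_SECURE": (True, "py/session-cookie-secure-disabled"),
    "SESSION_COOKIE_HTTPONLY": (True, "py/session-cookie-httponly-disabled"),
    "CSRF_COOKIE_SECURE": (True, "py/csrf-cookie-secure-disabled"),
    "CSRF_COOKIE_HTTPONLY": (True, "py/csrf-cookie-httponly-disabled"),
    "SECURE_SSL_REDIRECT": (True, "py/secure-ssl-redirect-disabled"),
}

# SameSite settings: Django accepts "Lax", "Strict", "None" or None; only the
# first two keep the cookie off cross-site requests.
SAMESITE_RULES = {
    "SESSION_COOKIE_SAMESITE": "py/session-cookie-samesite-disabled",
    "CSRF_COOKIE_SAMESITE": "py/csrf-cookie-samesite-disabled",
}


def _literal_value(node: ast.AST):
    """Evaluate a literal expression node; return _NON_LITERAL for anything else."""
    try:
        return ast.literal_eval(node)
    except ValueError:
        return _NON_LITERAL


def audit_django_settings(source: str) -> list[tuple[str, int]]:
    """Return (rule_id, line_number) findings for module-level assignments in source."""
    findings = []
    for node in ast.parse(source).body:
        # Only plain `NAME = value` statements at module level are considered.
        if not (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            continue
        name, line = node.targets[0].id, node.lineno
        value = _literal_value(node.value)
        if value is _NON_LITERAL:
            continue  # e.g. SECRET_KEY = os.environ["DJANGO_SECRET_KEY"]: not hardcoded
        if name == "SECRET_KEY" and isinstance(value, str):
            findings.append(("py/django-secret-key-hardcoded", line))
        elif name == "ALLOWED_HOSTS" and isinstance(value, list) and "*" in value:
            findings.append(("py/django-allowed-hosts-wildcard", line))
        elif name in FLAG_RULES and value != FLAG_RULES[name][0]:
            findings.append((FLAG_RULES[name][1], line))
        elif name in SAMESITE_RULES and value not in ("Lax", "Strict"):
            findings.append((SAMESITE_RULES[name], line))
    return findings


# Constructed sample inputs (not taken from any real project).
WEAK_SETTINGS_PY = '''
SECRET_KEY = "django-insecure-constructed-example-key"
DEBUG = True
ALLOWED_HOSTS = ["*"]
SESSION_COOKIE_SECURE = False
SESSION_COOKIE_HTTPONLY = False
SESSION_COOKIE_SAMESITE = None
CSRF_COOKIE_SECURE = False
CSRF_COOKIE_HTTPONLY = False
CSRF_COOKIE_SAMESITE = None
SECURE_SSL_REDIRECT = False
'''

HARDENED_SETTINGS_PY = '''
import os
SECRET_KEY = os.environ["DJANGO_SECRET_KEY"]
DEBUG = False
ALLOWED_HOSTS = ["app.example.com"]
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
SESSION_COOKIE_SAMESITE = "Lax"
CSRF_COOKIE_SECURE = True
CSRF_COOKIE_HTTPONLY = True
CSRF_COOKIE_SAMESITE = "Lax"
SECURE_SSL_REDIRECT = True
'''

if __name__ == "__main__":
    for label, src in (("weak", WEAK_SETTINGS_PY), ("hardened", HARDENED_SETTINGS_PY)):
        found = audit_django_settings(src)
        print(f"{label}: {len(found)} finding(s)")
        for rule, line in found:
            print(f"  line {line}: {rule}")
```

Parsing the settings source with ast instead of importing it is what lets the check tell a literal SECRET_KEY apart from one read from the environment without ever executing the settings module, which is the same reason a local scanner can run on a file that is not importable in the current environment.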
The default story is built-ins-first. The compatibility story is bring-your-own YAML when you need to align with existing Semgrep or OpenGrep workflows.
Run ./benchmarks/run.sh locally for current numbers and methodology.
foxguard can load a useful Semgrep-compatible subset today. The default product path is still built-in rules. External YAML is there to help teams adopt foxguard without starting from zero.
If you need the full Semgrep or OpenGrep rule universe, use those tools directly. If you want fast local feedback with a compatibility bridge, that is where foxguard fits.
Local-first security checks for the edit-save-commit loop.
No JVM, no Python runtime, no network calls. Fast enough for edit-save-commit loops, hooks, and scripts.
Install a repo-local hook with foxguard init and get a starter .foxguard.yml for changed-file scans.
Built-ins are the default. Add a useful Semgrep-compatible YAML subset from a file or directory when needed.
Security checks for JS/TS, Python, and Go, including SSRF client variants, path traversal sinks, auth, session, CSRF, transport, and framework-specific rules.
Accept existing findings once and focus on new ones with a baseline file.
Scan for common leaked credentials and private key material with redacted output and binary-safe handling.
Use terminal output locally or JSON and SARIF in automation.
foxguard is best positioned as a local-first complement to those tools, not a full replacement for them.
Get started in seconds.
cargo install foxguard
npx foxguard .
58 rules across 3 languages, each mapped to a CWE identifier
Rule                                        Severity  CWE
js/no-eval                                  critical  CWE-95
js/no-hardcoded-secret                      high      CWE-798
js/no-sql-injection                         critical  CWE-89
js/no-xss-innerhtml                         high      CWE-79
js/no-command-injection                     critical  CWE-78
js/no-document-write                        high      CWE-79
js/no-open-redirect                         medium    CWE-601
js/no-weak-crypto                           medium    CWE-327
js/no-path-traversal                        high      CWE-22
js/no-ssrf                                  high      CWE-918
js/no-prototype-pollution                   high      CWE-1321
js/no-unsafe-regex                          medium    CWE-1333
js/no-cors-star                             medium    CWE-942
js/express-no-hardcoded-session-secret      high      CWE-798
js/express-cookie-no-secure                 medium    CWE-614
js/express-cookie-no-httponly               medium    CWE-1004
js/express-cookie-no-samesite               medium    CWE-352
js/express-session-saveuninitialized-true   medium    CWE-359
js/express-direct-response-write            high      CWE-79
js/jwt-hardcoded-secret                     high      CWE-798
js/jwt-none-algorithm                       high      CWE-347
js/jwt-ignore-expiration                    high      CWE-613
js/jwt-decode-without-verify                high      CWE-347
js/jwt-verify-missing-algorithms            high      CWE-347
py/no-eval                                  critical  CWE-95
py/no-hardcoded-secret                      high      CWE-798
py/no-sql-injection                         critical  CWE-89
py/no-command-injection                     critical  CWE-78
py/no-path-traversal                        high      CWE-22
py/no-ssrf                                  high      CWE-918
py/no-weak-crypto                           medium    CWE-327
py/no-pickle                                high      CWE-502
py/no-yaml-load                             high      CWE-502
py/no-debug-true                            medium    CWE-489
py/no-open-redirect                         medium    CWE-601
py/no-cors-star                             medium    CWE-942
py/flask-debug-mode                         high      CWE-489
py/django-secret-key-hardcoded              high      CWE-798
py/flask-secret-key-hardcoded               high      CWE-798
py/session-cookie-secure-disabled           medium    CWE-614
py/session-cookie-httponly-disabled         medium    CWE-1004
py/session-cookie-samesite-disabled         medium    CWE-352
py/csrf-cookie-secure-disabled              medium    CWE-614
py/csrf-cookie-httponly-disabled            medium    CWE-1004
py/csrf-cookie-samesite-disabled            medium    CWE-352
py/csrf-exempt                              high      CWE-352
py/wtf-csrf-disabled                        high      CWE-352
py/wtf-csrf-check-default-disabled          high      CWE-352
py/django-allowed-hosts-wildcard            medium    CWE-346
py/secure-ssl-redirect-disabled             medium    CWE-319
go/no-sql-injection                         critical  CWE-89
go/no-command-injection                     critical  CWE-78
go/no-hardcoded-secret                      high      CWE-798
go/no-weak-crypto                           medium    CWE-327
go/no-ssrf                                  high      CWE-918
go/insecure-tls-skip-verify                 high      CWE-295
go/gin-no-trusted-proxies                   medium    CWE-346
go/net-http-no-timeout                      medium    CWE-400