Local security feedback you actually keep turned on.
120 built-in rules across 10 languages, plus a focused Semgrep-compatible YAML bridge when teams already have rule investments. Single Rust binary. No JVM. No network calls.
The point is not winning a benchmark chart. The point is keeping security checks inside the edit loop, where developers will actually run them.
foxguard built-in rules vs Semgrep auto. Run ./benchmarks/run.sh locally to reproduce.
Leave it on. Fix while context is still warm.
Not just generic AST patterns. The default ruleset is biased toward real framework mistakes teams actually ship: Express sessions, Django CSRF, Rails mass assignment, Spring XXE, iOS keychain, .NET LDAP, and more.
Session secrets, cookie flags, JWT hardening, reflected response writes.
Secret keys, debug mode, CSRF protection, session cookie flags, and Django host/redirect hardening.
Trusted proxies, missing timeouts, SSRF, TLS verification bypass.
Mass assignment, CSRF bypass, unsafe deserialization, XSS escaping.
SQL injection, XXE, deserialization, CSRF config, CORS policy.
Eval, file inclusion, unserialize, command injection, extract.
Unsafe blocks, transmute, command injection, TLS verification.
SQL injection, deserialization, XXE, LDAP injection, CORS.
Keychain security, transport security, JS injection, TLS.
Single Rust binary. No JVM, no Python runtime, no network calls. Built for local runs and pre-commit hooks.
Run foxguard init to install a repo-local hook and get a starter .foxguard.yml without wiring extra services.
Load a useful Semgrep/OpenGrep-compatible YAML subset on top of built-ins when you need it.
Accept existing findings once and keep the rollout focused on new issues with a baseline file.
Detect leaked credentials and private keys with redacted output and binary-safe handling in the same tool.
Terminal output locally, JSON and SARIF for automation, policy gates, and GitHub Code Scanning.
Load a focused Semgrep/OpenGrep-compatible YAML subset on top of built-ins with --rules. The supported surface is explicit, limited, and parity-tested in CI.
npx foxguard . brew install peaktwilight/tap/foxguard cargo install foxguard foxguard init pre-commit hook + config foxguard . scan everything foxguard --changed . scan only modified files foxguard secrets --changed . check for leaked credentials 120 built-in rules, each mapped to a CWE identifier.
js/no-eval critical CWE-95 js/no-hardcoded-secret high CWE-798 js/no-sql-injection critical CWE-89 js/no-xss-innerhtml high CWE-79 js/no-command-injection critical CWE-78 js/no-document-write high CWE-79 js/no-open-redirect medium CWE-601 js/no-weak-crypto medium CWE-327 js/no-path-traversal high CWE-22 js/no-ssrf high CWE-918 js/no-prototype-pollution high CWE-1321 js/no-unsafe-regex medium CWE-1333 js/no-cors-star medium CWE-942 js/express-no-hardcoded-session-secret high CWE-798 js/express-cookie-no-secure medium CWE-614 js/express-cookie-no-httponly medium CWE-1004 js/express-cookie-no-samesite medium CWE-352 js/express-session-saveuninitialized-true medium CWE-359 js/express-session-resave-true medium CWE-384 js/express-direct-response-write high CWE-79 js/jwt-hardcoded-secret high CWE-798 js/jwt-none-algorithm high CWE-347 js/jwt-ignore-expiration high CWE-613 js/jwt-decode-without-verify high CWE-347 js/jwt-verify-missing-algorithms high CWE-347 js/no-unsafe-format-string medium CWE-134 py/no-eval critical CWE-95 py/no-hardcoded-secret high CWE-798 py/no-sql-injection critical CWE-89 py/no-command-injection critical CWE-78 py/no-path-traversal high CWE-22 py/no-ssrf high CWE-918 py/no-weak-crypto medium CWE-327 py/no-pickle high CWE-502 py/no-yaml-load high CWE-502 py/no-debug-true medium CWE-489 py/no-open-redirect medium CWE-601 py/no-cors-star medium CWE-942 py/flask-debug-mode high CWE-489 py/django-secret-key-hardcoded high CWE-798 py/flask-secret-key-hardcoded high CWE-798 py/session-cookie-secure-disabled medium CWE-614 py/session-cookie-httponly-disabled medium CWE-1004 py/session-cookie-samesite-disabled medium CWE-352 py/csrf-cookie-secure-disabled medium CWE-614 py/csrf-cookie-httponly-disabled medium CWE-1004 py/csrf-cookie-samesite-disabled medium CWE-352 py/csrf-exempt high CWE-352 py/wtf-csrf-disabled high CWE-352 py/wtf-csrf-check-default-disabled high CWE-352 py/django-allowed-hosts-wildcard medium CWE-346 py/secure-ssl-redirect-disabled medium CWE-319 go/no-sql-injection critical CWE-89 go/no-command-injection critical CWE-78 go/no-hardcoded-secret high CWE-798 go/no-weak-crypto medium CWE-327 go/no-ssrf high CWE-918 go/insecure-tls-skip-verify high CWE-295 go/gin-no-trusted-proxies medium CWE-346 go/net-http-no-timeout medium CWE-400 rb/no-eval critical CWE-94 rb/no-command-injection critical CWE-78 rb/no-sql-injection critical CWE-89 rb/no-mass-assignment high CWE-915 rb/no-unsafe-deserialization critical CWE-502 rb/no-open-redirect high CWE-601 rb/no-csrf-skip high CWE-352 rb/no-html-safe high CWE-79 rb/no-hardcoded-secret high CWE-798 rb/no-weak-crypto medium CWE-327 java/no-sql-injection critical CWE-89 java/no-command-injection critical CWE-78 java/no-unsafe-deserialization critical CWE-502 java/no-ssrf high CWE-918 java/no-path-traversal high CWE-22 java/no-weak-crypto medium CWE-327 java/no-hardcoded-secret high CWE-798 java/no-xxe high CWE-611 java/spring-csrf-disabled high CWE-352 java/spring-cors-permissive medium CWE-942 php/no-eval critical CWE-95 php/no-command-injection critical CWE-78 php/no-sql-injection critical CWE-89 php/no-unserialize critical CWE-502 php/no-file-inclusion critical CWE-98 php/no-weak-crypto medium CWE-327 php/no-hardcoded-secret high CWE-798 php/no-ssrf high CWE-918 php/no-extract high CWE-621 php/no-preg-eval critical CWE-95 rs/unsafe-block medium CWE-676 rs/transmute-usage high CWE-843 rs/no-command-injection critical CWE-78 rs/no-sql-injection critical CWE-89 rs/no-weak-hash medium CWE-328 rs/no-hardcoded-secret high CWE-798 rs/tls-verify-disabled high CWE-295 rs/no-ssrf high CWE-918 rs/no-path-traversal high CWE-22 rs/no-unwrap-in-lib medium CWE-248 cs/no-sql-injection critical CWE-89 cs/no-command-injection critical CWE-78 cs/no-unsafe-deserialization critical CWE-502 cs/no-ssrf high CWE-918 cs/no-path-traversal high CWE-22 cs/no-weak-crypto medium CWE-327 cs/no-hardcoded-secret high CWE-798 cs/no-xxe high CWE-611 cs/no-ldap-injection high CWE-90 cs/no-cors-star medium CWE-942 swift/no-hardcoded-secret high CWE-798 swift/no-command-injection critical CWE-78 swift/no-weak-crypto medium CWE-327 swift/no-insecure-transport high CWE-319 swift/no-eval-js critical CWE-95 swift/no-sql-injection critical CWE-89 swift/no-insecure-keychain high CWE-311 swift/no-tls-disabled high CWE-295 swift/no-path-traversal high CWE-22 swift/no-ssrf high CWE-918