A fast security scanner. Completely free. 10+ languages supported.

npx foxguard .

• Sub-second scans on real codebases -- fast enough for pre-commit hooks
• Completely free -- local scans, CI usage, and GitHub PR checks without a paid tier
• 10+ languages supported -- JS/TS, Python, Go, Ruby, Java, PHP, Rust, C#, Swift, Kotlin, C
• Cross-file taint tracking with intraprocedural dataflow and cross-file summaries
• Diff scans -- only new findings since a target branch
• Secrets scanning -- AWS keys, GitHub/GitLab/Slack/Stripe tokens, private keys
• Dependency vulnerability scanning -- OSV-backed SCA for Cargo, npm, pnpm, pip, Poetry, and Pipenv lockfiles
• Post-quantum crypto audit -- CNSA 2.0 migration deadlines on every finding
• Semgrep/OpenGrep-compatible YAML bridge -- load external rule packs via --rules
• Interactive TUI -- triage, baseline, ignore, severity overrides
• Output formats -- terminal, JSON, SARIF, CycloneDX 1.6 CBOM
• GitHub App -- auto-scans PRs, posts inline comments, check runs

npx foxguard .                                      # zero install
curl -fsSL https://foxguard.dev/install.sh | sh     # prebuilt binary (macOS/Linux)
cargo install foxguard                              # from source

Prebuilt installs verify release SHA-256 checksums before using downloaded binaries. Signed GitHub artifact attestations are published for release binaries; see release provenance for manual verification.

GitHub Action:

- uses: 0sec-labs/foxguard/action@v0.8.1
  with:
    path: .
    severity: medium
    fail-on-findings: "true"
    upload-sarif: "true"

The action verifies the downloaded binary against checksums.txt. Provenance verification is available as a separate gh attestation verify policy step.

pre-commit:

repos:
  - repo: https://github.com/0sec-labs/foxguard
    rev: v0.8.1
    hooks:
      - id: foxguard

VS Code: Install extension -- scans on save, inline findings.

Claude Code: claude --plugin-dir ./plugins/claude-code -- see docs.

MCP server: foxguard-mcp exposes scan, diff, secrets, PQC, SARIF/CBOM, rule, explanation, and suppression tools -- see docs.

foxguard .                    # scan everything
foxguard diff main .          # only new findings vs main
foxguard secrets .            # leaked credentials and keys
foxguard sca .                # dependency vulnerabilities from OSV
foxguard pqc .                # post-quantum crypto audit
foxguard tui .                # interactive triage UI
foxguard --format sarif . > results.sarif   # SARIF for CI

Scans every pull request automatically. Posts inline comments on new findings and reports check run status. Zero config -- install and it works.

foxguard pqc .

src/tls/client.go
  42:14  HIGH  go/pq-vulnerable-crypto (CWE-327)
         ECDH P-256 is not post-quantum safe.
         CNSA 2.0 deadline: traditional networking equipment, 2030.

Each finding carries its CNSA 2.0 migration deadline. Covers Python, JS/TS, Go, Java, Rust, and TLS config files. Export as CycloneDX 1.6 CBOM with --format cbom.

foxguard sca .
foxguard --sca . --format json
foxguard sca . --sca-offline --sca-db ./osv-advisories.json

SCA supports Cargo.lock, package-lock.json, pnpm-lock.yaml, requirements.txt, poetry.lock, and Pipfile.lock. Offline mode uses --sca-db or an existing --sca-cache; without either, OSV lookup is skipped and normal/PQ manifest rules still run. See docs/dependency-scanning.md.

foxguard auto-discovers .foxguard.yml from the scan path upward.

scan:
  baseline: .foxguard/baseline.json
  disable_rules: [py/no-eval]
  severity_overrides:
    py/no-hardcoded-secret: medium

secrets:
  exclude_paths: [fixtures, testdata]

Suppress an accepted finding inline with // foxguard: ignore[rule-id].

Reproduce: ./benchmarks/run.sh. See benchmarks/README.md.

Adding a rule is one struct implementing a trait. See CONTRIBUTING.md.

MIT OR Apache-2.0 -- 0sec Labs