foxguard - Fast security linting for modern codebases

Fast enough for local workflows

Checked-in benchmark suite: express repository, 141 files

foxguard

0.077s

Semgrep

4.902s

edit

foxguard checks (77ms)

fix

commit

Semgrep / OpenGrep: broad rule ecosystems. foxguard: fast local feedback on a Rust engine.

Features

Security linting built for local feedback and existing workflows.

< 60ms

Local-first speed

Fast enough for edit-save-commit loops, hooks, and scripts.

.yaml

Custom rules

Load a useful Semgrep-compatible YAML subset from a file or directory.

36

Built-in coverage

Security checks for JS/TS, Python, and Go, including framework-specific rules.

SARIF

CI-friendly output

Use terminal output locally or JSON and SARIF in automation.

Where It Fits

foxguard is best positioned as a local-first complement, not a claim of full tool replacement.

SEMGREP / OPENGREP

Broad ecosystem coverage

Large existing rule ecosystems

Strong CI and platform fit

Broader language and analysis scope

FOXGUARD

Fast local feedback on a Rust engine

Useful built-in rules out of the box

Terminal, JSON, and SARIF output

Semgrep-compatible YAML subset loading with --rules

Install

Get started in seconds.

Rust / Cargo

cargo install foxguard

npm / npx

npx foxguard .

Rules

36 rules across 3 languages, each mapped to a CWE identifier

JavaScript / TypeScript 16 rules

js/no-eval critical CWE-95 Use of eval() allows arbitrary code execution

js/no-hardcoded-secret high CWE-798 Hardcoded secret or credential detected

js/no-sql-injection critical CWE-89 SQL injection via string concatenation or template literal

js/no-xss-innerhtml high CWE-79 Assignment to innerHTML may lead to XSS

js/no-command-injection critical CWE-78 Command injection via exec/spawn with dynamic input

js/no-document-write high CWE-79 document.write() with dynamic content enables XSS

js/no-open-redirect medium CWE-601 Open redirect via user-controlled URL

js/no-weak-crypto medium CWE-327 Use of weak cryptographic hash (MD5/SHA1)

js/no-path-traversal high CWE-22 Path traversal via unsanitized user input

js/no-prototype-pollution high CWE-1321 Prototype pollution via object merge

js/no-unsafe-regex medium CWE-1333 ReDoS-vulnerable regular expression

js/no-cors-star medium CWE-942 Permissive CORS policy (Access-Control-Allow-Origin: *)

js/express-no-hardcoded-session-secret high CWE-798 Hardcoded session secret in express-session config

js/express-cookie-no-secure medium CWE-614 Cookie config missing secure flag

js/express-cookie-no-httponly medium CWE-1004 Cookie config missing httpOnly flag

js/express-direct-response-write high CWE-79 XSS via res.send/res.write with user input

Python 13 rules

py/no-eval critical CWE-95 Use of eval()/exec() allows arbitrary code execution

py/no-hardcoded-secret high CWE-798 Hardcoded secret or credential detected

py/no-sql-injection critical CWE-89 SQL injection via string formatting

py/no-command-injection critical CWE-78 Command injection via os.system/subprocess

py/no-path-traversal high CWE-22 Path traversal via unsanitized user input

py/no-weak-crypto medium CWE-327 Use of weak cryptographic hash (MD5/SHA1)

py/no-pickle high CWE-502 Deserialization of untrusted data via pickle

py/no-yaml-load high CWE-502 Unsafe yaml.load() without SafeLoader

py/no-debug-true medium CWE-489 DEBUG=True left enabled in production config

py/no-open-redirect medium CWE-601 Open redirect via user-controlled URL

py/no-cors-star medium CWE-942 Permissive CORS policy (CORS_ALLOW_ALL_ORIGINS)

py/flask-debug-mode high CWE-489 Flask app.run(debug=True) exposes debugger in production

py/django-secret-key-hardcoded high CWE-798 Django SECRET_KEY hardcoded in source

Go 7 rules

go/no-sql-injection critical CWE-89 SQL injection via string concatenation or fmt.Sprintf

go/no-command-injection critical CWE-78 Command injection via exec.Command with dynamic input

go/no-hardcoded-secret high CWE-798 Hardcoded secret or credential detected

go/no-weak-crypto medium CWE-327 Use of weak cryptographic hash (MD5/SHA1)

go/no-ssrf high CWE-918 SSRF via http.Get/http.Post with variable URL

go/gin-no-trusted-proxies medium CWE-346 Gin engine without SetTrustedProxies

go/net-http-no-timeout medium CWE-400 http.ListenAndServe without timeout config

Open source. MIT licensed.

Star us on GitHub and help make codebases safer.

Star on GitHub