How foxguard compares
How foxguard compares with Semgrep, OpenGrep, CodeQL, Snyk Code, and SonarQube on speed, taint analysis, post-quantum readiness, and price. Figures come from each vendor's docs.
01 Capability matrix
| Capability | foxguard Rust CLI | Semgrep OSS + SaaS | OpenGrep Semgrep fork | CodeQL GitHub | Snyk Code SaaS | SonarQube Server |
|---|---|---|---|---|---|---|
| Free, no account required (full local scan with no login, token, or paid tier) | ✓ | ✓ | ✓ | OSS / public | — | Community ed. |
| Single static binary | ✓ | — | Release binary | CLI bundle | — | — |
| Sub-second local scans (on small-to-medium repos; measured numbers in section 03) | ✓ | — | — | — | — | — |
| Runs fully offline (default scan; no data leaves the machine. SaaS tools upload code or require an account) | ✓ | ✓ | ✓ | ✓ | — | Self-host |
| Intra-file taint / dataflow | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Cross-file taint on the free tier (foxguard: Python, JS, Go. Semgrep needs Pro, SonarQube needs Developer Edition, OpenGrep is per-file today) | ✓ | Paid (Pro) | Per-file | ✓ | ✓ | Paid (Dev+) |
| Autofix / remediation | ✓ | ✓ | ✓ | Copilot | DeepCode AI | AI CodeFix |
| Custom rules (foxguard runs Semgrep-style YAML today; a native DSL is on the roadmap) | Semgrep YAML | YAML DSL | YAML DSL | QL | — | Plugins / XPath |
| Loads Semgrep / OpenGrep YAML (ingests a parity-tested subset of Semgrep/OpenGrep YAML via `--rules`) | ✓ | ✓ | ✓ | — | — | — |
| Secrets detection | ✓ | Paid product | — | GitHub sep. | Limited | ✓ |
| Post-quantum crypto audit (CNSA 2.0 readiness; flags the pre-quantum primitives RSA, ECDSA, ECDH, DH, DSA) | ✓ | — | — | — | — | — |
| CBOM generation (Cryptographic Bill of Materials; lists every crypto primitive in the codebase) | ✓ | — | — | — | — | — |
| SARIF output | ✓ | ✓ | ✓ | ✓ | ✓ | Import |
| IDE extension | VS Code | ✓ | LSP | VS Code | ✓ | SonarLint |
| GitHub PR comments | ✓ | ✓ | CI-based | ✓ | ✓ | ✓ |
| Managed SaaS dashboard | — | ✓ | — | via GitHub | ✓ | SonarCloud |
✓ out of the box · — not available · text = caveat (paid tier / partial / different mechanism). Check each vendor for current details.
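Every tool in the matrix emits SARIF (SonarQube imports it), so one CI gate can consume findings from any of them and the choice of scanner stops being a CI rewrite. The script below is an added example, written for this page and not foxguard's or any vendor's code. The SARIF 2.1.0 document it carries is constructed; the rule ids, file paths and fingerprint values are hypothetical. It respects the scanner's own in-source suppressions (the `suppressions` field SARIF defines for inline suppression), applies SARIF's default severity when a result omits `level`, and fails the job only on findings that are not in an accepted baseline.

```python
"""Gate a CI job on SARIF output.

Added example, not foxguard's or any vendor's code. The SARIF document below
is constructed; the rule ids, paths and fingerprints in it are hypothetical.
"""
import json
import sys

# Constructed SARIF 2.1.0 run: three rules, four results. One result is already
# suppressed in-source, one omits "level" (SARIF then treats it as a warning).
SAMPLE_SARIF = json.loads("""
{"version": "2.1.0", "runs": [{
  "tool": {"driver": {"name": "example-scanner", "rules": [
    {"id": "py.sqli.fstring",      "properties": {"tags": ["CWE-89"]}},
    {"id": "py.crypto.rsa-keygen", "properties": {"tags": ["CWE-327"]}},
    {"id": "py.debug.enabled",     "properties": {"tags": ["CWE-489"]}}]}},
  "results": [
    {"ruleId": "py.sqli.fstring", "level": "error",
     "message": {"text": "request.args reaches cursor.execute()"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"},
                                         "region": {"startLine": 42}}}],
     "partialFingerprints": {"primaryLocationLineHash": "sqli-91ab"}},
    {"ruleId": "py.crypto.rsa-keygen", "level": "error",
     "message": {"text": "RSA key generation is pre-quantum (CNSA 2.0)"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "auth/keys.py"},
                                         "region": {"startLine": 12}}}],
     "partialFingerprints": {"primaryLocationLineHash": "rsa-7f3e"}},
    {"ruleId": "py.debug.enabled",
     "message": {"text": "DEBUG=True in settings"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/settings.py"},
                                         "region": {"startLine": 7}}}]},
    {"ruleId": "py.sqli.fstring", "level": "error",
     "message": {"text": "f-string in cursor.execute()"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/reports.py"},
                                         "region": {"startLine": 88}}}],
     "suppressions": [{"kind": "inSource", "justification": "constant table name"}]}
  ]}]}
""")


def fingerprint(result):
    """Stable identity for a finding across runs: the tool's own line hash when
    it emits one (the primaryLocationLineHash convention GitHub code scanning
    uses), otherwise rule id + file + start line."""
    fp = result.get("partialFingerprints", {})
    if "primaryLocationLineHash" in fp:
        return fp["primaryLocationLineHash"]
    loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
    uri = loc.get("artifactLocation", {}).get("uri", "?")
    line = loc.get("region", {}).get("startLine", 0)
    return f"{result.get('ruleId', '?')}:{uri}:{line}"


def active_results(sarif):
    """Yield results across all runs, skipping those the scanner already marked
    as suppressed (SARIF suppressions of kind inSource or external)."""
    for run in sarif.get("runs", []):
        for r in run.get("results", []):
            kinds = {s.get("kind") for s in r.get("suppressions", [])}
            if kinds & {"inSource", "external"}:
                continue
            yield r


def summarize(sarif):
    """Count active results by severity level."""
    counts = {}
    for r in active_results(sarif):
        level = r.get("level", "warning")  # SARIF default when level is omitted
        counts[level] = counts.get(level, 0) + 1
    return counts


def gate(sarif, fail_on=("error",), baseline=frozenset()):
    """Return (exit_code, blocking_results). A result blocks when its level is
    in fail_on and its fingerprint is not in the accepted baseline, so known
    debt can be tracked without silencing new findings on the same rule."""
    blocking = [r for r in active_results(sarif)
                if r.get("level", "warning") in fail_on
                and fingerprint(r) not in baseline]
    return (1 if blocking else 0), blocking


def main(argv):
    # Usage: python sarif_gate.py [results.sarif] [baseline.txt]
    sarif, baseline = SAMPLE_SARIF, {"rsa-7f3e"}  # demo defaults: one accepted finding
    if len(argv) > 1:
        with open(argv[1]) as f:
            sarif = json.load(f)
    if len(argv) > 2:
        with open(argv[2]) as f:
            baseline = set(f.read().split())
    print("summary:", summarize(sarif))
    code, blocking = gate(sarif, baseline=baseline)
    for r in blocking:
        print(f"BLOCK {fingerprint(r)} {r['ruleId']}: {r['message']['text']}")
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to see the constructed run gated (one blocking SQL injection finding, the RSA finding accepted by baseline, the debug finding below the threshold), or point it at a real `.sarif` file from any of the scanners above plus a baseline file of accepted fingerprints, one per line.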
02 Core attributes
| Attribute | foxguard Rust CLI | Semgrep OSS + SaaS | OpenGrep Semgrep fork | CodeQL GitHub | Snyk Code SaaS | SonarQube Server |
|---|---|---|---|---|---|---|
| Written in | Rust | OCaml + Python | OCaml | Proprietary engine | Proprietary (DeepCode AI) | Java |
| License | MIT OR Apache-2.0 | LGPL-2.1 (engine) | LGPL-2.1 | MIT queries / proprietary CLI | Proprietary | LGPLv3 (Community) + commercial |
| Distribution | Single static binary | Python wheel + runtime | Signed release binaries | CLI bundle + DB build step | CLI + cloud | Server + scanner |
| Install | npx, curl, cargo, brew | pip, brew, Docker | install script | download / GitHub Action | CLI, IDE, SaaS | Docker / self-host |
| Languages (foxguard: 10 programming languages plus config/infra; counts vary by edition and version) | 10 + config | 30+ | 30+ | ~11 | ~10 | ~30 |
| Rule model | 196 built-in (CWE-mapped) + YAML | YAML registry + Pro packs | Semgrep-compatible YAML | QL query packs | Vendor-maintained | Built-in + plugins |
03 Performance
| Metric | foxguard | Semgrep |
|---|---|---|
| Typical scan time (medium repo) | < 1 second | 10-30 seconds |
| Cold start (no cache) | < 1 second | 5-15 seconds |
| Memory usage | ~50 MB | ~500 MB+ |
| Parallel execution | Rayon (work-stealing) | Multiprocess |
Same hardware and rulesets for both columns; reproduce with `./benchmarks/run.sh`.
OpenGrep forks the Semgrep engine, so its numbers track Semgrep's. CodeQL builds a database before it can run a query, and SonarQube runs as a server; both are heavier by design and are not sub-second local tools.
04 Unique to foxguard
None of the other five ship these out of the box:
- ✓ Post-quantum crypto audit (CNSA 2.0)
`foxguard pqc .` flags RSA, ECDSA, ECDH, DH, and DSA against the NSA CNSA 2.0 transition timelines.
- ✓ CBOM generation
`foxguard pqc . --format cbom` inventories every crypto primitive for compliance and supply-chain reports.
- ✓ TUI triage mode
`foxguard tui .` opens an interactive UI to review findings, read dataflow traces, and suppress inline.
- ✓ Sub-second scans from a single binary
One Rust binary that scans in milliseconds. It runs without a runtime, a database build, or a server.
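What the post-quantum audit and the CBOM above reduce to, as an added example that is not foxguard's code: find every crypto call site, inventory the primitives (the CBOM), and report the subset that NSA CNSA 2.0 retires with the algorithm that replaces each role (RSA, ECDSA and DSA signatures move to ML-DSA-87; ECDH, DH and RSA key establishment move to ML-KEM-1024). The call-site regexes are a deliberately small toy and the three sample files are constructed; a real scanner resolves imports and types rather than matching text. The CBOM shape is loosely modelled on CycloneDX 1.6 cryptographic-asset components, with the `occurrences` list and the `cnsa2:quantumVulnerable` property chosen here for illustration.

```python
"""CNSA 2.0 readiness check plus a CBOM over a constructed source tree.

Added example, not foxguard's code. The call-site regexes are hypothetical
and far from exhaustive; the sample files are constructed.
"""
import json
import re
from dataclasses import dataclass

# NSA CNSA 2.0 in one table: the pre-quantum primitives the page lists, the
# role each plays, and the CNSA 2.0 algorithm that replaces that role.
PRE_QUANTUM = {
    "RSA":   ("signature or key transport",
              "ML-DSA-87 (signatures) or ML-KEM-1024 (key establishment)"),
    "ECDSA": ("signature", "ML-DSA-87"),
    "ECDH":  ("key agreement", "ML-KEM-1024"),
    "DH":    ("key agreement", "ML-KEM-1024"),
    "DSA":   ("signature", "ML-DSA-87"),
}

# Hypothetical call-site patterns for a few Python (cryptography, PyCryptodome)
# and Go standard-library APIs. An EC private key serves ECDSA or ECDH; both
# are pre-quantum, so it is labelled ECDSA here. AES-GCM is CNSA 2.0 approved
# (key size not checked): inventoried in the CBOM, not flagged by the audit.
CALL_SITES = [
    ("RSA",     re.compile(r"\brsa\.generate_private_key\(|\brsa\.GenerateKey\(|\bRSA\.generate\(")),
    ("ECDSA",   re.compile(r"\bec\.generate_private_key\(|\becdsa\.GenerateKey\(")),
    ("ECDH",    re.compile(r"\becdh\.P(?:256|384|521)\(")),
    ("DH",      re.compile(r"\bdh\.generate_parameters\(")),
    ("DSA",     re.compile(r"\bdsa\.generate_private_key\(")),
    ("AES-GCM", re.compile(r"\bAESGCM\(")),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    primitive: str


def scan(files):
    """One Finding per (line, primitive) over a {path: source_text} mapping."""
    found = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for primitive, rx in CALL_SITES:
                if rx.search(line):
                    found.append(Finding(path, lineno, primitive))
    return found


def cbom(findings):
    """Inventory every primitive seen, CycloneDX-flavoured (field names illustrative)."""
    components = {}
    for f in findings:
        comp = components.setdefault(f.primitive, {
            "type": "cryptographic-asset",
            "name": f.primitive,
            "cryptoProperties": {"assetType": "algorithm"},
            "properties": [{"name": "cnsa2:quantumVulnerable",
                            "value": str(f.primitive in PRE_QUANTUM).lower()}],
            "occurrences": [],
        })
        comp["occurrences"].append(f"{f.path}:{f.line}")
    return {"bomFormat": "CycloneDX", "specVersion": "1.6",
            "components": sorted(components.values(), key=lambda c: c["name"])}


def pqc_report(findings):
    """Only the findings CNSA 2.0 requires to migrate, with the replacement."""
    return [{"location": f"{f.path}:{f.line}", "primitive": f.primitive,
             "role": PRE_QUANTUM[f.primitive][0],
             "migrate_to": PRE_QUANTUM[f.primitive][1]}
            for f in findings if f.primitive in PRE_QUANTUM]


# Constructed sample tree: two files with pre-quantum key generation, one clean.
SAMPLE = {
    "auth/keys.py": (
        "from cryptography.hazmat.primitives.asymmetric import rsa, ec\n"
        "signing_key = rsa.generate_private_key(public_exponent=65537, key_size=3072)\n"
        "session_key = ec.generate_private_key(ec.SECP384R1())\n"
    ),
    "tls/handshake.go": (
        "priv, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)\n"
        "shared, _ := ecdh.P256().GenerateKey(rand.Reader)\n"
    ),
    "storage/seal.py": (
        "from cryptography.hazmat.primitives.ciphers.aead import AESGCM\n"
        "aead = AESGCM(AESGCM.generate_key(bit_length=256))\n"
    ),
}

if __name__ == "__main__":
    findings = scan(SAMPLE)
    print(json.dumps({"pqc_audit": pqc_report(findings), "cbom": cbom(findings)}, indent=2))
```

Running it prints four audit entries (two ECDSA, one RSA, one ECDH) and a four-component CBOM in which only AES-GCM is marked not quantum-vulnerable; the audit is the CBOM filtered by the CNSA 2.0 table, which is why a tool that emits one can cheaply emit the other.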
05 Pricing & licensing
| Tool | License | Cost model |
|---|---|---|
| foxguard | MIT OR Apache-2.0 | Free, forever. Open source; every engine feature is free, with no accounts or token limits. |
| Semgrep | LGPL-2.1 (OSS engine) | Free OSS + Team from ~$35/contributor/mo. The CLI engine is open source; cross-file taint (Pro), Secrets, and the AppSec Platform are paid. |
| OpenGrep | LGPL-2.1 (community fork) | Free. Vendor-neutral fork of the Semgrep engine (2025); no paid tier or hosted platform. |
| CodeQL | MIT queries / proprietary CLI | Free for OSS; paid for private. Free on public repos and for research; private repos need GitHub Advanced Security. |
| Snyk Code | Proprietary SaaS | Free tier + Team from ~$25/dev/mo. Cloud-based; code is uploaded by default. Limited free tier, paid Team and Enterprise plans. |
| SonarQube | LGPLv3 (Community) + commercial | Community free; Developer/Enterprise priced by lines of code. The self-hosted Community Build is free; cross-file taint and many languages need Developer Edition or above. |
Terms change; figures reflect each vendor's published model, not a quote.
When to pick foxguard
- ✓ You want a fast, free scanner that runs without a login or token limits.
- ✓ You need post-quantum crypto auditing (CNSA 2.0) or a CBOM.
- ✓ You want a single static binary that runs without a runtime or database build.
- ✓ You need cross-file taint for Python, JS, and Go without a paid license.
When another tool might fit better
- → Semgrep / OpenGrep for a native custom-rule DSL, or 30+ languages including Scala and Terraform.
- → CodeQL for GitHub Advanced Security with deep QL queries and in-platform code scanning.
- → Snyk Code / SonarQube for a managed SaaS or server with team dashboards, policy gates, and quality metrics.
Try foxguard on your codebase
Run one command to scan your code for free. No config or signup required.
`npx foxguard .`