Install foxguard
on any GitHub repo

foxguard scans every pull request in seconds and posts any vulnerabilities, secrets, or quantum-weak crypto as comments. Free for open source.

01

Click install

Pick your repos. There's no card and no signup. Private repos work too: the App clones the PR head into an isolated sandbox, scans it, and deletes it.

02

Open a PR

foxguard scans the PR's head ref; most repos finish in under a second. Findings post as one comment, grouped by severity.

03

Fix and merge

Each finding shows file, line, rule, and a fix. Push a change and the scan re-runs. A clean scan posts a clean comment.

What it flags on PRs

It runs the same engine as the local foxguard CLI, with 196 rules, 10 languages, and cross-file taint tracking.

  • Command injection: shelling out with concatenated user input
  • SQL injection: unparameterized queries built with f-strings or concatenation
  • Path traversal: ../ payloads reaching filesystem reads
  • SSRF: outbound fetches that reach private or loopback ranges
  • Hardcoded secrets: API tokens, AWS keys, Stripe keys, private keys
  • Weak crypto: MD5, SHA-1, DES, ECB mode, math/rand used for tokens
  • Deserialization: pickle.load, yaml.load, unserialize on untrusted input
  • PQ-vulnerable crypto: RSA, ECDSA, and ECDH usage, reported against the CNSA 2.0 transition deadlines

How your code is handled

  • Webhooks are verified. Every GitHub delivery's X-Hub-Signature-256 header is HMAC-SHA256 checked against the raw body before any code is fetched. Forged or unsigned events get a 401.
  • Scans run in a sandbox. The PR head ref is shallow-cloned to a temp dir, scanned, then deleted. Hard caps: 60s timeout, 1 GB repo.
  • No third-party services. It's the same Rust binary as npx foxguard. There are no model calls and no uploads; findings go only into the PR comment.
  • Dedicated infra. Single-tenant namespace on a Hetzner Xeon box in HEL1 (EU). Operated by 0sec Labs.
  • Open source. Receiver, scanner, and Dockerfile all live in 0sec-labs/foxguard. Audit every line.
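The webhook check described above is the gate everything else depends on: if a forged delivery can reach the clone step, an attacker chooses what gets fetched and scanned. As an added example (not the foxguard receiver's code), here is the verification a receiver performs on each delivery, with a constant-time compare over the exact bytes received and the event filtering that follows. The secret, delivery body and headers are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for the example. A deployment reads it from the
# environment and registers the same value on the GitHub App.
WEBHOOK_SECRET = b"replace-me-with-the-secret-registered-on-the-app"


def sign(secret: bytes, body: bytes) -> str:
    """GitHub's X-Hub-Signature-256 format: 'sha256=' + hex HMAC of the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_delivery(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """True only if the header carries a correct HMAC over the bytes received.

    The MAC must be computed over the raw request body, not over re-serialized
    JSON, and compared with hmac.compare_digest so an early byte mismatch does
    not leak timing that helps forge a signature.
    """
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(secret, body), header)


def handle(secret: bytes, body: bytes, headers: dict) -> int:
    """Return the HTTP status a receiver sends before touching any code.

    401 for a missing or wrong signature; 204 for events it has no work for;
    202 once a pull_request open/sync/reopen is accepted for scanning.
    """
    if not verify_delivery(secret, body, headers.get("X-Hub-Signature-256")):
        return 401
    if headers.get("X-GitHub-Event") != "pull_request":
        return 204
    payload = json.loads(body)
    if payload.get("action") not in ("opened", "synchronize", "reopened"):
        return 204
    # Only past this point would a receiver read
    # payload["pull_request"]["head"]["sha"] and shallow-clone it.
    return 202


# Constructed delivery mirroring the fields a pull_request event carries.
SAMPLE_BODY = json.dumps({
    "action": "synchronize",
    "pull_request": {"head": {"sha": "0" * 40}},
}).encode()
SAMPLE_HEADERS = {
    "X-GitHub-Event": "pull_request",
    "X-Hub-Signature-256": sign(WEBHOOK_SECRET, SAMPLE_BODY),
}

if __name__ == "__main__":
    print(handle(WEBHOOK_SECRET, SAMPLE_BODY, SAMPLE_HEADERS))        # 202
    print(handle(WEBHOOK_SECRET, SAMPLE_BODY + b" ", SAMPLE_HEADERS)) # 401
```

Two details matter in practice: frameworks that parse JSON before your handler runs can hand you a re-encoded body whose bytes no longer match what GitHub signed, so read the raw body; and a 401 on a bad signature should happen before any clone, queue write or log of the payload contents.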

Self-host the receiver

Run your own instance for air-gapped CI or regulated workloads. The receiver ships as a Docker image, and the Dockerfile is in the repo. Register your own GitHub App, set its webhook secret to the same value you give the receiver, and point its webhook URL at your instance. Terminate TLS in front of the container; the command below exposes plain HTTP on 8080.

terminal
# Generate the secret once and keep it: the App's "Webhook secret" field needs the same value.
export FOXGUARD_WEBHOOK_SECRET=$(openssl rand -hex 32)
echo "$FOXGUARD_WEBHOOK_SECRET"
docker run --rm -p 8080:8080 \
  -e FOXGUARD_WEBHOOK_SECRET \
  ghcr.io/0sec-labs/foxguard-github-app:latest

See Dockerfile.github-app for the build details and issue #246 for the broader Phase 1/2 plan.

Try it locally first

The CLI needs no App, no install, and no signup. See what it flags in your codebase.

npx foxguard .