foxguard - Fast local security linting in Rust

Fast by default

Example local default-mode benchmark: foxguard built-ins vs Semgrep and OpenGrep auto. For same-rules engine comparisons, use BENCH_MODE=compat.

Repo

foxguard

Semgrep

OpenGrep

express

141 files

foxguard

0.079s

Semgrep

4.712s

OpenGrep

4.756s

flask

83 files

foxguard

0.049s

Semgrep

4.702s

OpenGrep

5.150s

gin

99 files

foxguard

0.065s

Semgrep

4.467s

OpenGrep

4.294s

DEFAULT MODE

Product comparison

Compare foxguard built-ins against Semgrep or OpenGrep auto rules to measure the tools the way users actually run them by default.

COMPAT MODE

Same-rules engine comparison

Run the same Semgrep-compatible YAML rules across foxguard, Semgrep, and OpenGrep with --no-builtins --rules for a narrower compatibility check.

edit

foxguard checks (local-first)

fix

commit

The default story is built-ins-first. The compatibility story is bring-your-own YAML when you need to align with existing Semgrep or OpenGrep workflows.

Run ./benchmarks/run.sh locally for current numbers and methodology.

Compatibility, not magic

foxguard can load a useful Semgrep-compatible subset today. The default product path is still built-in rules. External YAML is there to help teams adopt foxguard without starting from zero.

supported

Top-level rules

supported

pattern

supported

pattern-either

supported

pattern-not

supported

pattern-inside

supported

patterns

supported

JS/TS, Python, Go

partial

Full Semgrep syntax

If you need the full Semgrep or OpenGrep rule universe, use those tools directly. If you want fast local feedback with a compatibility bridge, that is where foxguard fits.

Features

Local-first security linting for the edit-save-commit loop.

< 60ms

Single binary, local-first

No JVM, no Python runtime, no network calls. Fast enough for edit-save-commit loops, hooks, and scripts.

.yaml

Bring your own rules

Built-ins are the default. Add a useful Semgrep-compatible YAML subset from a file or directory when needed.

Built-in coverage

Security checks for JS/TS, Python, and Go, including framework-specific rules.

SARIF

CI-friendly output

Use terminal output locally or JSON and SARIF in automation.

Where It Fits

foxguard is best positioned as a local-first complement, not a claim of full tool replacement.

SEMGREP / OPENGREP

Broad ecosystem coverage

Large existing rule ecosystems

Strong CI and platform fit

Broader language and analysis scope

FOXGUARD

Fast local feedback on a Rust engine

Useful built-in rules out of the box

Terminal, JSON, and SARIF output

Semgrep-compatible YAML subset loading with --rules

Install

Get started in seconds.

Rust / Cargo

cargo install foxguard

npm / npx

npx foxguard .

Rules

36 rules across 3 languages, each mapped to a CWE identifier

JavaScript / TypeScript 16 rules

js/no-eval critical CWE-95 Use of eval() allows arbitrary code execution

js/no-hardcoded-secret high CWE-798 Hardcoded secret or credential detected

js/no-sql-injection critical CWE-89 SQL injection via string concatenation or template literal

js/no-xss-innerhtml high CWE-79 Assignment to innerHTML may lead to XSS

js/no-command-injection critical CWE-78 Command injection via exec/spawn with dynamic input

js/no-document-write high CWE-79 document.write() with dynamic content enables XSS

js/no-open-redirect medium CWE-601 Open redirect via user-controlled URL

js/no-weak-crypto medium CWE-327 Use of weak cryptographic hash (MD5/SHA1)

js/no-path-traversal high CWE-22 Path traversal via unsanitized user input

js/no-prototype-pollution high CWE-1321 Prototype pollution via object merge

js/no-unsafe-regex medium CWE-1333 ReDoS-vulnerable regular expression

js/no-cors-star medium CWE-942 Permissive CORS policy (Access-Control-Allow-Origin: *)

js/express-no-hardcoded-session-secret high CWE-798 Hardcoded session secret in express-session config

js/express-cookie-no-secure medium CWE-614 Cookie config missing secure flag

js/express-cookie-no-httponly medium CWE-1004 Cookie config missing httpOnly flag

js/express-direct-response-write high CWE-79 XSS via res.send/res.write with user input

Python 13 rules

py/no-eval critical CWE-95 Use of eval()/exec() allows arbitrary code execution

py/no-hardcoded-secret high CWE-798 Hardcoded secret or credential detected

py/no-sql-injection critical CWE-89 SQL injection via string formatting

py/no-command-injection critical CWE-78 Command injection via os.system/subprocess

py/no-path-traversal high CWE-22 Path traversal via unsanitized user input

py/no-weak-crypto medium CWE-327 Use of weak cryptographic hash (MD5/SHA1)

py/no-pickle high CWE-502 Deserialization of untrusted data via pickle

py/no-yaml-load high CWE-502 Unsafe yaml.load() without SafeLoader

py/no-debug-true medium CWE-489 DEBUG=True left enabled in production config

py/no-open-redirect medium CWE-601 Open redirect via user-controlled URL

py/no-cors-star medium CWE-942 Permissive CORS policy (CORS_ALLOW_ALL_ORIGINS)

py/flask-debug-mode high CWE-489 Flask app.run(debug=True) exposes debugger in production

py/django-secret-key-hardcoded high CWE-798 Django SECRET_KEY hardcoded in source

Go 7 rules

go/no-sql-injection critical CWE-89 SQL injection via string concatenation or fmt.Sprintf

go/no-command-injection critical CWE-78 Command injection via exec.Command with dynamic input

go/no-hardcoded-secret high CWE-798 Hardcoded secret or credential detected

go/no-weak-crypto medium CWE-327 Use of weak cryptographic hash (MD5/SHA1)

go/no-ssrf high CWE-918 SSRF via http.Get/http.Post with variable URL

go/gin-no-trusted-proxies medium CWE-346 Gin engine without SetTrustedProxies

go/net-http-no-timeout medium CWE-400 http.ListenAndServe without timeout config

Open source. MIT licensed.

Star us on GitHub and help make codebases safer.

Star on GitHub