Sub-second local security scanning for real codebases.
100+ built-in rules · 10 languages · single Rust binary · Semgrep-compatible YAML bridge
foxguard.dev · npm · crates.io
A PwnKit Labs product.
Security scanners are slow. 10 seconds, 30 seconds, sometimes a minute. So developers don't run them locally — they get pushed to CI, findings pile up in PRs, and nobody looks at them.
foxguard fixes this by being fast enough that you never notice it's there. Same scan, 0.03 seconds instead of 10. You can run it on every save, every commit, every push. Security feedback becomes instant.
src/auth/login.js
14:5 CRITICAL js/no-sql-injection (CWE-89)
SQL query built with template literal interpolation
src/utils/config.py
7:1 HIGH py/no-hardcoded-secret (CWE-798)
Hardcoded secret in 'api_key'
WARNING 2 issues in 5 files (0.03s): 1 critical, 1 high, 0 medium, 0 low
- Fast enough to leave on. foxguard is built for local runs, pre-commit hooks, and changed-file scans instead of “security later in CI”.
- Useful before you tune anything. The default value is built-in framework-aware rules for common real-world mistakes across JavaScript, Python, Go, Ruby, Java, PHP, Rust, C#, and Swift.
- Adoption-friendly. If you already have Semgrep/OpenGrep YAML, foxguard can load a focused compatible subset on top of built-ins so migration is incremental instead of all-or-nothing.
npx foxguard . # scan the repo
npx foxguard --changed . # only modified files
npx foxguard secrets . # leaked credentials and private keys
npx foxguard init # install a local pre-commit hookRust + tree-sitter for AST parsing + rayon for parallelism. No JVM startup, no Python interpreter, no network calls, no rule download step. Just a native binary that reads your files and reports findings.
100+ built-in rules across 10 languages. SQL injection, XSS, SSRF, command injection, hardcoded secrets, weak crypto, unsafe deserialization, log injection, and framework-specific checks for Express, Django, Rails, Spring, Laravel, Gin, .NET, and iOS.
Also scans for leaked credentials (AWS keys, GitHub/GitLab/Slack/Stripe tokens, private keys) with redacted output. Loads Semgrep-compatible YAML rules with --rules if you have existing ones. Outputs terminal, JSON, or SARIF for GitHub Code Scanning.
foxguard dogfoods itself — it scans its own Rust source in CI on every push.
foxguard is not trying to be a full Semgrep or OpenGrep drop-in replacement.
The intended model is:
- foxguard built-ins for fast local feedback
- Semgrep/OpenGrep-compatible YAML subset as an adoption bridge
- Semgrep/OpenGrep themselves when you need the broadest external rule ecosystem
That boundary is deliberate. It keeps local scans fast, rule support understandable, and compatibility claims testable.
npx foxguard . # no install needed
brew install peaktwilight/tap/foxguard # Homebrew (macOS/Linux)
cargo install foxguard # crates.ioEditor: Install the VS Code extension — scans on save, shows findings as underlines.
Real-world benchmarks on local codebases:
| Repo | Files | foxguard | Semgrep (cached) | Speedup |
|---|---|---|---|---|
| youtube-reader (Next.js) | 41 | 0.03s | 4.6s | 153x |
| doruk.ch (Astro) | 28 | 0.04s | 5.4s | 134x |
| SwissPriceScraper (Python) | 17 | 0.01s | 4.8s | 482x |
| express (framework) | 141 | 0.28s | 17.4s | 61x |
| flask (framework) | 83 | 0.08s | 7.3s | 87x |
Semgrep times measured with cached rules (second run). foxguard has no cache — it's just fast.
| Language | Rules | Frameworks |
|---|---|---|
| JavaScript/TypeScript | 25 | Express, JWT, cookies, XSS, log injection |
| Python | 26 | Flask, Django, CSRF, session |
| Go | 8 | Gin, net/http, TLS |
| Ruby | 10 | Rails, mass assignment, CSRF |
| Java | 10 | Spring, XXE, deserialization |
| PHP | 10 | Laravel, file inclusion, unserialize |
| Rust | 10 | unsafe, transmute, TLS |
| C# | 10 | .NET, LDAP, XXE, CORS |
| Swift | 10 | iOS keychain, transport, WebView |
- Changed-file scans for tight local loops
- Repo-local baselines so legacy findings stop blocking adoption
- Secrets scanning alongside code scanning
- JSON and SARIF output for CI and GitHub Code Scanning
- Semgrep/OpenGrep YAML subset when teams already have rule investments
Load existing Semgrep/OpenGrep YAML rules with --rules. Supports pattern, pattern-regex, pattern-either, pattern-not, pattern-inside, pattern-not-inside, metavariable-regex, and paths.include/exclude. This supported subset is parity-tested in CI against the real semgrep CLI. See COMPATIBILITY.md.
foxguard does not currently aim to support multiple unrelated external rule formats. The compatibility target is the focused Semgrep/OpenGrep YAML subset above.
name: Security
on: [push, pull_request]
jobs:
foxguard:
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- uses: actions/checkout@v4
- uses: PwnKit-Labs/foxguard/[email protected]
with:
path: .
severity: medium
fail-on-findings: "true"
upload-sarif: "true"Findings show up in Security → Code Scanning.
npx foxguard@latest . # scan
npx foxguard@latest --format sarif . > out.sarif # SARIF output
npx foxguard@latest secrets . # secrets[](https://github.com/PwnKit-Labs/foxguard)repos:
- repo: https://github.com/PwnKit-Labs/foxguard
rev: v0.3.2
hooks:
- id: foxguard
- id: foxguard-secretsOr run foxguard init to install a git hook directly.
foxguard auto-discovers .foxguard.yml from the scan path upward.
scan:
baseline: .foxguard/baseline.json
rules: ./semgrep-rules
secrets:
baseline: .foxguard/secrets-baseline.json
exclude_paths:
- fixtures
- testdata
ignore_rules:
- secret/github-tokenAdding a rule is one struct implementing a trait. See CONTRIBUTING.md.
Built by PwnKit Labs and Doruk Tan Ozturk
foxguard is one piece of a three-part open-source security stack:
- pwnkit — AI agent pentester (detect)
- foxguard — Rust security scanner (prevent)
- opensoar — Python-native SOAR platform (respond)
MIT