### Install FoxGuard via Script

Source: https://foxguard.dev/blog/foxguard-0-8-0-pq-crypto-audit

Install FoxGuard using the provided shell script for quick setup. Piping a remote script straight into `sh` executes it unreviewed; fetch and read it first where that matters.

```bash
curl -fsSL https://foxguard.dev/install.sh | sh
```

--------------------------------

### foxguard Output Example for PQ Findings

Source: https://foxguard.dev/blog/foxguard-0-8-0-pq-crypto-audit

Example output from the `foxguard pqc .` command, showing a specific finding in `src/tls/client.go`. It reports the severity, the rule ID (`go/pq-vulnerable-crypto`) with its CWE (CWE-327), the weakness description, and the relevant CNSA 2.0 deadline.

```text
src/tls/client.go
  42:14  HIGH  go/pq-vulnerable-crypto (CWE-327)
         ECDH P-256 is not post-quantum safe. CNSA 2.0 mandates ML-KEM-1024 for NSS;
         ML-KEM-768 is the NIST default for commercial use.
         CNSA 2.0 deadline: traditional networking equipment, 2030.

WARNING 1 PQ finding in 18 files (0.04s): 1 high, 0 medium, 0 low
CNSA 2.0 migration: at-risk (1 finding with an NSA transition deadline)
```

--------------------------------

### Install FoxGuard with Cargo

Source: https://foxguard.dev/blog/foxguard-0-8-0-pq-crypto-audit

Install FoxGuard using the Rust package manager, Cargo.

```bash
cargo install foxguard
```

--------------------------------

### Initialize Foxguard Local Hook

Source: https://foxguard.dev/blog/how-to-roll-out-foxguard-without-blowing-up-ci

Install the local hook to add a pre-commit path for Foxguard. This provides a starter configuration without impacting CI.

```bash
foxguard init
```

--------------------------------

### Python Cross-File Taint Tracking Example

Source: https://foxguard.dev/blog/taint-tracking-without-the-yaml

This example demonstrates how FoxGuard traces taint across file boundaries. Taint from user input in `views.py` is tracked to a sink in `queries.py`.

```python
# views.py
from . import queries

def search(request):
    name = request.GET["name"]       # source: untrusted query-string value
    return queries.run_query(name)   # ← cross-file taint fires here

# queries.py
def run_query(name):
    cur = db.cursor()                # db: the module's connection
    # sink: SQL built by string concatenation
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
```

--------------------------------

### Flask False Positive: No Source

Source: https://foxguard.dev/blog/taint-tracking-without-the-yaml

In this Flask example, `os.system` is called with a literal string, and there is no tainted input source within the function. Foxguard correctly reports no finding.

```python
@app.route("/healthz")
def healthz():
    os.system("uptime")  # literal, not tainted
    return "ok"
```

--------------------------------

### Python Cross-File Taint Analysis Example

Source: https://foxguard.dev/

Demonstrates how untrusted input flows across file boundaries in Python. This example shows a source in `views.py` and a sink in `queries.py`, highlighting Foxguard's ability to trace dataflow.

```python
from . import queries

def search(request):
    name = request.GET["name"]
    return queries.run_query(name)
```

```python
def run_query(name):
    cur = db.cursor()
    cur.execute(
        "SELECT * FROM users"
        " WHERE name = '" + name + "'"
    )
```

--------------------------------

### Express: Hardcoded Session Secrets in Examples

Source: https://foxguard.dev/blog/scanning-top-frameworks

These examples demonstrate hardcoded session secrets in Express. Developers often copy-paste examples, potentially introducing the placeholder secret into production, where it lets anyone forge session cookies.

```javascript
secret: 'keyboard cat'
```

```javascript
app.use(cookieSession({ secret: 'manny is cool' }));
```

--------------------------------

### Python cross-file taint example: Source

Source: https://foxguard.dev/blog/cross-file-taint-in-003-seconds

Illustrates the source half of the cross-file example: the Python file where user input is obtained and handed to another module.

```python
# views.py
from . import queries

def search(request):
    name = request.GET["name"]
    return queries.run_query(name)
```

--------------------------------

### Foxguard Taint Analysis Example

Source: https://foxguard.dev/blog/cross-file-taint-in-003-seconds

Demonstrates a critical SQL injection finding identified by foxguard, including the source, sink, and suggested fix. This output is generated in milliseconds.

```text
$ foxguard tests/fixtures/realistic/django_shop/ --explain

views.py 52:12 CRITICAL py/taint-sql-injection (CWE-89)
  django.request.GET reaches cursor.execute (via cross-file call to run_query)

  source → views.py:51 django.request.GET
  sink   → views.py:52 cursor.execute (via cross-file call to run_query)

  Fix: Use parameterized queries:
       cur.execute("SELECT * FROM users WHERE name = ?", (name,))
```

--------------------------------

### Launch foxguard TUI in Secrets Mode

Source: https://foxguard.dev/blog/foxguard-0-7-0-tui-launch

Starts the foxguard TUI focused on scanning for secrets within the codebase.

```bash
npx foxguard tui --secrets .
```

--------------------------------

### Clone Linux Kernel and Run Dirty Frag Rule Pack

Source: https://foxguard.dev/blog/dirty-frag-rule-pack

Clone the Linux kernel repository and execute the foxguard scanner with the dirty-frag-class rules. Ensure you have the latest foxguard CLI installed.

```bash
git clone --depth=1 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
npx foxguard@latest --no-builtins \
  --rules rules/kernel/dirty-frag-class/ \
  linux/
```

--------------------------------

### Python cross-file taint example: Sink

Source: https://foxguard.dev/blog/cross-file-taint-in-003-seconds

Illustrates the sink half of the cross-file example: the Python file where the tainted value reaches a query and could lead to SQL injection.
```python
# queries.py
def run_query(name):
    cur = db.cursor()   # db: the module's connection
    # sink: SQL built by string concatenation
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
```

--------------------------------

### Run Foxguard Locally on Changed Files

Source: https://foxguard.dev/blog/how-to-roll-out-foxguard-without-blowing-up-ci

Use this command to get fast, relevant feedback scoped to the files a developer is currently modifying. This helps developers learn the tool's signal before any enforcement.

```bash
npx foxguard --changed .
```

--------------------------------

### Flask False Positive: Discarded Taint

Source: https://foxguard.dev/blog/taint-tracking-without-the-yaml

This Flask example shows user input being read but never reaching the dangerous sink (`eval`), which receives a literal. Foxguard correctly identifies no taint propagation and thus no finding.

```python
@app.route("/static-eval")
def static_eval():
    _ignored = request.args["expr"]   # read, but discarded
    return str(eval("1 + 1"))         # sink receives a literal
```

--------------------------------

### Try Foxguard

Source: https://foxguard.dev/blog/how-to-roll-out-foxguard-without-blowing-up-ci

A simple command to run Foxguard on the current directory, useful for initial testing or quick scans.

```bash
npx foxguard .
```

--------------------------------

### Explain Dataflow Traces with Foxguard

Source: https://foxguard.dev/

Generate detailed explanations of dataflow traces from source to sink, including file and line references, using the `--explain` flag. This aids in understanding the full path of tainted data. The flag is appended to a normal scan, as in the `--explain` transcript above.

```bash
foxguard . --explain
```

--------------------------------

### Run FoxGuard 0.7.1

Source: https://foxguard.dev/blog/foxguard-0-7-1-faster-taint

Execute FoxGuard version 0.7.1 using npx to scan the current directory. This command is a drop-in replacement for previous versions and offers faster performance.

```bash
npx foxguard@0.7.1 .
```

--------------------------------

### Load Semgrep Rules with Foxguard

Source: https://foxguard.dev/

Utilize existing Semgrep or OpenGrep rules within Foxguard by specifying them with the `--rules` flag. This allows for leveraging established rule sets. The flag takes a rules directory, as in the dirty-frag commands on this page; the path below is illustrative.

```bash
foxguard --rules path/to/semgrep-rules/ .
```

--------------------------------

### Run PQ-vulnerable-crypto Rules with foxguard

Source: https://foxguard.dev/blog/foxguard-0-8-0-pq-crypto-audit

Execute the PQ-vulnerable-crypto rules across a repository to identify cryptographic weaknesses and display migration deadlines. This command is useful for assessing compliance with NSA's CNSA 2.0 standards.

```bash
foxguard pqc .
```

--------------------------------

### Generate Foxguard Baseline

Source: https://foxguard.dev/blog/how-to-roll-out-foxguard-without-blowing-up-ci

Create a baseline file to capture existing issues in the repository. This separates historical noise from new findings.

```bash
foxguard baseline --output .foxguard/baseline.json .
```

--------------------------------

### Run Foxguard with Baseline

Source: https://foxguard.dev/blog/how-to-roll-out-foxguard-without-blowing-up-ci

Apply the generated baseline in normal scans. This shifts the focus to new issues introduced by a pull request.

```bash
foxguard --baseline .foxguard/baseline.json .
```

--------------------------------

### Run FoxGuard PQ Audit

Source: https://foxguard.dev/blog/foxguard-0-8-0-pq-crypto-audit

Execute a post-quantum cryptography audit on the current directory using the latest FoxGuard version.

```bash
npx foxguard@latest pqc .
```

--------------------------------

### Refactoring Go Taint Analysis for Performance

Source: https://foxguard.dev/blog/foxguard-0-7-1-faster-taint

Compares the 'before' and 'after' approaches to analyzing Go taint rules. The original method performed a separate AST walk for each rule, while the optimized version groups rules by sanitizer fingerprint so that rules sharing the same sanitizers reuse one propagation pass and have their sinks checked in a batch, significantly reducing redundant work.
```rust
// Before: 9 walks per file (one per rule)
for rule in go_taint_rules {
    analyze_tree_with_cross_file(tree, &rule.spec); // Pass 1 + Pass 2
}

// After: 2 walks per file (one per sanitizer group)
let groups = group_by_sanitizer_fingerprint(go_taint_rules);
for group in groups {
    analyze_tree_batched(tree, &group); // shared Pass 1, batched sinks
}
```

--------------------------------

### Flask: Using exec() for Configuration Loading

Source: https://foxguard.dev/blog/scanning-top-frameworks

Flask's `Config.from_pyfile()` uses `exec()` to load Python configuration files. That is a code-execution path if an attacker can write to the config file or its directory, so the config path must be as trusted as the application code itself.

```python
exec(compile(config_file.read(), filename, "exec"), d.__dict__)
```

--------------------------------

### Go SQL Injection Taint Tracking

Source: https://foxguard.dev/blog/taint-tracking-without-the-yaml

Illustrates a Go HTTP handler where the query parameter `q` from `r.URL.Query().Get` is concatenated into a SQL statement passed to `db.Exec`, resulting in SQL injection. Foxguard detects this as `go/taint-sql-injection`.

```go
func search(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query().Get("q") // source: untrusted query parameter
	// sink: SQL built by string concatenation
	db.Exec("SELECT * FROM items WHERE name = '" + q + "'")
}
```

--------------------------------

### Try the latest foxguard TUI

Source: https://foxguard.dev/blog/foxguard-0-7-0-tui-launch

This command runs the most recent version of the foxguard TUI for a local scan; the `@latest` tag is the form recommended for CI hooks and editor tasks.

```bash
npx foxguard@latest tui .
```

--------------------------------

### Initial CNSA 2.0 Deadline Logic

Source: https://foxguard.dev/blog/cnsa2-deadlines-we-got-wrong

This Rust code snippet demonstrates the initial approach to determining CNSA 2.0 deadlines based on rule ID substrings. It was found to be problematic due to unsourced dates and a fragile heuristic: a renamed rule silently changes or loses its deadline.
```rust
// roughly what the first pass looked like
fn deadline_for(rule_id: &str) -> Option<&'static str> {
    if rule_id.contains("signing") {
        Some("2030")
    } else if rule_id.contains("tls") || rule_id.contains("crypto") {
        Some("2033")
    } else {
        None
    }
}
```

--------------------------------

### Add Baseline-Backed CI Scan

Source: https://foxguard.dev/blog/how-to-roll-out-foxguard-without-blowing-up-ci

Integrate Foxguard into CI using the baseline. This ensures CI checks for new security issues introduced by changes.

```bash
npx foxguard@latest --baseline .foxguard/baseline.json .
```

--------------------------------

### Run FoxGuard Scan for Dirty Frag Rules

Source: https://foxguard.dev/blog/dirty-frag-rule-pack

Execute the FoxGuard scanner with specific rules targeting the Dirty Frag vulnerability class on a set of C test fixtures. This transcript demonstrates how to apply custom rules and what the output looks like.

```bash
$ npx foxguard@latest --no-builtins \
    --rules rules/kernel/dirty-frag-class/ \
    tests/fixtures/kernel/dirty-frag/
foxguard v0.8.0 · scanning...

.../aead_no_cow_vulnerable.c · 1 issue
  █ CRITICAL In-place AEAD decrypt on skb without a dominating cow/unshare gate (Dirty Frag class). …
  █ semgrep/kernel/dirty-frag/skb-inplace-aead-no-cow (CWE-787) line 27:1
  █   aead_request_set_crypt(req, sg, sg, len, iv);

.../scatterwalk_store_vulnerable.c · 1 issue
.../skcipher_no_cow_vulnerable.c · 1 issue

3 issues 6 files · 0.01s
```

--------------------------------

### Gin: Default Engine Without Trusted Proxies

Source: https://foxguard.dev/blog/scanning-top-frameworks

The convenience package `ginS` in Gin creates a default engine without calling `SetTrustedProxies()`, so `X-Forwarded-For` from any upstream is honoured and the client IP can be spoofed.

```go
return gin.Default()
```

--------------------------------

### Launch foxguard TUI in Diff Mode

Source: https://foxguard.dev/blog/foxguard-0-7-0-tui-launch

Initiates the foxguard TUI in diff mode, showing the findings introduced relative to the given base branch (here `main`).
```bash
npx foxguard tui --diff main .
```

--------------------------------

### Launch foxguard TUI

Source: https://foxguard.dev/blog/foxguard-0-7-0-tui-launch

Use this command to launch the interactive terminal UI for foxguard. It opens to a launch picker with scan, diff, and secrets modes.

```bash
npx foxguard tui .
```

--------------------------------

### Flask Command Injection Taint Tracking

Source: https://foxguard.dev/blog/taint-tracking-without-the-yaml

Demonstrates a Flask route where user input from `request.args` reaches `os.system` via string concatenation, leading to command injection. Foxguard identifies this as `py/taint-command-injection`.

```python
@app.route("/ping")
def ping():
    host = request.args.get("host", "localhost")  # source: untrusted query parameter
    os.system("ping -c 1 " + host)                # sink: shell command built from it
    return "ok"
```

--------------------------------

### Perform Branch Diffing with Foxguard

Source: https://foxguard.dev/

Show only the new findings introduced in the current branch compared to a specified base branch (e.g., `main`). This helps in focusing on recent changes and avoiding noise from existing code.

```bash
foxguard diff main
```

--------------------------------

### Define CNSA 2.0 Deadline Constants with Citations

Source: https://foxguard.dev/blog/cnsa2-deadlines-we-got-wrong

Use `pub const` with doc comments to define deadline constants, including inline NSA citations and source references. This ensures clarity and traceability for each deadline.

```rust
/// Software & firmware signing — exclusive use of CNSA 2.0 by end of 2030.
///
/// Source: NSA CNSA 2.0 FAQ (Dec 2024, v2.1), transition-timeline table:
/// *"Software and firmware signing: Support and prefer by 2025;
/// exclusive use by 2030."* This is the earliest per-class deadline in
/// CNSA 2.0 because hash-based signatures (LMS/XMSS) and ML-DSA are
/// already standardized and fieldable.
pub const SOFTWARE_FIRMWARE_SIGNING: &str = "2030";

/// Web browsers / servers / cloud services — exclusive use by end of 2033.
///
/// Source: NSA CNSA 2.0 FAQ (Dec 2024, v2.1), transition-timeline table:
/// *"Cloud services and web browsers/servers: Support and prefer by
/// 2025; exclusive use by 2033."*
pub const WEB_AND_CLOUD: &str = "2033";
```

--------------------------------

### FoxGuard Rule for In-place AEAD Decrypt (Dirty Frag)

Source: https://foxguard.dev/blog/dirty-frag-rule-pack

This YAML configuration defines a FoxGuard rule to detect potential Dirty Frag vulnerabilities. `pattern-regex` matches an `aead_request_set_crypt` call followed by `crypto_aead_decrypt` within the same brace-delimited body; `pattern-not-regex` suppresses the match when one of the copy-on-write / unshare helpers precedes that pair in the same body.

```yaml
rules:
  - id: kernel/dirty-frag/skb-inplace-aead-no-cow
    pattern-regex: '(?ms)^\s*aead_request_set_crypt\s*\([^}]*?crypto_aead_decrypt\s*\('
    pattern-not-regex: '(?s)\b(?:skb_cow_data|skb_copy|skb_unshare|skb_make_writable|pskb_expand_head)\s*\([^}]*?aead_request_set_crypt\s*\([^}]*?crypto_aead_decrypt\s*\('
    message: |
      In-place AEAD decrypt on skb without a dominating cow/unshare gate
      (Dirty Frag class). Verify skb_cow_data / skb_unshare / skb_make_writable /
      pskb_expand_head is reached on the unsafe path before
      aead_request_set_crypt(req, sg, sg, ...) + crypto_aead_decrypt(req).
      See oss-security 2026-05-07 advisory and pwnkit issue #263.
    severity: ERROR
    languages: [c]
    metadata:
      cwe: "CWE-787"
```

--------------------------------

### Generate CycloneDX 1.6 CBOM with foxguard

Source: https://foxguard.dev/blog/foxguard-0-8-0-pq-crypto-audit

Emit a CycloneDX 1.6 cryptographic bill of materials (CBOM) where each component is linked to its source file, line number, and severity. This command helps in inventorying cryptographic components and their associated risks.

```bash
foxguard --format cbom .
```

--------------------------------

### Post Findings as GitHub PR Review Comments

Source: https://foxguard.dev/

Directly post Foxguard findings as inline review comments on GitHub pull requests using the `--github-pr` flag. This integrates security feedback directly into the code review process.
```bash
--github-pr
```

--------------------------------

### Rails: Marshal.load for Cookie Deserialization

Source: https://foxguard.dev/blog/scanning-top-frameworks

Rails uses `Marshal.load` for cookie deserialization, which can lead to remote code execution if cookie data is tampered with. Rails mitigates this with signed/encrypted cookies, so the risk is realised only if the signing secret leaks (see the hardcoded-secret examples above), but the underlying primitive is inherently dangerous.

```ruby
Marshal.load
```

--------------------------------

### Flask: SHA-1 Fallback for Session Cookie Signing

Source: https://foxguard.dev/blog/scanning-top-frameworks

Flask uses SHA-1 in its session cookie signing fallback. Known SHA-1 collision attacks do not directly break HMAC-SHA1 signatures, but SHA-1 is deprecated and may be rejected by FIPS-compliant environments.

```python
return hashlib.sha1(string)
```

--------------------------------

### Annotate CNSA 2.0 Deadlines from Rule Registry

Source: https://foxguard.dev/blog/cnsa2-deadlines-we-got-wrong

This function iterates through all rules in the registry, collects their CNSA 2.0 deadlines into a map keyed by rule ID, and annotates findings with the corresponding deadline. It avoids string matching by looking up the finding's exact rule ID.

```rust
use std::collections::HashMap;

pub fn annotate_cnsa2_deadlines(findings: &mut [Finding], registry: &RuleRegistry) {
    // rule ID -> deadline, taken from the rules themselves rather than from ID substrings
    let map: HashMap<&str, &'static str> = registry
        .all_rules()
        .iter()
        .filter_map(|r| r.cnsa2_deadline().map(|d| (r.id(), d)))
        .collect();

    for f in findings.iter_mut() {
        if let Some(deadline) = map.get(f.rule_id.as_str()) {
            f.cnsa2_deadline = Some((*deadline).to_string());
        }
    }
}
```

--------------------------------

### JavaScript SSRF Taint Tracking

Source: https://foxguard.dev/blog/taint-tracking-without-the-yaml

Shows an Express.js route where a user-provided URL from `req.query` is passed to `fetch`, leading to Server-Side Request Forgery (SSRF). Foxguard flags this as `js/taint-ssrf`.
```javascript
app.get("/fetch", (req, res) => {
  const url = req.query.url;                                   // source: untrusted query parameter
  fetch(url).then(r => r.text()).then(body => res.send(body)); // sink: server-side request
});
```

--------------------------------

### Laravel: Variable Path Require in Maintenance Mode

Source: https://foxguard.dev/blog/scanning-top-frameworks

A finding in Laravel's maintenance mode entry point involves a `require` statement with a variable path. This is considered low risk as the base path is hardcoded.

```php
require $path;
```

--------------------------------

### Module Doc Comment Prohibiting Substring Matching

Source: https://foxguard.dev/blog/cnsa2-deadlines-we-got-wrong

Include a module-level doc comment that explicitly forbids substring matching on rule IDs to prevent accidental misinterpretation or loss of annotations.

```rust
//! ## Design notes (addresses PR #231 review)
//!
//! - **No substring matching on rule IDs.** The deadline is a property of the
//!   rule itself (declared in `impl_rule!`), so this module simply consults
//!   the registry. Renaming or adding a rule cannot silently drop its
//!   annotation.
//! - **No hardcoded dates without citations.** Every year used below is tied
//!   to a specific NSA document URL and quoted language.
```
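--------------------------------

### Worked Example: Running the Cross-File SQL Injection Fixture and Its Fix

The cross-file fixture shown in the Python taint examples above (`request.GET["name"]` in `views.py` flowing into `cur.execute` in `queries.py`) and the parameterized fix that `foxguard --explain` prints, executed end to end. This is an added example, not code from the FoxGuard project or its blog: it assumes an in-memory SQLite database with constructed sample rows, a `search()` stand-in that takes a plain dict in place of Django's `request.GET`, and a constructed attacker value for the `name` parameter.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite users table (not from the page)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return db


def run_query_vulnerable(db, name):
    """The sink from the page's queries.py: the value is concatenated into the SQL text."""
    cur = db.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    return sorted(row[1] for row in cur.fetchall())


def run_query_fixed(db, name):
    """The fix foxguard --explain suggests: bind the value as a parameter.

    sqlite3 uses '?' placeholders; Django and psycopg use '%s', but the
    principle (value travels out of band, never as SQL text) is the same.
    """
    cur = db.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
    return sorted(row[1] for row in cur.fetchall())


def search(db, get_params, query_fn):
    """Stand-in for the page's views.search(): get_params plays request.GET (assumed)."""
    name = get_params["name"]          # source: attacker-controlled
    return query_fn(db, name)          # cross-file call into the sink


def demo():
    """Run benign and hostile input through both sinks and return the rows each yields."""
    db = make_db()
    benign = {"name": "alice"}
    hostile = {"name": "x' OR '1'='1"}  # constructed attacker input: closes the quote, adds a tautology
    return {
        "vuln_benign": search(db, benign, run_query_vulnerable),
        "vuln_hostile": search(db, hostile, run_query_vulnerable),   # every row leaks
        "fixed_benign": search(db, benign, run_query_fixed),
        "fixed_hostile": search(db, hostile, run_query_fixed),       # no user literally named that
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:14} {rows}")
```

The hostile value turns the concatenated statement into `WHERE name = 'x' OR '1'='1'`, so the vulnerable sink returns the whole table; the bound parameter is compared as a single opaque string and matches nothing. That difference in behaviour, not the shape of the string, is what `py/taint-sql-injection` is flagging.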
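--------------------------------

### Worked Example: How the Dirty Frag Rule's Two Regexes Combine

To see how `pattern-regex` and `pattern-not-regex` in the Dirty Frag rule above cooperate, here is an added re-implementation of that rule's matching in Python. It is not FoxGuard's engine: it assumes Semgrep's semantics for `pattern-not-regex` (a `pattern-regex` match is dropped when it overlaps any `pattern-not-regex` match) and runs the rule's own two expressions, copied verbatim, over two constructed C functions, one that calls `skb_cow_data()` before the in-place decrypt and one that does not.

```python
import re

# The two expressions from the rule, unchanged. Python's re accepts the inline
# (?ms) / (?s) flags because they sit at the start of each pattern.
PATTERN = re.compile(
    r"(?ms)^\s*aead_request_set_crypt\s*\([^}]*?crypto_aead_decrypt\s*\("
)
NOT_PATTERN = re.compile(
    r"(?s)\b(?:skb_cow_data|skb_copy|skb_unshare|skb_make_writable|pskb_expand_head)"
    r"\s*\([^}]*?aead_request_set_crypt\s*\([^}]*?crypto_aead_decrypt\s*\("
)

# Constructed fixtures (not the page's test files): same shape as the finding
# in the transcript, one ungated and one gated by skb_cow_data().
VULNERABLE = """\
static int decrypt_in_place(struct sk_buff *skb, struct aead_request *req)
{
	struct scatterlist sg[2];
	skb_to_sgvec(skb, sg, 0, skb->len);
	aead_request_set_crypt(req, sg, sg, skb->len, iv);
	return crypto_aead_decrypt(req);
}
"""

GATED = """\
static int decrypt_gated(struct sk_buff *skb, struct aead_request *req)
{
	struct scatterlist sg[2];
	if (skb_cow_data(skb, 0, &trailer) < 0)
		return -EINVAL;
	skb_to_sgvec(skb, sg, 0, skb->len);
	aead_request_set_crypt(req, sg, sg, skb->len, iv);
	return crypto_aead_decrypt(req);
}
"""


def scan(source):
    """Return the 1-based line numbers where the rule would report a finding.

    A pattern-regex match survives only if no pattern-not-regex match overlaps it;
    that is the Semgrep rule semantics this example assumes.
    """
    gates = [(m.start(), m.end()) for m in NOT_PATTERN.finditer(source)]
    findings = []
    for m in PATTERN.finditer(source):
        if any(m.start() < g_end and g_start < m.end() for g_start, g_end in gates):
            continue
        # (?m)^\s* lets the match begin at the line start; report the call itself.
        call_pos = m.start() + (len(m.group(0)) - len(m.group(0).lstrip()))
        findings.append(source.count("\n", 0, call_pos) + 1)
    return findings


if __name__ == "__main__":
    print("vulnerable:", scan(VULNERABLE))          # [5]
    print("gated:     ", scan(GATED))               # []
    print("both:      ", scan(VULNERABLE + GATED))  # [5]
```

The `[^}]*?` in both expressions is what keeps a match inside one brace-delimited body, which is why two functions in one file are judged independently. It is also the rule's blind spot: a gate that lives in a helper called earlier, or that sits on a path the regex cannot see, is invisible to it, so a hit is a "verify the unsafe path" prompt, as the rule's message says, not a proof.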