foxguard 0.8.0 → 0.9.0

package/README.md

@@ -21,6 +21,11 @@ It scans for SQL injection, XSS, SSRF, hardcoded secrets, command injection, wea
 
 This is the npm wrapper. It downloads the correct prebuilt Rust binary for your platform from GitHub Releases and caches it locally.
 
+The wrapper verifies the downloaded binary against the release `checksums.txt`
+before caching it. Release binaries also have GitHub artifact attestations for
+manual or CI verification with `gh attestation verify`; see the repository's
+release provenance documentation for the trust model and failure modes.
+
 ```sh
 npx foxguard .                    # scan everything
 npx foxguard --changed .          # only modified files
@@ -45,6 +50,6 @@ foxguard is built around fast local feedback.
 
 ## More
 
-- [GitHub](https://github.com/PwnKit-Labs/foxguard)
+- [GitHub](https://github.com/0sec-labs/foxguard)
 - [VS Code Extension](https://marketplace.visualstudio.com/items?itemName=peaktwilight.foxguard)
 - [foxguard.dev](https://foxguard.dev)

package/bin/foxguard

@@ -1,13 +1,14 @@
 #!/usr/bin/env node
 
 const { execFileSync } = require("child_process");
+const crypto = require("crypto");
 const fs = require("fs");
 const path = require("path");
 const os = require("os");
 const https = require("https");
 
 const VERSION = require("../package.json").version;
-const REPO = "PwnKit-Labs/foxguard";
+const REPO = "0sec-labs/foxguard";
 
 // Platform mapping: [node os, node arch] -> GitHub release asset suffix
 const PLATFORM_MAP = {
@@ -72,6 +73,22 @@ function download(url) {
   });
 }
 
+function parseChecksums(text) {
+  // Parse checksums.txt format: "<hash>  <filename>" or "<hash> <filename>"
+  const map = {};
+  for (const line of text.split("\n")) {
+    const match = line.match(/^([0-9a-f]{64})\s+(.+)$/);
+    if (match) {
+      map[match[2]] = match[1];
+    }
+  }
+  return map;
+}
+
+function sha256(buffer) {
+  return crypto.createHash("sha256").update(buffer).digest("hex");
+}
+
 async function downloadBinary() {
   const target = getPlatformKey();
   const cacheDir = getCacheDir();
@@ -97,12 +114,34 @@ async function downloadBinary() {
   } else {
     throw new Error(`unsupported release target: ${target}`);
   }
-  const url = `https://github.com/${REPO}/releases/download/v${VERSION}/${assetName}`;
+  const baseUrl = `https://github.com/${REPO}/releases/download/v${VERSION}`;
+  const url = `${baseUrl}/${assetName}`;
 
   console.error(`foxguard: downloading v${VERSION} for ${target}...`);
 
   try {
-    const data = await download(url);
+    // Download checksums and binary in parallel
+    const [checksumData, data] = await Promise.all([
+      download(`${baseUrl}/checksums.txt`),
+      download(url),
+    ]);
+
+    // Verify integrity
+    const checksums = parseChecksums(checksumData.toString("utf8"));
+    const expected = checksums[assetName];
+    if (!expected) {
+      console.error(`foxguard: integrity error — no checksum found for ${assetName} in checksums.txt`);
+      process.exit(1);
+    }
+
+    const actual = sha256(data);
+    if (actual !== expected) {
+      console.error(`foxguard: integrity error — SHA-256 mismatch for ${assetName}`);
+      console.error(`  expected: ${expected}`);
+      console.error(`  actual:   ${actual}`);
+      process.exit(1);
+    }
+
     fs.writeFileSync(cachedBin, data);
 
     // Make executable

package/package.json

@@ -1,11 +1,11 @@
 {
   "name": "foxguard",
-  "version": "0.8.0",
+  "version": "0.9.0",
   "description": "A security scanner as fast as a linter, written in Rust. 170+ built-in rules across 10 languages.",
-  "license": "MIT",
+  "license": "MIT OR Apache-2.0",
   "repository": {
     "type": "git",
-    "url": "https://github.com/PwnKit-Labs/foxguard.git"
+    "url": "https://github.com/0sec-labs/foxguard.git"
   },
   "homepage": "https://foxguard.dev",
   "keywords": [