foxguard 0.8.1 → 0.10.0

package/README.md

@@ -9,18 +9,23 @@ npx foxguard .
 ## Why people use it
 
 - Fast enough to run locally instead of waiting for CI
-- Useful built-in rules out of the box across 10 languages
+- Useful built-in rules out of the box across 12 source languages
 - Semgrep-compatible YAML subset when you already have existing rules
 - JSON and SARIF output for automation
 
 It scans for SQL injection, XSS, SSRF, hardcoded secrets, command injection, weak crypto, unsafe deserialization, and framework-specific mistakes.
 
-**Languages:** JavaScript, TypeScript, Python, Go, Ruby, Java, PHP, Rust, C#, Swift
+**Languages:** JavaScript, TypeScript, Python, Go, Ruby, Java, PHP, Rust, C#, Swift, Kotlin, Haskell
 
 ## How it works
 
 This is the npm wrapper. It downloads the correct prebuilt Rust binary for your platform from GitHub Releases and caches it locally.
 
+The wrapper verifies the downloaded binary against the release `checksums.txt`
+before caching it. Release binaries also have GitHub artifact attestations for
+manual or CI verification with `gh attestation verify`; see the repository's
+release provenance documentation for the trust model and failure modes.
+
 ```sh
 npx foxguard .                    # scan everything
 npx foxguard --changed .          # only modified files

package/bin/foxguard

@@ -1,6 +1,7 @@
 #!/usr/bin/env node
 
 const { execFileSync } = require("child_process");
+const crypto = require("crypto");
 const fs = require("fs");
 const path = require("path");
 const os = require("os");
@@ -72,6 +73,22 @@ function download(url) {
   });
 }
 
+function parseChecksums(text) {
+  // Parse checksums.txt format: "<hash>  <filename>" or "<hash> <filename>"
+  const map = {};
+  for (const line of text.split("\n")) {
+    const match = line.match(/^([0-9a-f]{64})\s+(.+)$/);
+    if (match) {
+      map[match[2]] = match[1];
+    }
+  }
+  return map;
+}
+
+function sha256(buffer) {
+  return crypto.createHash("sha256").update(buffer).digest("hex");
+}
+
 async function downloadBinary() {
   const target = getPlatformKey();
   const cacheDir = getCacheDir();
@@ -97,12 +114,34 @@ async function downloadBinary() {
   } else {
     throw new Error(`unsupported release target: ${target}`);
   }
-  const url = `https://github.com/${REPO}/releases/download/v${VERSION}/${assetName}`;
+  const baseUrl = `https://github.com/${REPO}/releases/download/v${VERSION}`;
+  const url = `${baseUrl}/${assetName}`;
 
   console.error(`foxguard: downloading v${VERSION} for ${target}...`);
 
   try {
-    const data = await download(url);
+    // Download checksums and binary in parallel
+    const [checksumData, data] = await Promise.all([
+      download(`${baseUrl}/checksums.txt`),
+      download(url),
+    ]);
+
+    // Verify integrity
+    const checksums = parseChecksums(checksumData.toString("utf8"));
+    const expected = checksums[assetName];
+    if (!expected) {
+      console.error(`foxguard: integrity error — no checksum found for ${assetName} in checksums.txt`);
+      process.exit(1);
+    }
+
+    const actual = sha256(data);
+    if (actual !== expected) {
+      console.error(`foxguard: integrity error — SHA-256 mismatch for ${assetName}`);
+      console.error(`  expected: ${expected}`);
+      console.error(`  actual:   ${actual}`);
+      process.exit(1);
+    }
+
     fs.writeFileSync(cachedBin, data);
 
     // Make executable

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "foxguard",
-  "version": "0.8.1",
-  "description": "A security scanner as fast as a linter, written in Rust. 170+ built-in rules across 10 languages.",
-  "license": "MIT",
+  "version": "0.10.0",
+  "description": "A security scanner as fast as a linter, written in Rust. 200+ built-in rules across 12 source languages.",
+  "license": "MIT OR Apache-2.0",
   "repository": {
     "type": "git",
     "url": "https://github.com/0sec-labs/foxguard.git"