foxguard 0.8.1 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/README.md +5 -0
  2. package/bin/foxguard +41 -2
  3. package/package.json +2 -2
package/README.md CHANGED
@@ -21,6 +21,11 @@ It scans for SQL injection, XSS, SSRF, hardcoded secrets, command injection, wea
21
21
 
22
22
  This is the npm wrapper. It downloads the correct prebuilt Rust binary for your platform from GitHub Releases and caches it locally.
23
23
 
24
+ The wrapper verifies the downloaded binary against the release `checksums.txt`
25
+ before caching it. Release binaries also have GitHub artifact attestations for
26
+ manual or CI verification with `gh attestation verify`; see the repository's
27
+ release provenance documentation for the trust model and failure modes.
28
+
24
29
  ```sh
25
30
  npx foxguard . # scan everything
26
31
  npx foxguard --changed . # only modified files
package/bin/foxguard CHANGED
@@ -1,6 +1,7 @@
1
1
  #!/usr/bin/env node
2
2
 
3
3
  const { execFileSync } = require("child_process");
4
+ const crypto = require("crypto");
4
5
  const fs = require("fs");
5
6
  const path = require("path");
6
7
  const os = require("os");
@@ -72,6 +73,22 @@ function download(url) {
72
73
  });
73
74
  }
74
75
 
76
+ function parseChecksums(text) {
77
+ // Parse checksums.txt format: "<hash> <filename>" or "<hash> <filename>"
78
+ const map = {};
79
+ for (const line of text.split("\n")) {
80
+ const match = line.match(/^([0-9a-f]{64})\s+(.+)$/);
81
+ if (match) {
82
+ map[match[2]] = match[1];
83
+ }
84
+ }
85
+ return map;
86
+ }
87
+
88
+ function sha256(buffer) {
89
+ return crypto.createHash("sha256").update(buffer).digest("hex");
90
+ }
91
+
75
92
  async function downloadBinary() {
76
93
  const target = getPlatformKey();
77
94
  const cacheDir = getCacheDir();
@@ -97,12 +114,34 @@ async function downloadBinary() {
97
114
  } else {
98
115
  throw new Error(`unsupported release target: ${target}`);
99
116
  }
100
- const url = `https://github.com/${REPO}/releases/download/v${VERSION}/${assetName}`;
117
+ const baseUrl = `https://github.com/${REPO}/releases/download/v${VERSION}`;
118
+ const url = `${baseUrl}/${assetName}`;
101
119
 
102
120
  console.error(`foxguard: downloading v${VERSION} for ${target}...`);
103
121
 
104
122
  try {
105
- const data = await download(url);
123
+ // Download checksums and binary in parallel
124
+ const [checksumData, data] = await Promise.all([
125
+ download(`${baseUrl}/checksums.txt`),
126
+ download(url),
127
+ ]);
128
+
129
+ // Verify integrity
130
+ const checksums = parseChecksums(checksumData.toString("utf8"));
131
+ const expected = checksums[assetName];
132
+ if (!expected) {
133
+ console.error(`foxguard: integrity error — no checksum found for ${assetName} in checksums.txt`);
134
+ process.exit(1);
135
+ }
136
+
137
+ const actual = sha256(data);
138
+ if (actual !== expected) {
139
+ console.error(`foxguard: integrity error — SHA-256 mismatch for ${assetName}`);
140
+ console.error(` expected: ${expected}`);
141
+ console.error(` actual: ${actual}`);
142
+ process.exit(1);
143
+ }
144
+
106
145
  fs.writeFileSync(cachedBin, data);
107
146
 
108
147
  // Make executable
package/package.json CHANGED
@@ -1,8 +1,8 @@
1
1
  {
2
2
  "name": "foxguard",
3
- "version": "0.8.1",
3
+ "version": "0.9.0",
4
4
  "description": "A security scanner as fast as a linter, written in Rust. 170+ built-in rules across 10 languages.",
5
- "license": "MIT",
5
+ "license": "MIT OR Apache-2.0",
6
6
  "repository": {
7
7
  "type": "git",
8
8
  "url": "https://github.com/0sec-labs/foxguard.git"