diff --git a/docs/auth.md b/docs/auth.md index bf0a6deb..c60303f7 100644 --- a/docs/auth.md +++ b/docs/auth.md @@ -110,7 +110,7 @@ nyx scan . --severity ">=MEDIUM" --min-confidence medium Auth findings render alongside taint findings in the [browser UI](serve.md). The flow visualiser shows the sink call, the actor reference (when one was found), and any helper-summary path the engine traversed; the How to fix panel mirrors the rule's recommendation. -

Nyx finding detail: numbered source → call → sink walk with a How to fix panel and an inline evidence object

+

Nyx finding detail: numbered source → call → sink walk with a How to fix panel and an inline evidence object

## Benchmark corpus diff --git a/docs/cli.md b/docs/cli.md index 79936b42..3635a33f 100644 --- a/docs/cli.md +++ b/docs/cli.md @@ -95,11 +95,11 @@ nyx scan [PATH] [OPTIONS] `--fail-on` returns a non-zero exit code when the threshold trips, so CI jobs fail without further wiring: -

nyx scan with --fail-on HIGH against a small fixture: three HIGH taint findings printed, followed by exit=1 from the shell

+

nyx scan with --fail-on HIGH against a small fixture: three HIGH taint findings printed, followed by exit=1 from the shell

Quality-category and rollup-prone Low findings are filtered down by default. The footer tells you exactly what got dropped and which knob to turn: -

nyx scan tail: warning '*' generated 57 issues; Suppressed 92 LOW/Quality findings; Active filters max_low=20, max_low_per_file=1, max_low_per_rule=10; Use --include-quality, --max-low, or --all to adjust

+

nyx scan tail: warning '*' generated 57 issues; Suppressed 92 LOW/Quality findings; Active filters max_low=20, max_low_per_file=1, max_low_per_rule=10; Use --include-quality, --max-low, or --all to adjust

### Analysis Engine Toggles @@ -150,7 +150,7 @@ Individual flags override the profile. For example, `--engine-profile fast --ba nyx scan --engine-profile deep --no-smt --explain-engine ``` -

nyx scan --engine-profile deep --explain-engine output: resolved config showing every analysis pass, its current state, and the CLI flag/env var that controls it

+

nyx scan --engine-profile deep --explain-engine output: resolved config showing every analysis pass, its current state, and the CLI flag/env var that controls it

### Examples @@ -215,7 +215,7 @@ nyx index status [PATH] Display index statistics (file count, size, last modified) for the given path. -

nyx index status output: project name, index path under the platform config dir, exists/size/modified fields

+

nyx index status output: project name, index path under the platform config dir, exists/size/modified fields

--- @@ -256,7 +256,7 @@ Manage configuration. Print the effective merged configuration as TOML. Useful for sanity-checking what the scanner is actually using after `nyx.conf` and `nyx.local` merge: -

nyx config show output: TOML dump of the merged scanner config showing [scanner] mode/min_severity/excluded_extensions/excluded_directories, [database] settings, and resolved engine toggles

+

nyx config show output: TOML dump of the merged scanner config showing [scanner] mode/min_severity/excluded_extensions/excluded_directories, [database] settings, and resolved engine toggles

### `nyx config path` diff --git a/docs/configuration.md b/docs/configuration.md index 15d2b6f2..5704c66f 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -2,7 +2,7 @@ Nyx uses TOML configuration files. A default config is auto-generated on first run. If you'd rather edit settings and rules from the browser, the [Config page in `nyx serve`](serve.md#config) is a live editor that writes back to `nyx.local`: -

Nyx config page: General settings, Triage Sync toggle, Sources panel with language/matcher/capability dropdowns and a per-language matcher table

+

Nyx config page: General settings, Triage Sync toggle, Sources panel with language/matcher/capability dropdowns and a per-language matcher table

## File Locations diff --git a/docs/detectors/taint.md b/docs/detectors/taint.md index 4ada6baa..d8490eb2 100644 --- a/docs/detectors/taint.md +++ b/docs/detectors/taint.md @@ -92,7 +92,7 @@ AST-only mode gives you structural pattern matches without taint. In the browser UI, taint findings render as a numbered flow walk so you can see each hop the engine took: -

Nyx finding detail: HIGH taint-unsanitised-flow with numbered source → call → sink steps and How to fix guidance

+

Nyx finding detail: HIGH taint-unsanitised-flow with numbered source → call → sink steps and How to fix guidance

## Example diff --git a/docs/quickstart.md b/docs/quickstart.md index 1cdfbe3f..442eb813 100644 --- a/docs/quickstart.md +++ b/docs/quickstart.md @@ -10,7 +10,7 @@ First run builds a SQLite index under `.nyx/`; later runs skip files whose conte ## What a finding looks like -

nyx scan output: HIGH taint flows from req.params.user, req.query.url, and req.query.path into exec/fetch/fs.readFileSync, framed by the brand mint-cyan gradient

+

nyx scan output: HIGH taint flows from req.params.user, req.query.url, and req.query.path into exec/fetch/fs.readFileSync, framed by the brand mint-cyan gradient

The same scan in console form: diff --git a/docs/rules.md b/docs/rules.md index 94482051..22ca8f2b 100644 --- a/docs/rules.md +++ b/docs/rules.md @@ -6,7 +6,7 @@ Every finding Nyx emits has a rule ID. This page enumerates the IDs that ship wi If you'd rather browse rules interactively, [`nyx serve`](serve.md) ships a Rules page that lists every loaded matcher with its language, kind, and capability: -

Nyx Rules page: filterable list of 218 rules with language, kind (SOURCE/SANITIZER/SINK), capability, and finding count columns

+

Nyx Rules page: filterable list of 218 rules with language, kind (SOURCE/SANITIZER/SINK), capability, and finding count columns

## ID format diff --git a/docs/serve.md b/docs/serve.md index 648ce2ab..72316375 100644 --- a/docs/serve.md +++ b/docs/serve.md @@ -11,7 +11,7 @@ nyx serve --no-browser # don't auto-open Persistent settings live under `[server]` in `nyx.conf` / `nyx.local`. -

Nyx UI overview: total findings, severity breakdown, language and category distribution, top affected files

+

Nyx UI overview: total findings, severity breakdown, language and category distribution, top affected files

## What it serves, and what it doesn't @@ -88,11 +88,11 @@ Ceilings are calibrated for the current scanner false-positive rates. As symex c The findings list is filterable by severity, confidence, category, language, rule ID, and triage state. -

Nyx findings list: 13 findings filtered by severity/confidence/rule, with status badges, file paths, and language tags

+

Nyx findings list: 13 findings filtered by severity/confidence/rule, with status badges, file paths, and language tags

Clicking through opens the **flow visualiser**: a numbered walk from source to sink with the snippet at each step, cross-file markers when the path leaves the current file, the rule's "How to fix" guidance, and the engine's evidence object inline. -

Nyx finding detail: HIGH taint-unsanitised-flow showing source → call → sink steps, How to fix guidance, and evidence panel

+

Nyx finding detail: HIGH taint-unsanitised-flow showing source → call → sink steps, How to fix guidance, and evidence panel

Engine notes call out when precision was bounded for that finding (`OriginsTruncated`, `PointsToTruncated`, `PathWidened`, `ForwardBailed`, etc.). Anything tagged `under-report` means the emitted flow is real and the result set is a lower bound; `over-report` means widening or bail. `--require-converged` in the CLI drops the over-report ones for strict gates. @@ -100,7 +100,7 @@ Engine notes call out when precision was bounded for that finding (`OriginsTrunc Each finding carries a triage state: `open`, `investigating`, `false_positive`, `accepted_risk`, `suppressed`, or `fixed`. The triage page bulk-updates them and shows the audit trail. -

Nyx triage page: 13 findings need attention, severity breakdown, Findings/Suppression rules/Audit log tabs, rule chips, Investigate buttons

+

Nyx triage page: 13 findings need attention, severity breakdown, Findings/Suppression rules/Audit log tabs, rule chips, Investigate buttons

State writes are persisted to SQLite immediately, and (when `[server].triage_sync = true`, default on) mirrored to `.nyx/triage.json` in the project root. Commit that file: @@ -114,7 +114,7 @@ It carries decisions across machines so a teammate's local scan reflects yours. A file tree with per-file finding counts, syntax-highlighted source, and a right rail with the file's symbols and findings. Useful for "what's wrong with this module" rather than "what's wrong with this finding". -

Nyx explorer: file tree with per-file finding counts, syntax-highlighted Python source with red sink marker on the os.system line, file-summary right rail with findings

+

Nyx explorer: file tree with per-file finding counts, syntax-highlighted Python source with red sink marker on the os.system line, file-summary right rail with findings

The path query string preselects a file: `/explorer?file=src/handler.rs`. @@ -122,11 +122,11 @@ The path query string preselects a file: `/explorer?file=src/handler.rs`. Past runs are persisted when `[runs].persist = true` (off by default to avoid disk growth on heavy users). When persistence is on, `/scans` lists historical runs. -

Nyx scans list: completed scan run with root, duration, finding count, languages, and started timestamp

+

Nyx scans list: completed scan run with root, duration, finding count, languages, and started timestamp

Each run drills into a detail page with files scanned, findings count, duration, languages, and a per-pass timing breakdown. -

Nyx scan detail: Summary tab with files scanned, findings, duration, languages; Details panel with Scan ID, Root, Engine version, started/finished timestamps; Timing breakdown bar showing Walk/Pass 1/Call Graph/Pass 2/Post

+

Nyx scan detail: Summary tab with files scanned, findings, duration, languages; Details panel with Scan ID, Root, Engine version, started/finished timestamps; Timing breakdown bar showing Walk/Pass 1/Call Graph/Pass 2/Post

Pick two scans to diff and see what got introduced, fixed, or rediscovered between runs. The retention cap is `[runs].max_runs` (default 100). Each run can also optionally save its log and stdout (`save_logs`, `save_stdout`); both are off by default. Code snippets are saved (`save_code_snippets = true`); turn off if storage is tight. @@ -134,7 +134,7 @@ Pick two scans to diff and see what got introduced, fixed, or rediscovered betwe Every rule the engine knows about, built-in plus user-added. Each row shows the matchers, kind (source / sanitiser / sink), capability, language, and how many findings it produced in the latest scan. Filter by language, by kind, or by free text. -

Nyx rules page: 218 rules with language/kind dropdowns and a matcher search; rows showing rule title, language, kind (SOURCE/SANITIZER/SINK), cap, and finding count

+

Nyx rules page: 218 rules with language/kind dropdowns and a matcher search; rows showing rule title, language, kind (SOURCE/SANITIZER/SINK), cap, and finding count

User-added rules can be deleted from this page; built-ins are immutable. Built-ins live in `src/labels/.rs` and `src/patterns/.rs`; user-added entries write to `nyx.local`. @@ -142,7 +142,7 @@ User-added rules can be deleted from this page; built-ins are immutable. Built-i A live config editor. Reads the merged config (`nyx.conf` + `nyx.local`), lets you flip switches and add custom source / sanitizer / sink rules, and writes back to `nyx.local`. Changes apply to the next scan; the running server uses its initial config snapshot. -

Nyx config page: General settings (analysis mode, max file size, excluded extensions, attack-surface ranking), Triage Sync toggle, Sources section with language/matcher/capability dropdowns and a per-language matcher table

+

Nyx config page: General settings (analysis mode, max file size, excluded extensions, attack-surface ranking), Triage Sync toggle, Sources section with language/matcher/capability dropdowns and a per-language matcher table

The custom-rule form picks a language, a matcher (function or property name), and a capability. The capability list matches the `Cap` bitflags the taint engine uses; see [rules.md](rules.md#capability-list-for-custom-rules) for what each one means.
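Review bot: In the `docs/auth.md` hunk at `@@ -110,7 +110,7 @@` the removed and added lines carry byte-identical visible text ("Nyx finding detail: numbered source → call → sink walk with a How to fix panel and an inline evidence object"), so whatever actually changed is in the image reference, which this rendering of the diff does not show. The same holds for every other hunk in the patch. Please say in the commit message what was swapped (new asset path, format, regenerated screenshot) and confirm that each new target is checked in by this same change and each old one is removed, otherwise the docs will reference a missing file.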
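Review bot: The second image in the `docs/cli.md` hunk at `@@ -95,11 +95,11 @@` embeds run-specific numbers in its alt text ("warning '*' generated 57 issues; Suppressed 92 LOW/Quality findings; Active filters max_low=20, max_low_per_file=1, max_low_per_rule=10"). If the screenshot was regenerated, re-check that these figures still match the picture; if it was not, consider trimming the alt text to the structural content (suppression footer, active filters, the flags `--include-quality`, `--max-low`, `--all`) so it does not go stale on the next refresh.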
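Review bot: In the `docs/cli.md` hunk at `@@ -150,7 +150,7 @@` the command shown immediately above the image is `nyx scan --engine-profile deep --no-smt --explain-engine`, but the alt text describes `nyx scan --engine-profile deep --explain-engine output`. Either the screenshot was taken without `--no-smt`, in which case the resolved config it shows will not match the command the reader just ran, or the alt text dropped the flag. Please align the two.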
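Review bot: The `docs/configuration.md` hunk at `@@ -2,7 +2,7 @@` and the `docs/serve.md` hunk at `@@ -142,7 +142,7 @@` describe the same Config page screenshot with different alt text (the serve.md version lists "analysis mode, max file size, excluded extensions, attack-surface ranking", the configuration.md version does not). If both point at one asset, share the alt text; if they are two captures, say which is current, since the configuration.md paragraph links to the serve.md section and a reader will see both.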
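Review bot: In the `docs/quickstart.md` hunk at `@@ -10,7 +10,7 @@` the alt text ends with "framed by the brand mint-cyan gradient". That is presentational, not informative, and is read aloud by screen readers; drop it and keep only what the finding output shows (HIGH taint flows from `req.params.user`, `req.query.url`, `req.query.path` into `exec`/`fetch`/`fs.readFileSync`).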
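Review bot: The `docs/rules.md` hunk at `@@ -6,7 +6,7 @@` and the `docs/serve.md` hunk at `@@ -134,7 +134,7 @@` both hard-code "218 rules" in the alt text. That count changes every time a matcher is added, and nothing in this patch ties it to a version, so it will drift from the Rules page the reader actually sees. Suggest "filterable list of rules" without the number, or note in the surrounding prose that the screenshot is a snapshot from a particular release.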
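Review bot: In the `docs/serve.md` hunk at `@@ -114,7 +114,7 @@` the alt text describes a Python file with a red sink marker on the `os.system` line, while the trailing context line gives the example URL `/explorer?file=src/handler.rs`. Not wrong, but a reader matching the screenshot to the example will wonder why the paths differ; either pick a `.py` path for the query-string example or mention that the explorer is language-agnostic.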
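Review bot: While touching the `docs/serve.md` hunk at `@@ -134,7 +134,7 @@`, the trailing context line reads "Built-ins live in `src/labels/.rs` and `src/patterns/.rs`". As printed those are not valid file paths; if the glob wildcard was lost when the page was last edited, this pass is a good place to restore it, and if the intended reference is a directory, say so.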