# -------------------------------------------------------------------- # nyx Vulnerability Scanner — DEFAULT CONFIGURATION # # Copy this file to `nyx.local` in the same directory and override # only the keys you need. Anything you omit inherits the defaults # shown here. # -------------------------------------------------------------------- [scanner] ## If full uses both ast patterns and cfg taint analysis, ## Possible values: full | ast | cfg mode = "full" ## Minimum severity level to include in the report ## Possible values: Low | Medium | High | Critical min_severity = "Low" ## Maximum file size to scan (MiB); null = unlimited max_file_size_mb = null ## File extensions to ignore completely excluded_extensions = [ "jpg", "png", "gif", "mp4", "avi", "mkv", "zip", "tar", "gz", "exe", "dll", "so", ] ## Directories to ignore completely excluded_directories = [ "node_modules", ".git", "target", ".vscode", ".idea", "build", "dist", ] ## Individual files to ignore completely excluded_files = [] ## Honour global ignore file (e.g. ~/.config/nyx/ignore) read_global_ignore = false ## Honour .gitignore / .hgignore, etc. read_vcsignore = true ## Require a .git directory to read gitignore files require_git_to_read_vcsignore = true ## Limit search to the starting file system only one_file_system = false ## Follow symlinks when scanning follow_symlinks = false ## Scan hidden files (dot-files) scan_hidden_files = false [database] ## Where to store the SQLite database (empty = default path) path = "" ## Number of days to keep database files; 0 = no cleanup (UNIMPLEMENTED) auto_cleanup_days = 30 ## Maximum database size in MiB; 0 = no limit (UNIMPLEMENTED) max_db_size_mb = 1024 ## Run VACUUM on startup (UNIMPLEMENTED) vacuum_on_startup = false [output] ## Output format — only "console" exists for now default_format = "console" ## Suppress all console output (UNIMPLEMENTED) quiet = false ## Cap the number of issues shown; null = unlimited max_results = null [performance] ## Maximum search depth; null = unlimited (UNIMPLEMENTED) max_depth = null ## Minimum depth for reported entries; null = none (UNIMPLEMENTED) min_depth = null ## Stop traversing into matching directories prune = false ## Worker threads; null or 0 = auto worker_threads = null ## Number of entries to index in a single chunk batch_size = 100 ## Channel capacity multiplier (capacity = threads × this) channel_multiplier = 4 ## Maximum stack size for Rayon threads (bytes) rayon_thread_stack_size = 8 * 1024 * 1024 # 8 MiB ## Timeout on individual files (seconds); null = none (UNIMPLEMENTED) scan_timeout_secs = null ## Maximum memory to use in MiB; 0 = no limit (UNIMPLEMENTED) memory_limit_mb = 512 # ─── Per-language analysis rules ───────────────────────────────────── # Add custom sources, sanitizers, sinks, terminators, and event handlers. # Each language is keyed under [analysis.languages.] where slug is # one of: rust, javascript, typescript, python, go, java, c, cpp, php, ruby. # # Example: recognise `escapeHtml` as an HTML sanitizer in JavaScript: # # [analysis.languages.javascript] # event_handlers = ["addEventListener"] # terminators = ["process.exit"] # # [[analysis.languages.javascript.rules]] # matchers = ["escapeHtml"] # kind = "sanitizer" # cap = "html_escape" # # [[analysis.languages.javascript.rules]] # matchers = ["location.href", "window.location.href"] # kind = "sink" # cap = "url_encode" # # Valid `kind` values: "source", "sanitizer", "sink" # Valid `cap` values: "env_var", "html_escape", "shell_escape", # "url_encode", "json_parse", "file_io", "all"