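# --------------------------------------------------------------------
# nyx Vulnerability Scanner — DEFAULT CONFIGURATION
#
# Copy this file to `nyx.local` in the same directory and override
# only the keys you need. Anything you omit inherits the defaults
# shown here.
#
# NOTE(review): `null` values are not part of standard TOML; confirm the
# config loader accepts them before pointing a generic TOML parser at
# this file.
# --------------------------------------------------------------------

[scanner]
## Analysis mode. "full" runs both AST pattern matching and CFG taint
## analysis; "ast" and "cfg" run only the named analysis.
## Possible values: full | ast | cfg
mode = "full"

## Minimum severity level to include in the report
## Possible values: Low | Medium | High | Critical
min_severity = "Low"

## Maximum file size to scan (MiB); null = unlimited.
## With no limit, scan time and memory are bounded only by the largest
## file in the tree; set a cap when scanning untrusted or generated input.
max_file_size_mb = null

## File extensions to ignore completely
excluded_extensions = [
    "jpg", "png", "gif", "mp4", "avi", "mkv",
    "zip", "tar", "gz", "exe", "dll", "so",
]

## Directories to ignore completely.
## "build" and "dist" skip generated output; vendored or generated code
## that lives elsewhere in the tree is still scanned.
excluded_directories = [
    "node_modules", ".git", "target", ".vscode", ".idea", "build", "dist",
]

## Individual files to ignore completely
excluded_files = []

## Honour global ignore file (e.g. ~/.config/nyx/ignore)
read_global_ignore = false

## Honour .gitignore / .hgignore, etc.
## Ignore files are part of the tree being scanned, so anything they
## list is skipped by the scanner as well; disable this (or review the
## ignore files first) when the repository itself is untrusted.
read_vcsignore = true

## Require a .git directory to read gitignore files
require_git_to_read_vcsignore = true

## Limit search to the starting file system only
one_file_system = false

## Follow symlinks when scanning.
## Off by default so a link inside the tree cannot pull files from
## outside it into the scan.
follow_symlinks = false

## Scan hidden files (dot-files)
scan_hidden_files = false

## Enable state-model dataflow analysis (resource lifecycle + auth state).
## Detects use-after-close, double-close, resource leaks, and unauthed access.
## Requires a mode that builds the CFG (mode = "full" or "cfg"). Default: off.
enable_state_analysis = false

[database]
## Where to store the SQLite database (empty = default path)
path = ""

## Number of days to keep database files; 0 = no cleanup (UNIMPLEMENTED)
auto_cleanup_days = 30

## Maximum database size in MiB; 0 = no limit (UNIMPLEMENTED)
max_db_size_mb = 1024

## Run VACUUM on startup (UNIMPLEMENTED)
vacuum_on_startup = false

[output]
## Output format: console | json | sarif
default_format = "console"

## Suppress all human-readable status output (stderr)
quiet = false

## Enable attack-surface ranking (sort findings by exploitability score)
attack_surface_ranking = true

## Cap the number of issues shown; null = unlimited
max_results = null

## Minimum attack-surface score to include; null = no minimum
## Findings below this threshold are dropped after ranking.
## Requires attack_surface_ranking to be enabled.
min_score = null

## Minimum confidence level to include in output; unset = no minimum
## Values: "low", "medium", "high"
## Left unset by default; uncomment the line below to enable.
# min_confidence = "medium"

## Include Quality-category findings (excluded by default).
## Quality findings (e.g. unwrap, expect, panic) are noise-heavy and hidden
## unless this is set to true or --include-quality is passed.
include_quality = false

## Show all findings: disables category filtering, rollups, and LOW budgets.
## Equivalent to --all on the command line.
show_all = false

## Maximum total LOW findings to show (rollups count as 1).
max_low = 20

## Maximum LOW findings per file (rollups count as 1).
max_low_per_file = 1

## Maximum LOW findings per rule (rollups count as 1).
max_low_per_rule = 10

## Number of example locations stored in rollup findings.
rollup_examples = 5

[performance]
## Maximum search depth; null = unlimited (UNIMPLEMENTED)
max_depth = null

## Minimum depth for reported entries; null = none (UNIMPLEMENTED)
min_depth = null

## Stop traversing into matching directories
prune = false

## Worker threads; null or 0 = auto
worker_threads = null

## Number of entries to index in a single chunk
batch_size = 100

## Channel capacity multiplier (capacity = threads × this)
channel_multiplier = 4

## Maximum stack size for Rayon threads (bytes); 8388608 = 8 MiB.
## Written as a plain integer so the value does not depend on the loader
## evaluating arithmetic, and without a trailing comment that some
## parsers would fold into the value.
rayon_thread_stack_size = 8388608

## Timeout on individual files (seconds); null = none (UNIMPLEMENTED)
scan_timeout_secs = null

## Maximum memory to use in MiB; 0 = no limit (UNIMPLEMENTED).
## Because this is unimplemented, no memory cap is enforced regardless
## of the value set here.
memory_limit_mb = 512

# ─── Per-language analysis rules ─────────────────────────────────────
# Add custom sources, sanitizers, sinks, terminators, and event handlers.
# Each language is keyed under [analysis.languages.<slug>] where slug is
# one of: rust, javascript, typescript, python, go, java, c, cpp, php, ruby.
#
# Rules added here change what the taint analysis trusts: a function
# listed as a "sanitizer" is treated as neutralising the named capability,
# so list only functions that actually do so for that capability.
#
# Example: recognise `escapeHtml` as an HTML sanitizer in JavaScript:
#
# [analysis.languages.javascript]
# event_handlers = ["addEventListener"]
# terminators = ["process.exit"]
#
# [[analysis.languages.javascript.rules]]
# matchers = ["escapeHtml"]
# kind = "sanitizer"
# cap = "html_escape"
#
# [[analysis.languages.javascript.rules]]
# matchers = ["location.href", "window.location.href"]
# kind = "sink"
# cap = "url_encode"
#
# Valid `kind` values: "source", "sanitizer", "sink"
# Valid `cap` values: "env_var", "html_escape", "shell_escape",
#                     "url_encode", "json_parse", "file_io", "all"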