apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-06 19:35:13 +02:00
Code Issues Projects Releases Packages Wiki Activity
nyx/default-nyx.conf
Eli Peter 19b578c5c4
Feat/configurable sanitizers and js precision (#32) 
* chore: Exclude CLAUDE.md from Cargo.toml

* feat: Add configurable analysis rules and CLI commands for custom sanitizers and terminators

* feat: Enhance resource management and analysis efficiency

- Implemented parallel summary merging in `scan_filesystem` using rayon for improved performance.
- Introduced `GlobalSummaries::merge()` for efficient merging of summaries.
- Optimized file reading and hashing to eliminate redundant I/O operations.
- Added `should_scan_with_hash()` and `upsert_file_with_hash()` methods to streamline file processing.
- Enhanced taint analysis with in-place mutations to reduce memory allocations.
- Updated resource acquisition patterns to exclude false positives for `freopen` and wrapper functions.

* feat: Implement severity downgrade for findings in non-production paths and add source kind inference

* feat: Update versioning information in SECURITY.md for new stable line

* feat: Update categories in Cargo.toml to include parser-implementations and text-processing

* feat: Update dependencies in Cargo.lock for improved compatibility and performance

* feat: Update dependencies in Cargo.lock and Cargo.toml for improved compatibility
2026-02-25 04:02:11 -05:00

136 lines
3.7 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# --------------------------------------------------------------------
# nyx Vulnerability Scanner — DEFAULT CONFIGURATION
#
# Copy this file to `nyx.local` in the same directory and override
# only the keys you need. Anything you omit inherits the defaults
# shown here.
# --------------------------------------------------------------------
[scanner]
## If full uses both ast patterns and cfg taint analysis,
## Possible values: full | ast | cfg
mode = "full"
## Minimum severity level to include in the report
## Possible values: Low | Medium | High | Critical
min_severity = "Low"
## Maximum file size to scan (MiB); null = unlimited
max_file_size_mb = null
## File extensions to ignore completely
excluded_extensions = [
"jpg", "png", "gif", "mp4", "avi", "mkv",
"zip", "tar", "gz", "exe", "dll", "so",
]
## Directories to ignore completely
excluded_directories = [
"node_modules", ".git", "target", ".vscode",
".idea", "build", "dist",
]
## Individual files to ignore completely
excluded_files = []
## Honour global ignore file (e.g. ~/.config/nyx/ignore)
read_global_ignore = false
## Honour .gitignore / .hgignore, etc.
read_vcsignore = true
## Require a .git directory to read gitignore files
require_git_to_read_vcsignore = true
## Limit search to the starting file system only
one_file_system = false
## Follow symlinks when scanning
follow_symlinks = false
## Scan hidden files (dot-files)
scan_hidden_files = false
[database]
## Where to store the SQLite database (empty = default path)
path = ""
## Number of days to keep database files; 0 = no cleanup (UNIMPLEMENTED)
auto_cleanup_days = 30
## Maximum database size in MiB; 0 = no limit (UNIMPLEMENTED)
max_db_size_mb = 1024
## Run VACUUM on startup (UNIMPLEMENTED)
vacuum_on_startup = false
[output]
## Output format — only "console" exists for now
default_format = "console"
## Suppress all console output (UNIMPLEMENTED)
quiet = false
## Cap the number of issues shown; null = unlimited
max_results = null
[performance]
## Maximum search depth; null = unlimited (UNIMPLEMENTED)
max_depth = null
## Minimum depth for reported entries; null = none (UNIMPLEMENTED)
min_depth = null
## Stop traversing into matching directories
prune = false
## Worker threads; null or 0 = auto
worker_threads = null
## Number of entries to index in a single chunk
batch_size = 100
## Channel capacity multiplier (capacity = threads × this)
channel_multiplier = 4
## Maximum stack size for Rayon threads (bytes)
rayon_thread_stack_size = 8 * 1024 * 1024 # 8 MiB
## Timeout on individual files (seconds); null = none (UNIMPLEMENTED)
scan_timeout_secs = null
## Maximum memory to use in MiB; 0 = no limit (UNIMPLEMENTED)
memory_limit_mb = 512
# ─── Per-language analysis rules ─────────────────────────────────────
# Add custom sources, sanitizers, sinks, terminators, and event handlers.
# Each language is keyed under [analysis.languages.<slug>] where slug is
# one of: rust, javascript, typescript, python, go, java, c, cpp, php, ruby.
#
# Example: recognise `escapeHtml` as an HTML sanitizer in JavaScript:
#
# [analysis.languages.javascript]
# event_handlers = ["addEventListener"]
# terminators = ["process.exit"]
#
# [[analysis.languages.javascript.rules]]
# matchers = ["escapeHtml"]
# kind = "sanitizer"
# cap = "html_escape"
#
# [[analysis.languages.javascript.rules]]
# matchers = ["location.href", "window.location.href"]
# kind = "sink"
# cap = "url_encode"
#
# Valid `kind` values: "source", "sanitizer", "sink"
# Valid `cap` values: "env_var", "html_escape", "shell_escape",
# "url_encode", "json_parse", "file_io", "all"
Reference in a new issue View git blame Copy permalink