nyx/docs/quickstart.md
Eli Peter 1bbe4b1cfb
Phase 1 (#33)
* chore: Exclude CLAUDE.md from Cargo.toml

* feat: add callgraph module and integrate into main analysis flow

* feat: enhance CLI with new severity filtering and analysis modes

* feat: update CHANGELOG with recent enhancements and fixes to severity filtering and output handling

* feat: implement state-model dataflow analysis for resource lifecycle and auth state

* feat: enhance diagnostic output formatting and add evidence structure

* feat: implement attack surface ranking for diagnostics with scoring and sorting

* feat: add comprehensive documentation for installation, usage, and rules reference

* feat: add multiple language support for command execution and evaluation endpoints

* feat: implement inline suppression for findings using `nyx:ignore` comments

* feat: add confidence levels to AST patterns and update output structure

* feat: implement low-noise prioritization system with category filtering, rollup grouping, and configurable budgets

* feat: bump version to 0.4.0 and update changelog with new features and improvements

* feat: add dead code allowances to various functions in mod.rs and real_world_tests.rs
2026-02-25 21:16:36 -05:00


# Quick Start

## Your first scan

```bash
# Scan the current directory
nyx scan

# Scan a specific path
nyx scan ./my-project
```

Nyx automatically creates an SQLite index on first run. Subsequent scans skip unchanged files.

## Understanding the output

A typical console output looks like:

```text
[HIGH]   taint-unsanitised-flow (source 5:11)  src/handler.rs:12:5
         Source: env::var("CMD") at 5:11
         Sink: Command::new("sh").arg("-c")
         Score: 76

[MEDIUM] cfg-unguarded-sink                    src/handler.rs:12:5
         Score: 35

[MEDIUM] rs.quality.unsafe_block               src/lib.rs:44:5
         Score: 30
```

Each finding shows:

| Field        | Meaning                                                        |
|--------------|----------------------------------------------------------------|
| Severity tag | `[HIGH]`, `[MEDIUM]`, or `[LOW]`                               |
| Rule ID      | Identifies the detector and specific rule                      |
| Location     | `file:line:col`                                                |
| Evidence     | Source, Sink, and guard details (taint findings only)          |
| Score        | Attack-surface ranking score (higher = more exploitable)       |
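As an added illustration (not code from the Nyx docs or project), here is the Rust shape behind the first two findings above, next to a guarded variant: the `CMD` value only selects an entry from a fixed allow-list and the chosen program runs without `sh -c`. The allow-list names are made up, and whether Nyx's guard detection recognises this exact check is an assumption.

```rust
use std::env;
use std::process::Command;

// Vulnerable shape: the environment value flows straight into `sh -c`.
// This is the pattern reported as taint-unsanitised-flow plus
// cfg-unguarded-sink above. Kept only for contrast; never called.
#[allow(dead_code)]
fn run_unguarded() -> std::io::Result<std::process::ExitStatus> {
    let cmd = env::var("CMD").unwrap_or_default();
    Command::new("sh").arg("-c").arg(cmd).status()
}

// Hardened shape: untrusted input only picks a fixed argv, and the
// program is spawned directly, so no shell ever parses the input.
// The entries here are constructed sample values.
const ALLOWED: &[(&str, &[&str])] = &[
    ("list", &["ls", "-l"]),
    ("disk", &["df", "-h"]),
];

/// Map a user-supplied name to an allow-listed argv, or None.
fn resolve(cmd: &str) -> Option<&'static [&'static str]> {
    ALLOWED.iter().find(|(name, _)| *name == cmd).map(|(_, argv)| *argv)
}

/// Build the Command for an allow-listed name; reject anything else.
fn run_guarded(cmd: &str) -> Result<Command, String> {
    let argv = resolve(cmd).ok_or_else(|| format!("CMD {cmd:?} is not allow-listed"))?;
    let mut c = Command::new(argv[0]);
    c.args(&argv[1..]);
    Ok(c)
}

fn main() {
    let cmd = env::var("CMD").unwrap_or_default();
    match run_guarded(&cmd) {
        Ok(mut c) => {
            let _ = c.status();
        }
        Err(e) => eprintln!("{e}"),
    }
}
```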

## Common workflows

### CI gate — fail on high-severity findings

```bash
nyx scan . --fail-on high --quiet
# Exit code 1 if any HIGH finding exists, 0 otherwise
```

### Export for tooling

```bash
# JSON for scripting
nyx scan . --format json > findings.json

# SARIF for GitHub Code Scanning
nyx scan . --format sarif > results.sarif
```

### Fast structural scan (no dataflow)

```bash
nyx scan . --mode ast
```

AST-only mode runs tree-sitter pattern queries without building CFGs or running taint analysis. It is much faster, but misses dataflow vulnerabilities.

### Filter by severity

```bash
# Only high-severity
nyx scan . --severity HIGH

# High and medium
nyx scan . --severity ">=MEDIUM"

# Specific set
nyx scan . --severity "HIGH,MEDIUM"
```

### Skip the index

```bash
nyx scan . --index off
```

Useful for one-off scans or when you don't want to write to disk.

### Scan without non-production noise

By default, findings in test/vendor/build paths are downgraded one severity tier. To keep the original severity:

```bash
nyx scan . --keep-nonprod-severity
```

## Next steps