nyx/default-nyx.conf
Eli Peter 1bbe4b1cfb
Phase 1 (#33)
* chore: Exclude CLAUDE.md from Cargo.toml

* feat: add callgraph module and integrate into main analysis flow

* feat: enhance CLI with new severity filtering and analysis modes

* feat: update CHANGELOG with recent enhancements and fixes to severity filtering and output handling

* feat: implement state-model dataflow analysis for resource lifecycle and auth state

* feat: enhance diagnostic output formatting and add evidence structure

* feat: implement attack surface ranking for diagnostics with scoring and sorting

* feat: add comprehensive documentation for installation, usage, and rules reference

* feat: add multiple language support for command execution and evaluation endpoints

* feat: implement inline suppression for findings using `nyx:ignore` comments

* feat: add confidence levels to AST patterns and update output structure

* feat: implement low-noise prioritization system with category filtering, rollup grouping, and configurable budgets

* feat: bump version to 0.4.0 and update changelog with new features and improvements

* feat: add dead code allowances to various functions in mod.rs and real_world_tests.rs
2026-02-25 21:16:36 -05:00


# --------------------------------------------------------------------
# nyx Vulnerability Scanner — DEFAULT CONFIGURATION
#
# Copy this file to `nyx.local` in the same directory and override
# only the keys you need. Anything you omit inherits the defaults
# shown here.
# --------------------------------------------------------------------
[scanner]
## Analysis mode. `full` runs both the AST pattern matcher and the CFG
## taint analysis; `ast` and `cfg` presumably run that single pass only.
## Possible values: full | ast | cfg
mode = "full"
## Minimum severity level to include in the report
## Possible values: Low | Medium | High | Critical
min_severity = "Low"
## Maximum file size to scan (MiB); null = unlimited.
## NOTE(review): `null` is not a TOML 1.0 literal; this file relies on the
## nyx loader accepting it. With no cap, a single huge file can dominate
## scan time and memory, so set a limit when scanning untrusted trees.
max_file_size_mb = null
## File extensions to ignore completely. Anything listed here is never
## opened, so keep this to binary/archive formats and do not add source
## or configuration extensions.
excluded_extensions = [
"jpg", "png", "gif", "mp4", "avi", "mkv",
"zip", "tar", "gz", "exe", "dll", "so",
]
## Directories to ignore completely. `build` and `dist` skip generated or
## bundled output; `.git` skips repository internals.
excluded_directories = [
"node_modules", ".git", "target", ".vscode",
".idea", "build", "dist",
]
## Individual files to ignore completely
excluded_files = []
## Honour global ignore file (e.g. ~/.config/nyx/ignore)
read_global_ignore = false
## Honour .gitignore / .hgignore, etc.
## Files matched by an ignore file are skipped entirely, so locally
## present but gitignored secrets or config (e.g. `.env`) are not scanned;
## set to false when those should be audited too.
read_vcsignore = true
## Require a .git directory to read gitignore files
require_git_to_read_vcsignore = true
## Limit search to the starting file system only
one_file_system = false
## Follow symlinks when scanning. Off by default so that a link cannot
## pull the scan outside the target tree or into a symlink cycle.
follow_symlinks = false
## Scan hidden files (dot-files). Off by default; enable when dot-files
## such as `.env` or CI config under `.github/` should be covered.
scan_hidden_files = false
## Enable state-model dataflow analysis (resource lifecycle + auth state).
## Detects use-after-close, double-close, resource leaks, and unauthed access.
## Requires a mode that runs the CFG pass, i.e. mode = "full" or "cfg"
## (the listed modes are full | ast | cfg; "taint" is not one of them).
## Default: off.
enable_state_analysis = false
[database]
## Persistence for scan results. Keys marked UNIMPLEMENTED are documented
## for forward compatibility and are not honoured yet, so no cleanup, size
## cap or VACUUM happens regardless of the values below.
## Where to store the SQLite database (empty = default path)
## NOTE(review): the default location is not stated here — confirm it is
## a user-writable, non-shared directory, since findings are sensitive.
path = ""
## Number of days to keep database files; 0 = no cleanup (UNIMPLEMENTED)
auto_cleanup_days = 30
## Maximum database size in MiB; 0 = no limit (UNIMPLEMENTED)
max_db_size_mb = 1024
## Run VACUUM on startup (UNIMPLEMENTED)
vacuum_on_startup = false
[output]
## Output format: console | json | sarif
## json and sarif are the machine-readable forms; see the LOW budgets at
## the end of this section before treating an export as complete.
default_format = "console"
## Suppress all human-readable status output (stderr)
quiet = false
## Enable attack-surface ranking (sort findings by exploitability score)
attack_surface_ranking = true
## Cap the number of issues shown; null = unlimited
max_results = null
## Minimum attack-surface score to include; null = no minimum
## Findings below this threshold are dropped after ranking.
## Requires attack_surface_ranking to be enabled.
min_score = null
## Minimum confidence level to include in output; null = no minimum
## Values: "low", "medium", "high"
## (left commented out below, i.e. no minimum; uncomment to set one)
# min_confidence = "medium"
## Include Quality-category findings (excluded by default).
## Quality findings (e.g. unwrap, expect, panic) are noise-heavy and hidden
## unless this is set to true or --include-quality is passed.
include_quality = false
## Show all findings: disables category filtering, rollups, and LOW budgets.
## Equivalent to --all on the command line. Set to true when a complete
## finding set is required (e.g. a json/sarif export kept for triage or
## audit), since the budgets below limit how many LOW findings are shown.
show_all = false
## Maximum total LOW findings to show (rollups count as 1).
## The three max_low* budgets presumably apply to every output format, not
## only the console — confirm before relying on a budgeted export.
max_low = 20
## Maximum LOW findings per file (rollups count as 1).
max_low_per_file = 1
## Maximum LOW findings per rule (rollups count as 1).
max_low_per_rule = 10
## Number of example locations stored in rollup findings.
rollup_examples = 5
[performance]
## Maximum search depth; null = unlimited (UNIMPLEMENTED)
max_depth = null
## Minimum depth for reported entries; null = none (UNIMPLEMENTED)
min_depth = null
## Stop traversing into matching directories
prune = false
## Worker threads; null or 0 = auto
worker_threads = null
## Number of entries to index in a single chunk
batch_size = 100
## Channel capacity multiplier (capacity = threads × this)
channel_multiplier = 4
## Maximum stack size for Rayon threads (bytes)
## NOTE(review): `8 * 1024 * 1024` is an arithmetic expression, not a TOML
## 1.0 literal; this relies on the nyx loader evaluating it. If a plain
## TOML parser is ever used, write the value as 8_388_608 instead.
rayon_thread_stack_size = 8 * 1024 * 1024 # 8 MiB
## Timeout on individual files (seconds); null = none (UNIMPLEMENTED)
## Until this is implemented a pathological input file may stall a scan;
## max_file_size_mb in [scanner] is the only bound currently available.
scan_timeout_secs = null
## Maximum memory to use in MiB; 0 = no limit (UNIMPLEMENTED)
## Not enforced yet: there is currently no memory cap on a scan, so rely on
## max_file_size_mb in [scanner] when scanning untrusted trees.
memory_limit_mb = 512
# ─── Per-language analysis rules ─────────────────────────────────────
# Add custom sources, sanitizers, sinks, terminators, and event handlers.
# Each language is keyed under [analysis.languages.<slug>] where slug is
# one of: rust, javascript, typescript, python, go, java, c, cpp, php, ruby.
#
# Example: recognise `escapeHtml` as an HTML sanitizer, and `location.href` /
# `window.location.href` as URL sinks, in JavaScript:
#
# [analysis.languages.javascript]
# event_handlers = ["addEventListener"]
# terminators = ["process.exit"]
#
# [[analysis.languages.javascript.rules]]
# matchers = ["escapeHtml"]
# kind = "sanitizer"
# cap = "html_escape"
#
# [[analysis.languages.javascript.rules]]
# matchers = ["location.href", "window.location.href"]
# kind = "sink"
# cap = "url_encode"
#
# Valid `kind` values: "source", "sanitizer", "sink"
# Valid `cap` values: "env_var", "html_escape", "shell_escape",
# "url_encode", "json_parse", "file_io", "all"