mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-06 19:35:13 +02:00
1bbe4b1cfb
* chore: Exclude CLAUDE.md from Cargo.toml * feat: add callgraph module and integrate into main analysis flow * feat: enhance CLI with new severity filtering and analysis modes * feat: update CHANGELOG with recent enhancements and fixes to severity filtering and output handling * feat: implement state-model dataflow analysis for resource lifecycle and auth state * feat: enhance diagnostic output formatting and add evidence structure * feat: implement attack surface ranking for diagnostics with scoring and sorting * feat: add comprehensive documentation for installation, usage, and rules reference * feat: add multiple language support for command execution and evaluation endpoints * feat: implement inline suppression for findings using `nyx:ignore` comments * feat: add confidence levels to AST patterns and update output structure * feat: implement low-noise prioritization system with category filtering, rollup grouping, and configurable budgets * feat: bump version to 0.4.0 and update changelog with new features and improvements * feat: add dead code allowances to various functions in mod.rs and real_world_tests.rs
103 lines
2.3 KiB
Markdown
103 lines
2.3 KiB
Markdown
# Quick Start
|
|
|
|
## Your first scan
|
|
|
|
```bash
|
|
# Scan the current directory
|
|
nyx scan
|
|
|
|
# Scan a specific path
|
|
nyx scan ./my-project
|
|
```
|
|
|
|
Nyx automatically creates an SQLite index on first run. Subsequent scans skip unchanged files.
|
|
|
|
## Understanding the output
|
|
|
|
A typical console output looks like:
|
|
|
|
```
|
|
[HIGH] taint-unsanitised-flow (source 5:11) src/handler.rs:12:5
|
|
Source: env::var("CMD") at 5:11
|
|
Sink: Command::new("sh").arg("-c")
|
|
Score: 76
|
|
|
|
[MEDIUM] cfg-unguarded-sink src/handler.rs:12:5
|
|
Score: 35
|
|
|
|
[MEDIUM] rs.quality.unsafe_block src/lib.rs:44:5
|
|
Score: 30
|
|
```
|
|
|
|
Each finding shows:
|
|
|
|
| Field | Meaning |
|
|
|-------|---------|
|
|
| **Severity tag** | `[HIGH]`, `[MEDIUM]`, or `[LOW]` |
|
|
| **Rule ID** | Identifies the detector and specific rule |
|
|
| **Location** | `file:line:col` |
|
|
| **Evidence** | Source, Sink, and guard details (taint findings only) |
|
|
| **Score** | Attack-surface ranking score (higher = more exploitable) |
|
|
|
|
## Common workflows
|
|
|
|
### CI gate — fail on high-severity findings
|
|
|
|
```bash
|
|
nyx scan . --fail-on high --quiet
|
|
# Exit code 1 if any HIGH finding exists, 0 otherwise
|
|
```
|
|
|
|
### Export for tooling
|
|
|
|
```bash
|
|
# JSON for scripting
|
|
nyx scan . --format json > findings.json
|
|
|
|
# SARIF for GitHub Code Scanning
|
|
nyx scan . --format sarif > results.sarif
|
|
```
|
|
|
|
### Fast structural scan (no dataflow)
|
|
|
|
```bash
|
|
nyx scan . --mode ast
|
|
```
|
|
|
|
AST-only mode runs tree-sitter pattern queries without building CFGs or running taint analysis. Much faster, but misses dataflow vulnerabilities.
|
|
|
|
### Filter by severity
|
|
|
|
```bash
|
|
# Only high-severity
|
|
nyx scan . --severity HIGH
|
|
|
|
# High and medium
|
|
nyx scan . --severity ">=MEDIUM"
|
|
|
|
# Specific set
|
|
nyx scan . --severity "HIGH,MEDIUM"
|
|
```
|
|
|
|
### Skip the index
|
|
|
|
```bash
|
|
nyx scan . --index off
|
|
```
|
|
|
|
Useful for one-off scans or when you don't want to write to disk.
|
|
|
|
### Scan without non-production noise
|
|
|
|
By default, findings in test/vendor/build paths are downgraded one severity tier. To keep original severity:
|
|
|
|
```bash
|
|
nyx scan . --keep-nonprod-severity
|
|
```
|
|
|
|
## Next steps
|
|
|
|
- [CLI Reference](cli.md) — All flags and options
|
|
- [Configuration](configuration.md) — Customize rules, exclusions, and behavior
|
|
- [Detector Overview](detectors.md) — How the analysis engines work
|
|
- [Rule Reference](rules/index.md) — Browse all rules by language
|