# Nyx

Nyx is an open-source, local-first security scanner for developers. It runs cross-file interprocedural taint analysis on your repository, then serves findings in a React UI bound to `127.0.0.1`. No cloud, no account, no source upload. Everything stays on your machine.

## Install

```bash
cargo install nyx-scanner
```

Requires Rust 1.88+. Pre-built binaries for Linux and macOS (x86_64, ARM64) are on the [Releases page](https://github.com/elicpeter/nyx/releases).

## Basic usage

```bash
nyx scan    # taint analysis, caches findings in .nyx/
nyx serve   # opens http://localhost:9700 in your browser
```

## CI usage

```bash
nyx scan --format sarif --fail-on MEDIUM > results.sarif
```

GitHub Action:

```yaml
- uses: elicpeter/nyx@v0.6.1
  with:
    format: sarif
    fail-on: MEDIUM
- uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: nyx-results.sarif
```

## Supported languages

| Tier | Languages | Use as CI gate? |
|------|-----------|-----------------|
| Stable | Python, JavaScript, TypeScript | Yes |
| Beta | Go, Java, PHP, Ruby, Rust | Yes, with light FP triage |
| Preview | C, C++ | No — deep pointer aliasing and function pointers not tracked |

All 10 languages parse via tree-sitter and run through the same cross-file taint pipeline. Rule-level F1 = 100% on a 507-case corpus across all 10 languages.

## What it detects

Four detector families:

- Taint analysis: cross-file source to sink
- CFG structural: auth gaps, unguarded sinks
- State model: use-after-close, resource leaks
- AST patterns: banned APIs, weak crypto

Taint analysis finds: SQL injection, command injection, path traversal, SSRF, XSS, unsafe deserialization, code execution (eval, SSTI), open redirect, data exfiltration.

Verified against 38 published CVEs across all 10 languages, including Ray (CVE-2023-48022), mongo-express (CVE-2019-14939), hashicorp/go-getter (CVE-2022-30323), Apache Commons Collections (CVE-2015-7501), Rust stdlib (CVE-2024-24576), and others.
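To show what "cross-file source to sink" taint tracking means in practice, here is an added toy model of forward, interprocedural taint propagation with sanitizer kills, written for this README and not taken from Nyx's engine; the two "files" (`handlers` and `db`), their functions and the statement encoding are all constructed for the illustration.

```python
# Constructed toy model of cross-file taint propagation (not Nyx's engine; names are
# made up). Statements: ("source", dst, origin) ("assign", dst, src) ("sanitize", dst, src)
# ("call", dst, callee, arg) ("sink", api, var) ("return", var)
PROGRAM = {  # function -> (parameter, statements); dotted names span two "files"
    # web/handlers.py
    "handlers.search": ("req", [("source", "q", "request.args"),
                                ("call", "rows", "db.find_user", "q")]),
    "handlers.safe_search": ("req", [("source", "q", "request.args"),
                                     ("sanitize", "clean", "q"),
                                     ("call", "rows", "db.find_user", "clean")]),
    # db/queries.py
    "db.find_user": ("name", [("assign", "sql", "name"),
                              ("call", "_", "db.execute", "sql")]),
    "db.execute": ("stmt", [("sink", "cursor.execute", "stmt")]),
}
def analyze(func, param_tainted=False, stack=()):
    """Forward taint through one function; returns (return_is_tainted, flows).
    Each flow is the list of (function, step) pairs from source to sink."""
    if func in stack:                       # recursion guard for call cycles
        return False, []
    param, stmts = PROGRAM[func]
    tainted = {param: [(func, f"param {param}")]} if param_tainted else {}
    returns_taint, flows = False, []
    for st in stmts:
        kind, dst = st[0], st[1]
        if kind == "source":
            tainted[dst] = [(func, f"{dst} = {st[2]}")]
        elif kind == "assign":
            if st[2] in tainted:
                tainted[dst] = tainted[st[2]] + [(func, f"{dst} = {st[2]}")]
            else:
                tainted.pop(dst, None)      # a clean value overwrites earlier taint
        elif kind == "sanitize":
            tainted.pop(dst, None)          # sanitizer output is treated as clean
        elif kind == "call":
            arg_path = tainted.get(st[3])
            sub_ret, sub_flows = analyze(st[2], arg_path is not None, stack + (func,))
            here = [(func, f"{dst} = {st[2]}({st[3]})")]
            if arg_path is not None:        # a callee's own-source flows are reported under the callee
                flows += [arg_path + here + f for f in sub_flows]
            if sub_ret:
                tainted[dst] = (arg_path or []) + here
        elif kind == "sink" and st[2] in tainted:
            flows.append(tainted[st[2]] + [(func, f"{st[1]}({st[2]})")])
        elif kind == "return" and dst in tainted:
            returns_taint = True
    return returns_taint, flows

def scan():  # every function is an entry point; keep only those with source-to-sink flows
    return {f: analyze(f)[1] for f in PROGRAM if analyze(f)[1]}
```

Running `scan()` reports a single seven-step flow for `handlers.search` (request input, through `db.find_user`, into `cursor.execute`) and nothing for `handlers.safe_search`, whose sanitizer cuts the path before the cross-file call.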
## Browser UI

`nyx serve` opens a local React UI at `127.0.0.1:9700`:

- Overview dashboard: finding counts, severity breakdown, health score
- Finding list: severity, confidence, triage status, rule and language filters
- Flow visualizer: numbered source to sanitizer to sink steps with code snippets
- Bulk triage with audit trail (states: open, investigating, fixed, false_positive, accepted_risk, suppressed)
- Scan history and diff view
- File explorer with per-file finding overlay
- Rules editor (built-in and custom)
- Config editor

## Security model

Loopback-only bind (`127.0.0.1`). Host-header enforcement. CSRF protection on every mutation. No telemetry. No outbound connections. Source code never leaves the machine.

## Engine depth

```bash
nyx scan --mode ast              # AST patterns only, fastest
nyx scan --mode full             # default: taint + CFG + state + AST
nyx scan --engine-profile deep   # adds symex + backwards taint (~2-3x cost)
```

## Output formats

- `console` (default)
- `sarif` (GitHub Code Scanning, any SARIF viewer)
- `json`

## Compared to alternatives

**vs Semgrep:** Semgrep matches patterns. Cross-file taint tracking requires Semgrep Pro (paid). Nyx does it in the open-source version.

**vs CodeQL:** CodeQL needs a build step and either GitHub Actions or the CodeQL CLI. Nyx reads source files directly with no build step required.

**vs Snyk:** Snyk sends code to its cloud and requires an account. Nyx runs entirely on-device.

**vs Bandit / ESLint plugins:** Pattern-based linters that do not track data flow. Nyx traces the full source-to-sink path.

## License and cost

GPL-3.0-or-later. Free, no paid tier, no usage limits.
## Links

- Primary site: https://nyxscan.dev
- Source code: https://github.com/elicpeter/nyx
- Crate: https://crates.io/crates/nyx-scanner
- Docs: https://elicpeter.github.io/nyx/
- Rustdocs: https://docs.rs/nyx-scanner/latest/nyx_scanner/
- Releases: https://github.com/elicpeter/nyx/releases

## Real-world findings

Nyx has been used to find and report 3 vulnerabilities in widely-used open-source projects. One fix is merged. Two patches are in progress. Projects and details withheld pending patch release.

## Key topics

- local-first security scanner
- open-source SAST
- static application security testing
- source-to-sink taint analysis
- cross-file interprocedural taint
- no cloud security scanner
- offline security scanner
- developer security workflow
- Rust security tooling
- SARIF output
- GitHub Actions security
- browser triage UI
- no code upload scanner
- privacy-preserving SAST
- security scanner without account
- alternative to Semgrep
- alternative to CodeQL
- alternative to Snyk