Custom rules

Sources, sanitizers, sinks, terminators, and event handlers can be defined per language in nyx.local or through nyx config add-rule and nyx config add-terminator. Config rules take priority over the built-ins, which matters when a team has project-specific wrappers around auth, escaping, or database calls.

CI output

SARIF 2.1.0 output landed in this release. That gives Nyx a cleaner path into GitHub Code Scanning, Azure DevOps, and other tools that already consume SARIF. Findings also gain source-kind classification, so severity can be derived from whether the tainted data came from user input, the environment, files, a database, or an unknown source.
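As an added example (not Nyx's own code), a small consumer for the SARIF 2.1.0 output described above: it resolves each result's level the way the SARIF spec prescribes (explicit level, then the rule's default, then "warning"), flattens locations, and gates a CI job on blocking levels. The sample document and its properties.sourceKind key are constructed assumptions, not Nyx's documented schema.

```python
import json
from collections import Counter
# Constructed SARIF 2.1.0 document standing in for a Nyx run; the "properties" bag and
# its "sourceKind" key are an assumption for this example, not documented Nyx output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "nyx", "rules": [
            {"id": "sql-injection", "defaultConfiguration": {"level": "error"}},
            {"id": "resource-leak", "defaultConfiguration": {"level": "warning"}},
        ]}},
        "results": [
            # no explicit level: must fall back to the rule's default ("error")
            {"ruleId": "sql-injection", "message": {"text": "taint reaches db.query"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/api.py"},
                                                 "region": {"startLine": 42}}}],
             "properties": {"sourceKind": "user-input"}},
            # explicit level overrides the rule default ("warning")
            {"ruleId": "resource-leak", "level": "note", "message": {"text": "file not closed"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/t.py"},
                                                 "region": {"startLine": 7}}}],
             "properties": {"sourceKind": "file"}},
        ],
    }],
})

def resolve_level(result, rules_by_id):
    # SARIF 2.1.0 precedence: result.level, then the rule's defaultConfiguration.level, then "warning"
    if "level" in result:
        return result["level"]
    rule = rules_by_id.get(result.get("ruleId"), {})
    return rule.get("defaultConfiguration", {}).get("level", "warning")

def load_findings(sarif_text):
    # Flatten every run's results into plain dicts a CI step can filter on
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({"rule": res.get("ruleId"), "level": resolve_level(res, rules),
                             "uri": loc.get("artifactLocation", {}).get("uri"),
                             "line": loc.get("region", {}).get("startLine"),
                             "source_kind": res.get("properties", {}).get("sourceKind", "unknown")})
    return findings

def gate(findings, fail_on=("error",)):
    # CI gate: (passed, per-level counts); fails when any finding sits at a blocking level
    counts = dict(Counter(f["level"] for f in findings))
    return (not any(f["level"] in fail_on for f in findings), counts)
```

Running gate(load_findings(SAMPLE_SARIF)) fails the build on the sql-injection result even though that result carries no explicit level, which is exactly the case a naive "read result.level" consumer silently misses.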

Cleanup work

  • Non-prod files are downgraded by default, with an opt-in flag to keep original severity.
  • Resource leak detection was added for Python, Ruby, PHP, JavaScript, and TypeScript.
  • Progress bars now show discovery, pass 1, and pass 2 unless JSON, SARIF, or quiet output is active.
  • Several constant, path, event, and ownership-transfer false positives were closed.

Release Notes for today's update can be found here.