{"id":29258906,"url":"https://github.com/ecpeter23/nyx","last_synced_at":"2025-08-13T21:45:37.388Z","repository":{"id":301052620,"uuid":"1003052404","full_name":"ecpeter23/nyx","owner":"ecpeter23","description":"Lightweight Rust CLI vulnerability scanner ","archived":false,"fork":false,"pushed_at":"2025-07-03T15:03:00.000Z","size":1668,"stargazers_count":2,"open_issues_count":2,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-07-03T16:22:46.858Z","etag":null,"topics":["ast-analysis","cli-tool","code-analysis","code-quality","code-security","developer-tools","multi-language","rust","rust-cli","sast","security-automation","security-scanner","security-scanning","security-tools","sqlite","static-analysis","static-code-analysis","tree-sitter","vulnerability-detection","vulnerability-scanner"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ecpeter23.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.MD","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE-APACHE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-06-16T14:47:24.000Z","updated_at":"2025-07-03T15:03:01.000Z","dependencies_parsed_at":"2025-06-24T23:31:39.079Z","dependency_job_id":"733b4374-9e14-4d66-bc79-039e4b721284","html_url":"https://github.com/ecpeter23/nyx","commit_stats":null,"previous_names":["ecpeter23/nyx"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/ecpeter23/nyx","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ecpeter23%2Fnyx","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ecpeter23%2Fnyx/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ecpeter23%2Fnyx/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ecpeter23%2Fnyx/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ecpeter23","download_url":"https://codeload.github.com/ecpeter23/nyx/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ecpeter23%2Fnyx/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":263358408,"owners_count":23454407,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ast-analysis","cli-tool","code-analysis","code-quality","code-security","developer-tools","multi-language","rust","rust-cli","sast","security-automation","security-scanner","security-scanning","security-tools","sqlite","static-analysis","static-code-analysis","tree-sitter","vulnerability-detection","vulnerability-scanner"],"created_at":"2025-07-04T06:10:25.488Z","updated_at":"2025-07-04T06:10:28.683Z","avatar_url":"https://github.com/ecpeter23.png","language":"Rust","readme":"\u003cdiv align=\"center\"\u003e\n  \u003cimg src=\"assets/logo.png\" alt=\"nyx logo\" width=\"300\"/\u003e\n\n**Fast, cross-language cli vulnerability scanner.**\n\n[![crates.io](https://img.shields.io/crates/v/nyx-scanner.svg)](https://crates.io/crates/nyx-scanner)\n[![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0)\n[![Rust 1.85+](https://img.shields.io/badge/rust-1.85%2B-orange)](https://www.rust-lang.org)\n[![CI](https://img.shields.io/github/actions/workflow/status/ecpeter23/nyx/ci.yml?branch=master)](https://github.com/ecpeter23/nyx/actions)\n\u003c/div\u003e\n\n---\n\n## What is Nyx?\n\n**Nyx** is a lightweight lightning-fast Rust‑native command‑line tool that detects potentially dangerous code patterns across several programming languages. It combines the accuracy of [`tree‑sitter`](https://tree-sitter.github.io/) parsing with a curated rule set and an optional SQLite‑backed index to deliver fast, repeatable scans on projects of any size.\n\n\u003e[!IMPORTANT]\n\u003e **Project status – Alpha**   \n\u003e Nyx is under active development. The public interface, rule set, and output formats may change without notice while we stabilise the core. The new CFG + taint engine is experimental and Rust-only for now – please report any crashes or false-positives. Pin exact versions in production environments\n\n---\n\n## Key Capabilities\n\n| Capability                   | Description                                                                               |\n|------------------------------|-------------------------------------------------------------------------------------------|\n| Multi‑language support       | Rust, C, C++, Java, Go, PHP, Python, Ruby, TypeScript, JavaScript                         |\n| AST‑level pattern matching   | Language‑specific queries written against precise parse trees                             |\n| Incremental indexing         | SQLite database stores file hashes and previous findings to skip unchanged files          |\n| Parallel execution           | File walking and rule execution run concurrently; defaults scale with available CPU cores |\n| Configurable scan parameters | Exclude directories, set maximum file size, tune worker threads, limit output, and more   |\n| Multiple output formats      | Human‑readable console view (default) and machine‑readable JSON / CSV / SARIF (roadmap)   |\n\n---\n\n## Why choose Nyx?\n\n| Advantage                      | What it means for you                                                                                                                                                        |\n|--------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| **Pure-Rust, single binary**   | No JVM, Python, or server to install; drop the `nyx` executable into your `$PATH` and go.                                                                                    |\n| **Massively parallel**         | Uses Rayon and a thread-pool walker; scales to all CPU cores. Example: scanning the entire **rust-lang/rust** codebase (~53,000 files) on an M2 MacBook Pro takes **≈ 1 s**. |\n| **Index-aware**                | An optional SQLite index stores file hashes and findings, subsequent scans touch *only* changed files, slashing CI times.                                                    |\n| **Offline \u0026 privacy-friendly** | Requires no login, cloud account, or telemetry. Perfect for air-gapped environments and strict compliance policies.                                                          |\n| **Tree-sitter precision**      | Parses real language grammars, not regexes, giving far fewer false positives than line-based scanners.                                                                       |\n| **Extensible**                 | Add new patterns with concise `tree-sitter` queries; no SaaS lock-in.                                                                                                        |\n\n---\n\n## Installation\n\n### Install crate\n```bash\n$ cargo install nyx-scanner\n```\n\n### Install Github release\n1. Navigate to the [Releases](https://github.com/ecpeter23/nyx/releases) page of the repository.\n2. Download the appropriate binary for your system:\n\n    ```nyx-x86_64-unknown-linux-gnu.zip``` for Linux\n\n    ```nyx-x86_64-pc-windows-msvc.zip``` for Windows\n\n    ```nyx-x86_64-apple-darwin.zip``` or ```nyx-aarch64-apple-darwin.zip``` for macOS (Intel or Apple Silicon)\n\n3. Unzip the file and move the executable to a directory in your system PATH:\n    ```bash\n    # Example for Unix systems\n    unzip nyx-x86_64-unknown-linux-gnu.zip\n    chmod +x nyx\n    sudo mv nyx /usr/local/bin/\n    ```\n    ```bash\n    # Example for Windows in PowerShell\n    Expand-Archive -Path nyx-x86_64-pc-windows-msvc.zip -DestinationPath .\n    Move-Item -Path .\\nyx.exe -Destination \"C:\\Program Files\\Nyx\\\"  # Add to PATH manually if needed\n    ```\n   \n4. Verify the installation:\n     ```bash\n    nyx --version\n    ```\n### Build from source\n\n```bash\n$ git clone https://github.com/ecpeter23/nyx.git\n$ cd nyx\n$ cargo build --release\n# optional – copy the binary into PATH\n$ cargo install --path .\n```\n\nNyx targets **stable Rust 1.85 or later**.\n\n---\n\n## Quick Start\n\n```bash\n# Scan the current directory (creates/uses an index automatically)\n$ nyx scan\n\n# Scan a specific path and emit JSON\n$ nyx scan ./server --format json\n\n# Perform an ad‑hoc scan without touching the index\n$ nyx scan --no-index\n\n# Restrict results to high‑severity findings\n$ nyx scan --high-only\n```\n\n### Index Management\n\n```bash\n# Create or rebuild an index\n$ nyx index build [PATH] [--force]\n\n# Display index metadata (size, modified date, etc.)\n$ nyx index status [PATH]\n\n# List all indexed projects (add -v for detailed view)\n$ nyx list [-v]\n\n# Remove a single project or purge all indexes\n$ nyx clean \u003cPROJECT_NAME\u003e\n$ nyx clean --all\n```\n\n---\n\n## Configuration Overview\n\nNyx merges a default configuration file (`nyx.conf`) with user overrides (`nyx.local`). Both live in the platform‑specific configuration directory shown below.\n\n| Platform      | Directory                                          |\n|---------------|----------------------------------------------------|\n| Linux         | `~/.config/nyx/`                                   |\n| macOS         | `~/Library/Application Support/dev.ecpeter23.nyx/` |\n| Windows       | `%APPDATA%\\ecpeter23\\nyx\\config\\`                  |\n\nMinimal example (`nyx.local`):\n\n```toml\n[scanner]\nmin_severity        = \"Medium\"\nfollow_symlinks     = true\nexcluded_extensions = [\"mp3\", \"mp4\"]\n\n[output]\ndefault_format = \"json\"\nmax_results    = 200\n\n[performance]\nworker_threads     = 8  # 0 = auto‑detect\nbatch_size         = 200\nchannel_multiplier = 2\n```\n\nA fully documented `nyx.conf` is generated automatically on first run.\n\n---\n\n## Architecture in Brief\n\n1. **File enumeration** – A highly parallel walker applies ignore rules, size limits, and user exclusions.\n2. **Parsing** – Supported files are parsed into ASTs via the appropriate `tree‑sitter` grammar.\n3. **Rule execution** – Each language ships with a dedicated rule set expressed as `tree‑sitter` queries. Matches are classified into three severity levels (`High`, `Medium`, `Low`).\n4. **Indexing (optional)** – File digests and findings are stored in SQLite. Later scans skip files whose content and modification time are unchanged.\n5. **Reporting** – Results are grouped by file and emitted to the console or serialized in the requested format.\n\n---\n\n## Roadmap\n\n| Area                  | Planned Improvements                                                                                  |\n|-----------------------|-------------------------------------------------------------------------------------------------------|\n| More language support | Plans to create rule sets for over 100 languages for maximum coverage                                 |\n| Control‑flow analysis | Inter‑procedural function summaries. Cap label propagation \u0026 bit‑flag checks. Loop/branch sensitivity |\n| Taint tracking        | Intra‑ / inter‑procedural tracing of untrusted data from sources to sinks                             |\n| Output formats        | Full SARIF 2.1.0, JUnit XML, HTML report generator                                                    |\n| Rule updates          | Remote rule feed with signature verification                                                          |\n| Performance \u0026 UX      | Incremental CFG cache, progress‑bar UX, smart file‑watch re‑scan                                      |\n\nCommunity feedback will help shape priorities; please open an issue to discuss proposed changes.\n\n---\n\n## Experimental Features \u0026 Feedback\n\nThe new Rust intra‑procedural CFG + taint engine is not enabled.\n\nExpect rough edges: slightly slower scans, occasional false positives, limited language coverage.\n\nPlease open an issue for every crash, panic, or suspicious result – attach the minimal code snippet and mention the Nyx version.\n\n---\n\n## Contributing\n\nPull requests are welcome. To contribute:\n\n1. Fork the repository and create a feature branch.\n2. Adhere to `rustfmt` and ensure `cargo clippy --all -- -D warnings` passes.\n3. Add unit and/or integration tests where applicable (`cargo test` should remain green).\n4. Submit a concise, well‑documented pull request.\n\nSee `CONTRIBUTING.md` for full guidelines.\n\n---\n\n## License\n\nNyx is licensed under the **GNU General Public License v3.0 (GPL‑3.0)**.\n\nThis ensures that all modified versions of the scanner remain free and open-source, protecting the integrity and transparency of security tools.\n\nSee [LICENSE](./LICENSE) for full details.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fecpeter23%2Fnyx","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fecpeter23%2Fnyx","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fecpeter23%2Fnyx/lists"}