Fast, cross-language cli vulnerability scanner.
Nyx is a lightweight lightning-fast Rust‑native command‑line tool that detects potentially dangerous code patterns across several programming languages. It combines the accuracy of tree‑sitter parsing with a curated rule set and an optional SQLite‑backed index to deliver fast, repeatable scans on projects of any size.
Important
Project status – Alpha
Nyx is under active development. The public interface, rule set, and output formats may change without notice while we stabilise the core. The new CFG + taint engine is experimental and Rust-only for now – please report any crashes or false-positives. Pin exact versions in production environments
| Capability | Description |
|---|---|
| Multi‑language support | Rust, C, C++, Java, Go, PHP, Python, Ruby, TypeScript, JavaScript |
| AST‑level pattern matching | Language‑specific queries written against precise parse trees |
| Incremental indexing | SQLite database stores file hashes and previous findings to skip unchanged files |
| Parallel execution | File walking and rule execution run concurrently; defaults scale with available CPU cores |
| Configurable scan parameters | Exclude directories, set maximum file size, tune worker threads, limit output, and more |
| Multiple output formats | Human‑readable console view (default) and machine‑readable JSON / CSV / SARIF (roadmap) |
| Advantage | What it means for you |
|---|---|
| Pure-Rust, single binary | No JVM, Python, or server to install; drop the nyx executable into your $PATH and go. |
| Massively parallel | Uses Rayon and a thread-pool walker; scales to all CPU cores. Example: scanning the entire rust-lang/rust codebase (~53,000 files) on an M2 MacBook Pro takes ≈ 1 s. |
| Index-aware | An optional SQLite index stores file hashes and findings, subsequent scans touch only changed files, slashing CI times. |
| Offline & privacy-friendly | Requires no login, cloud account, or telemetry. Perfect for air-gapped environments and strict compliance policies. |
| Tree-sitter precision | Parses real language grammars, not regexes, giving far fewer false positives than line-based scanners. |
| Extensible | Add new patterns with concise tree-sitter queries; no SaaS lock-in. |
$ cargo install nyx-scanner-
Navigate to the Releases page of the repository.
-
Download the appropriate binary for your system:
nyx-x86_64-unknown-linux-gnu.zipfor Linuxnyx-x86_64-pc-windows-msvc.zipfor Windowsnyx-x86_64-apple-darwin.zipornyx-aarch64-apple-darwin.zipfor macOS (Intel or Apple Silicon) -
Unzip the file and move the executable to a directory in your system PATH:
# Example for Unix systems unzip nyx-x86_64-unknown-linux-gnu.zip chmod +x nyx sudo mv nyx /usr/local/bin/# Example for Windows in PowerShell Expand-Archive -Path nyx-x86_64-pc-windows-msvc.zip -DestinationPath . Move-Item -Path .\nyx.exe -Destination "C:\Program Files\Nyx\" # Add to PATH manually if needed
-
Verify the installation:
nyx --version
$ git clone https://github.com/ecpeter23/nyx.git
$ cd nyx
$ cargo build --release
# optional – copy the binary into PATH
$ cargo install --path .Nyx targets stable Rust 1.85 or later.
# Scan the current directory (creates/uses an index automatically)
$ nyx scan
# Scan a specific path and emit JSON
$ nyx scan ./server --format json
# Perform an ad‑hoc scan without touching the index
$ nyx scan --no-index
# Restrict results to high‑severity findings
$ nyx scan --high-only# Create or rebuild an index
$ nyx index build [PATH] [--force]
# Display index metadata (size, modified date, etc.)
$ nyx index status [PATH]
# List all indexed projects (add -v for detailed view)
$ nyx list [-v]
# Remove a single project or purge all indexes
$ nyx clean <PROJECT_NAME>
$ nyx clean --allNyx merges a default configuration file (nyx.conf) with user overrides (nyx.local). Both live in the platform‑specific configuration directory shown below.
| Platform | Directory |
|---|---|
| Linux | ~/.config/nyx/ |
| macOS | ~/Library/Application Support/dev.ecpeter23.nyx/ |
| Windows | %APPDATA%\ecpeter23\nyx\config\ |
Minimal example (nyx.local):
[scanner]
min_severity = "Medium"
follow_symlinks = true
excluded_extensions = ["mp3", "mp4"]
[output]
default_format = "json"
max_results = 200
[performance]
worker_threads = 8 # 0 = auto‑detect
batch_size = 200
channel_multiplier = 2A fully documented nyx.conf is generated automatically on first run.
- File enumeration – A highly parallel walker applies ignore rules, size limits, and user exclusions.
- Parsing – Supported files are parsed into ASTs via the appropriate
tree‑sittergrammar. - Rule execution – Each language ships with a dedicated rule set expressed as
tree‑sitterqueries. Matches are classified into three severity levels (High,Medium,Low). - Indexing (optional) – File digests and findings are stored in SQLite. Later scans skip files whose content and modification time are unchanged.
- Reporting – Results are grouped by file and emitted to the console or serialized in the requested format.
| Area | Planned Improvements |
|---|---|
| More language support | Plans to create rule sets for over 100 languages for maximum coverage |
| Control‑flow analysis | Inter‑procedural function summaries. Cap label propagation & bit‑flag checks. Loop/branch sensitivity |
| Taint tracking | Intra‑ / inter‑procedural tracing of untrusted data from sources to sinks |
| Output formats | Full SARIF 2.1.0, JUnit XML, HTML report generator |
| Rule updates | Remote rule feed with signature verification |
| Performance & UX | Incremental CFG cache, progress‑bar UX, smart file‑watch re‑scan |
Community feedback will help shape priorities; please open an issue to discuss proposed changes.
The new Rust intra‑procedural CFG + taint engine is not enabled.
Expect rough edges: slightly slower scans, occasional false positives, limited language coverage.
Please open an issue for every crash, panic, or suspicious result – attach the minimal code snippet and mention the Nyx version.
Pull requests are welcome. To contribute:
- Fork the repository and create a feature branch.
- Adhere to
rustfmtand ensurecargo clippy --all -- -D warningspasses. - Add unit and/or integration tests where applicable (
cargo testshould remain green). - Submit a concise, well‑documented pull request.
See CONTRIBUTING.md for full guidelines.
Nyx is licensed under the GNU General Public License v3.0 (GPL‑3.0).
This ensures that all modified versions of the scanner remain free and open-source, protecting the integrity and transparency of security tools.
See LICENSE for full details.