Open-source security scanner

Security scanning for the AI era

Language-agnostic. Deterministic. Agent-native. One scanner for secrets, AI risk, infrastructure, and dependencies with policy-ready outputs.

Detection coverage

What Nox detects

Five analyzer suites covering the full attack surface of modern applications.

938 Secrets

API keys, tokens, and credentials across 25+ provider categories with high-entropy and pattern-based detection.

50 AI Security

Prompt injection, tool safety, model provenance, and full OWASP LLM Top 10 coverage.

500 Infrastructure

Terraform, Kubernetes, Docker, GitHub Actions, Helm, Ansible, and cross-resource graph analysis.

SCA Dependencies

Software composition analysis with OSV.dev vulnerability lookups and license compliance.

12 Data Protection

PII detection rules for email, SSN, credit card, phone number, and healthcare identifiers.

In action

Fast, focused output

Nox completes a full scan in seconds and writes machine-readable artifacts. No configuration required for a first run.

Terminal
$ nox scan .
nox v0.6.0 — scanning .

[discover] 847 files, 12 lockfiles, 3 AI components
[analyze] secrets, iac, deps, ai, data
[results] 12 findings (3 suppressed), 47 dependencies, 3 AI components
[done] wrote findings.json, results.sarif, sbom.cdx.json

$ nox scan . --format html --output report.html
[done] wrote report.html

Deterministic by design

Same inputs produce same outputs across local development and CI. No hidden state, no external service dependencies, no flaky results.

AI security is not an afterthought

First-class OWASP LLM Top 10 and OWASP Agentic coverage alongside traditional AppSec. Prompt injection, tool safety, and model provenance are built into the core engine.

Agent-native via MCP

Built-in MCP server with 10 read-only tools and 5 resources. AI agents can query scan results safely without write access or code execution.

Standard artifacts

Six output formats, zero vendor lock-in

Every scan produces standard artifacts that integrate with existing security tooling and compliance workflows.

findings.json (JSON): Canonical findings schema for automation

results.sarif (SARIF): GitHub Code Scanning compatible (SARIF 2.1.0)

sbom.cdx.json (CycloneDX): Primary SBOM format with vulnerability data

sbom.spdx.json (SPDX): Secondary SBOM format for license compliance

report.html (HTML): Standalone dark-theme dashboard with filtering

ai.inventory.json (AI Inventory): AI component inventory with provenance

Adoption workflow

From first scan to full enforcement in three steps.

01

Install and scan

brew install nox
nox scan .

02

Enforce in CI

- name: Run NOX
  uses: nox-hq/nox-action@v1
  with:
    args: scan . --format sarif --output results.sarif
- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif
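The two steps above are only a fragment of a job. As an added example (not part of this page or the Nox project's own documentation), here they are placed in a complete workflow file. The trigger, `permissions` block and checkout step are standard GitHub Actions configuration assumed here, not Nox-specific settings; `security-events: write` is what `upload-sarif` needs to publish results to Code Scanning, and `if: always()` keeps the upload running even when the scan step exits non-zero. The `nox-action` inputs are exactly those shown on the page.

```yaml
# Added example: .github/workflows/nox.yml (assumed path, not from the page)
name: Nox security scan

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read          # checkout only needs to read the repository
  security-events: write  # required for upload-sarif to write to Code Scanning

jobs:
  nox:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Step from the page: run the scanner and write SARIF 2.1.0 output
      - name: Run NOX
        uses: nox-hq/nox-action@v1
        with:
          args: scan . --format sarif --output results.sarif

      # Step from the page: publish the SARIF file to GitHub Code Scanning.
      # always() ensures findings are uploaded even if the scan step failed.
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: results.sarif
          category: nox   # keeps Nox results distinct from other SARIF uploads
```

Because the scan runs against the checked-out tree, the same `findings.json`, `results.sarif` and SBOM artifacts described above are produced in CI as locally, which is what the deterministic-output claim relies on. For a pipeline that is itself supply-chain conscious, pin `nox-hq/nox-action` and `upload-sarif` to a commit SHA rather than a floating major tag.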

03

Extend with plugins

nox plugin install nox/sast
nox plugin install nox/grc
nox scan . --plugins all

Open source under Apache 2.0

Nox is free to use, modify, and distribute. Contributions welcome.