July 5, 2026
Nox scanned microsoft/autogen: 304,629 findings, dominated by base64-encoded SVG art triggering 10 broad-pattern rules. Fixed the same FP cluster that hit LangGraph.
June 21, 2026
Nox scanned langchain-ai/langgraph: 134,614 findings, 99.8% noise. The lone critical AI finding flagged code that prevents the attack. Zero true positives; one AI-019 rule fix.
June 7, 2026
Nox scanned huggingface/smolagents — 323 findings, 65% from one example folder, zero real vulnerabilities, and one genuine bug in our own typosquatting rule.
June 5, 2026
We ran Nox's offline MCP security scanner against the 56 most-used public MCP servers. Zero vulnerabilities, zero disclosures — and a hard lesson in scanner precision.
May 24, 2026
Nox scanned deepset-ai/haystack and returned 12,367 findings. Strip the docs tree and it collapses to one real low-severity issue — plus a precision bug we fixed in our own rules.
May 10, 2026
We pointed Nox at anthropic-cookbook. It returned 1,950,121 findings. Almost all of them are wrong. Here is what that taught us about RAG-corpus false positives, the literal_eval / eval distinction, and how a real CLAUDE-uses-MCP fixture trips the AI-004 rule.
May 9, 2026
v0.9.0 ships cluster-vs-IaC drift detection, JSON-backed triage history for AI-assisted review, a strict PR gate for high/critical findings, and a marketplace action that opens dependency-remediation PRs.
May 5, 2026
AI-PI, AI-EMB, AI-AGENT, MCP-* — what they catch, why every other scanner misses them, and how the AIBOM ties it all together.
May 3, 2026
Open-source, AI-native security scanner with a cosign-signed plugin marketplace. 19 verified plugins, 717 rules, MCP-native. No SaaS, no telemetry, no source upload.
April 26, 2026
We ran Nox against modelcontextprotocol/python-sdk plus 6 other popular LLM/agent repos. Here's what AI-aware scanning catches in 2 seconds — across all 7.