Declare plugins (.nox.yaml)
Treat security plugins like dependencies. Pin them in .nox.yaml so anyone cloning your repo gets the same verified set on first scan.
# .nox.yaml — package.json for security
plugins:
required:
- nox/reachability # filter VULN by import reachability
- nox/taint-analysis # cross-file + AI taint flow
- nox/k8s-runtime # live cluster scanning
- nox/grc # 15 compliance frameworks (incl. EU AI Act, ISO 42001, NIST AI RMF)
trust_policy: default # require Cosign keyless or Ed25519
# First scan auto-installs missing required plugins.
# Verified end-to-end via Sigstore — install fails closed
# on unsigned third-party drops.
nox install # fetch all required plugins
nox scan . # auto-installs if missing