NOX logo NOX
Star

Security policy

Disclosure, attestation, verification.

Nox is a security tool. We hold ourselves to the standard we ask of users — every release is reproducibly built, Cosign-signed via Sigstore keyless OIDC, and ships a SLSA Level 3 provenance attestation. This page is the canonical reference for verifying a release and reporting a vulnerability.

Reporting a vulnerability

Responsible disclosure

If you have found a vulnerability in nox, the official plugins, or the registry index pipeline, please use GitHub's private vulnerability disclosure flow: Open a private advisory.

We aim to acknowledge reports within 48 hours and ship a fix within 14 days for high-severity findings. Please do not file a public issue for vulnerabilities.

Out-of-band channel: security@nox-hq.dev. PGP key on request.

Supported versions

Supported releases

Security fixes ship to the latest minor release line on main. Earlier minors are supported for 90 days after the next minor's release. Patch releases (v0.x.y) are issued for critical fixes during that window.

Verification

Verify a release out-of-band

Every nox release publishes a checksums.txt signed by the GoReleaser workflow's OIDC subject via Sigstore. To verify a downloaded binary: 

cosign verify-blob \
  --certificate-identity-regexp \
    "https://github.com/Nox-HQ/nox/.github/workflows/release.yml@.*" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --bundle nox_<version>_checksums.txt.sig.bundle \
  --new-bundle-format \
  nox_<version>_checksums.txt

A passing verification asserts:

  • The checksums file was produced by the release.yml workflow in Nox-HQ/nox at the tagged ref
  • The OIDC subject was issued by GitHub Actions (token.actions.githubusercontent.com)
  • The downloaded binary's SHA-256 matches the entry in the signed checksums file

The same chain applies to every plugin in the official marketplace. Replace the repository slug with the plugin name (e.g. Nox-HQ/nox-plugin-reachability).

Provenance

SLSA Level 3 attestation

Each release uploads a SLSA v1.0 provenance attestation alongside the artifacts. The attestation captures the source repository, the commit SHA, the builder identity, and the build configuration. Verify with: 

cosign verify-attestation \
  --certificate-identity-regexp "(?i)https://github.com/Nox-HQ/nox/.github/workflows/.*" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --type slsaprovenance \
  <binary>

Trust model

What Nox does (and never does)

  • Never uploads source code. Scans run entirely on the build host. OSV vulnerability lookups are gated behind --no-osv.
  • Never executes untrusted code. Plugins run as subprocesses with explicit risk classification (passive / active / runtime); active plugins require operator confirmation.
  • Never auto-applies fixes. nox fix writes a patch to disk; the human commits.
  • No telemetry. Zero outbound network calls beyond the operator's nox plugin install requests.
  • Default trust policy. Plugin install fails closed unless either Cosign keyless or an in-tool Ed25519 signature passes verification.

Coordinated disclosure

Plugin vulnerabilities

Vulnerabilities in third-party plugins should be reported to that plugin's maintainer via the same private-advisory flow on its own repository. Nox-HQ retains the right to delist a plugin from the official registry if a critical vulnerability is unpatched within 30 days; the plugin remains installable via --allow-unverified for operators who accept the risk.