Rule reference

Every finding Nyx emits has a rule ID. This page enumerates the IDs that ship with scanner 0.5.0, grouped by family.

This page is written by hand and drifts against the code. Authoritative sources: src/patterns/<lang>.rs for AST patterns, src/labels/<lang>.rs for taint matchers, and src/auth_analysis/config.rs for auth rules. If a rule fires that isn’t listed here, the source file is right and this page is wrong.

If you’d rather browse rules interactively, nyx serve ships a Rules page that lists every loaded matcher with its language, kind, and capability:

Nyx Rules page: filterable list of 218 rules with language, kind (SOURCE/SANITIZER/SINK), capability, and finding count columns

ID format

Prefix	Detector	Example
`taint-*`	Taint analysis	`taint-unsanitised-flow (source 5:11)`
`cfg-*`	CFG structural	`cfg-unguarded-sink`, `cfg-auth-gap`
`state-*`	State model	`state-use-after-close`, `state-resource-leak`
`<lang>.auth.*`	Auth analysis	`rs.auth.missing_ownership_check`
`<lang>.<category>.<name>`	AST patterns	`rs.memory.transmute`, `js.code_exec.eval`

Language prefixes: rs, c, cpp, go, java, js, ts, py, php, rb.

Cross-language rules

Taint

One rule covers every source-to-sink flow. The parenthetical identifies the source location.

Rule ID	Severity
`taint-unsanitised-flow (source L:C)`	Varies by source kind and sink capability

The matcher sets (sources, sanitizers, sinks, gated sinks) live per-language in src/labels/<lang>.rs. Language maturity gives per-language counts and what’s covered.

CFG structural

Rule ID	Severity
`cfg-unguarded-sink`	High/Medium
`cfg-auth-gap`	High
`cfg-unreachable-sink`	Medium
`cfg-unreachable-sanitizer`	Low
`cfg-unreachable-source`	Low
`cfg-error-fallthrough`	High/Medium
`cfg-resource-leak`	Medium
`cfg-lock-not-released`	Medium

State model

Rule ID	Severity
`state-use-after-close`	High
`state-double-close`	Medium
`state-resource-leak`	Medium
`state-resource-leak-possible`	Low
`state-unauthed-access`	High

Auth analysis (Rust only, today)

Rule ID	Severity
`rs.auth.missing_ownership_check`	High
`rs.auth.missing_ownership_check.taint`	High (gated by `scanner.enable_auth_as_taint`)

See auth.md for scope, the five sink-classes, and tuning.

Each language ships a tree-sitter pattern registry. Structural match on the pattern, no dataflow. Some patterns also have a Tier B heuristic guard (e.g. SQL execute must receive a concatenation, not a literal) noted in the registry.

The tables below are generated from src/patterns/<lang>.rs by tools/docgen. Run cargo run --features docgen --bin nyx-docgen after changing the registry to refresh them.

C: 8 patterns

Rule ID	Severity	Tier	Confidence
`c.cmdi.system`	High	A	High
`c.memory.gets`	High	A	High
`c.memory.printf_no_fmt`	High	B	Medium
`c.memory.scanf_percent_s`	High	A	High
`c.memory.sprintf`	High	A	High
`c.memory.strcat`	High	A	High
`c.memory.strcpy`	High	A	High
`c.cmdi.popen`	Medium	A	High

C++: 9 patterns

Rule ID	Severity	Tier	Confidence
`cpp.cmdi.popen`	High	A	High
`cpp.cmdi.system`	High	A	High
`cpp.memory.gets`	High	A	High
`cpp.memory.printf_no_fmt`	High	B	Medium
`cpp.memory.sprintf`	High	A	High
`cpp.memory.strcat`	High	A	High
`cpp.memory.strcpy`	High	A	High
`cpp.memory.const_cast`	Medium	A	High
`cpp.memory.reinterpret_cast`	Medium	A	High

Go: 8 patterns

Rule ID	Severity	Tier	Confidence
`go.cmdi.exec_command`	High	A	High
`go.transport.insecure_skip_verify`	High	A	High
`go.deser.gob_decode`	Medium	A	High
`go.memory.unsafe_pointer`	Medium	A	High
`go.secrets.hardcoded_key`	Medium	A	High
`go.sqli.query_concat`	Medium	B	Medium
`go.crypto.md5`	Low	A	Medium
`go.crypto.sha1`	Low	A	Medium

Java: 8 patterns

Rule ID	Severity	Tier	Confidence
`java.cmdi.runtime_exec`	High	A	High
`java.deser.readobject`	High	A	High
`java.reflection.class_forname`	Medium	A	High
`java.reflection.method_invoke`	Medium	A	High
`java.sqli.execute_concat`	Medium	B	Medium
`java.xss.getwriter_print`	Medium	A	High
`java.crypto.insecure_random`	Low	A	Medium
`java.crypto.weak_digest`	Low	A	Medium

JavaScript: 22 patterns

Rule ID	Severity	Tier	Confidence
`js.code_exec.eval`	High	A	High
`js.code_exec.new_function`	High	A	High
`js.config.cors_dynamic_origin`	High	A	Medium
`js.code_exec.settimeout_string`	Medium	A	High
`js.config.insecure_session_httponly`	Medium	A	High
`js.config.reject_unauthorized`	Medium	A	High
`js.config.verbose_error_response`	Medium	A	Medium
`js.crypto.weak_hash_import`	Medium	A	Medium
`js.prototype.extend_object`	Medium	A	High
`js.prototype.proto_assignment`	Medium	A	High
`js.secrets.fallback_secret`	Medium	A	Medium
`js.xss.cookie_write`	Medium	A	High
`js.xss.document_write`	Medium	A	High
`js.xss.insert_adjacent_html`	Medium	A	High
`js.xss.location_assign`	Medium	A	High
`js.xss.outer_html`	Medium	A	High
`js.config.insecure_session_samesite`	Low	A	High
`js.config.insecure_session_secure`	Low	A	Medium
`js.crypto.math_random`	Low	A	Medium
`js.crypto.weak_hash`	Low	A	Medium
`js.secrets.hardcoded_secret`	Low	A	Medium
`js.transport.fetch_http`	Low	A	Medium

PHP: 11 patterns

Rule ID	Severity	Tier	Confidence
`php.cmdi.system`	High	A	High
`php.code_exec.assert_string`	High	A	High
`php.code_exec.create_function`	High	A	High
`php.code_exec.eval`	High	A	High
`php.code_exec.preg_replace_e`	High	A	High
`php.deser.unserialize`	High	A	High
`php.path.include_variable`	High	B	Medium
`php.sqli.query_concat`	Medium	B	Medium
`php.crypto.md5`	Low	A	Medium
`php.crypto.rand`	Low	A	Medium
`php.crypto.sha1`	Low	A	Medium

Python: 13 patterns

Rule ID	Severity	Tier	Confidence
`py.cmdi.os_popen`	High	A	High
`py.cmdi.os_system`	High	A	High
`py.cmdi.subprocess_shell`	High	B	Medium
`py.code_exec.eval`	High	A	High
`py.code_exec.exec`	High	A	High
`py.deser.pickle_loads`	High	A	High
`py.deser.yaml_load`	High	A	High
`py.code_exec.compile`	Medium	A	High
`py.deser.shelve_open`	Medium	A	High
`py.sqli.execute_format`	Medium	B	Medium
`py.xss.jinja_from_string`	Medium	A	High
`py.crypto.md5`	Low	A	Medium
`py.crypto.sha1`	Low	A	Medium

Ruby: 11 patterns

Rule ID	Severity	Tier	Confidence
`rb.cmdi.backtick`	High	A	High
`rb.cmdi.system_interp`	High	A	High
`rb.code_exec.class_eval`	High	A	High
`rb.code_exec.eval`	High	A	High
`rb.code_exec.instance_eval`	High	A	High
`rb.deser.marshal_load`	High	A	High
`rb.deser.yaml_load`	High	A	High
`rb.reflection.constantize`	Medium	A	High
`rb.reflection.send_dynamic`	Medium	B	Medium
`rb.ssrf.open_uri`	Medium	A	High
`rb.crypto.md5`	Low	A	Medium

Rust: 13 patterns

Rule ID	Severity	Tier	Confidence
`rs.memory.copy_nonoverlapping`	High	A	High
`rs.memory.get_unchecked`	High	A	High
`rs.memory.mem_zeroed`	High	A	High
`rs.memory.ptr_read`	High	A	High
`rs.memory.transmute`	High	A	High
`rs.quality.unsafe_block`	Medium	A	High
`rs.quality.unsafe_fn`	Medium	A	High
`rs.memory.mem_forget`	Low	A	High
`rs.memory.narrow_cast`	Low	A	Medium
`rs.quality.expect`	Low	A	High
`rs.quality.panic_macro`	Low	A	High
`rs.quality.todo`	Low	A	High
`rs.quality.unwrap`	Low	A	High

TypeScript: 22 patterns

Rule ID	Severity	Tier	Confidence
`ts.code_exec.eval`	High	A	High
`ts.code_exec.new_function`	High	A	High
`ts.config.cors_dynamic_origin`	High	A	Medium
`ts.code_exec.settimeout_string`	Medium	A	High
`ts.config.insecure_session_httponly`	Medium	A	High
`ts.config.reject_unauthorized`	Medium	A	High
`ts.config.verbose_error_response`	Medium	A	Medium
`ts.crypto.weak_hash_import`	Medium	A	Medium
`ts.prototype.proto_assignment`	Medium	A	High
`ts.secrets.fallback_secret`	Medium	A	Medium
`ts.xss.document_write`	Medium	A	High
`ts.xss.insert_adjacent_html`	Medium	A	High
`ts.xss.location_assign`	Medium	A	High
`ts.xss.outer_html`	Medium	A	High
`ts.config.insecure_session_samesite`	Low	A	High
`ts.config.insecure_session_secure`	Low	A	Medium
`ts.crypto.math_random`	Low	A	Medium
`ts.crypto.weak_hash`	Low	A	Medium
`ts.quality.any_annotation`	Low	A	Medium
`ts.quality.as_any`	Low	A	Medium
`ts.secrets.hardcoded_secret`	Low	A	Medium
`ts.xss.cookie_write`	Low	A	Medium

Capability list for custom rules

nyx config add-rule --cap <name> and [analysis.languages.*.rules] in config accept:

env_var, html_escape, shell_escape, url_encode, json_parse, file_io, fmt_string, sql_query, deserialize, ssrf, code_exec, crypto, unauthorized_id, all

Source for both the enum and the to_cap mapping: src/labels/mod.rs (Cap) and src/utils/config.rs (CapName).

Keyboard shortcuts

Nyx