Enterprise · Air-gapped · Self-hosted

Nox for organisations that won't ship source code to a vendor.

Nox runs on your build hosts, with a private plugin registry, a managed Ed25519 signer keyring, and a SLSA Level 3 release attestation chain. Operators in regulated industries (finance, healthcare, defence, EU sovereign cloud) adopt Nox precisely because the scanners they are otherwise forced to evaluate require a SaaS backend and cannot meet their data-residency or supply-chain requirements.

Core principles

What makes Nox enterprise-ready

No source upload, ever

Scans run entirely on your build hosts. OSV vulnerability lookups can be switched off with a single flag (--no-osv) for fully air-gapped environments.

No telemetry

Zero outbound network calls beyond operator-initiated plugin installs. Auditable: open-source, deterministic, single binary.

Open core, Apache 2.0

Every detection rule, the trust verifier, the plugin SDK — all open-source under Apache 2.0. No proprietary lock-in.

Fit check

Is Nox the right fit for your organisation?

If you check three or more of these, Nox is likely the strongest open-source option for your environment:

  • You scan internal source repositories that cannot leave your network
  • You require a managed signer keyring (not just trust-on-first-use)
  • You serve plugins from an internal artifact server / Artifactory / Sonatype Nexus
  • You answer compliance questionnaires that ask "does this tool ship code off-host?"
  • You give AI agents access to security findings via MCP and need read-only sandboxed tools
  • You have an existing Sigstore / SLSA / supply-chain investment and want it leveraged

Capabilities

Enterprise deployment patterns

Private signer keyring (Ed25519)

Beyond the default Sigstore-keyless trust policy, organisations can bind plugin installs to a curated set of Ed25519 keys. The enterprise trust policy refuses any artifact whose signer key is not in the local keyring.

# .nox.yaml
plugins:
  trust_policy: enterprise
  signer_keyring:
    - name: acme-security
      pubkey_pem: |
        -----BEGIN PUBLIC KEY-----
        ...your Ed25519 pubkey...
        -----END PUBLIC KEY-----
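The check the enterprise trust policy has to make is easy to get subtly wrong: a signature that verifies under some key is not enough, the key itself must be one the operator put in the keyring. The following Go program is an added illustration of that two-step rule (keyring membership first, then signature verification), not Nox's own code. It assumes a signed artifact carries the signer's public key and a detached signature; the PEM handling mirrors the pubkey_pem field above, and the artifact bytes and keyring name are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// Keyring is the operator-curated set of Ed25519 public keys, indexed by the
// "name" of each signer_keyring entry.
type Keyring struct{ keys map[string]ed25519.PublicKey }

func NewKeyring() *Keyring { return &Keyring{keys: map[string]ed25519.PublicKey{}} }

// AddPEM parses a PKIX "PUBLIC KEY" PEM block (the pubkey_pem value) and
// refuses anything that is not an Ed25519 key.
func (k *Keyring) AddPEM(name string, pemData []byte) error {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "PUBLIC KEY" {
		return errors.New("keyring: expected a PEM PUBLIC KEY block")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return fmt.Errorf("keyring: %w", err)
	}
	edPub, ok := pub.(ed25519.PublicKey)
	if !ok {
		return fmt.Errorf("keyring: %q is not an Ed25519 key", name)
	}
	k.keys[name] = edPub
	return nil
}

// Verify is fail-closed and ordered: the signer key must already be in the
// keyring, and only then is the signature over artifact checked. A valid
// signature from a key outside the keyring is still rejected.
func (k *Keyring) Verify(artifact []byte, signer ed25519.PublicKey, sig []byte) (string, error) {
	for name, key := range k.keys {
		if bytes.Equal(key, signer) {
			if !ed25519.Verify(key, artifact, sig) {
				return "", fmt.Errorf("enterprise trust policy: invalid signature from %s", name)
			}
			return name, nil
		}
	}
	return "", errors.New("enterprise trust policy: signer key not in local keyring")
}

// MarshalPEM renders a public key in the PKIX PEM form pubkey_pem expects.
func MarshalPEM(pub ed25519.PublicKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// Demo builds a keyring with one trusted key and evaluates three artifacts:
// signed by the trusted key, signed by an unknown key (valid signature), and
// a tampered artifact with the trusted signature. It returns
// (trustedAccepted, unknownRejected, tamperedRejected).
func Demo() (bool, bool, bool, error) {
	fail := func(err error) (bool, bool, bool, error) { return false, false, false, err }
	trustedPub, trustedPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return fail(err)
	}
	roguePub, roguePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return fail(err)
	}
	pemBytes, err := MarshalPEM(trustedPub)
	if err != nil {
		return fail(err)
	}
	kr := NewKeyring()
	if err := kr.AddPEM("acme-security", pemBytes); err != nil {
		return fail(err)
	}
	// Constructed stand-in for a plugin archive.
	artifact := []byte("acme/internal-secrets-pack@1.2.0 (constructed archive bytes)")
	sig := ed25519.Sign(trustedPriv, artifact)

	name, err1 := kr.Verify(artifact, trustedPub, sig)
	_, err2 := kr.Verify(artifact, roguePub, ed25519.Sign(roguePriv, artifact))
	tampered := append([]byte(nil), artifact...)
	tampered[0] ^= 0xff
	_, err3 := kr.Verify(tampered, trustedPub, sig)
	return err1 == nil && name == "acme-security", err2 != nil, err3 != nil, nil
}

func main() {
	accepted, unknownRejected, tamperedRejected, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("trusted signer accepted:", accepted)
	fmt.Println("unknown signer rejected:", unknownRejected)
	fmt.Println("tampered artifact rejected:", tamperedRejected)
}
```

The membership check runs before the signature check so that an attacker who controls a key, but not the operator's keyring, gets the same rejection whether or not their signature is well-formed; the two error messages also make the failure mode visible in install logs.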

Private plugin registry

Run an internal plugin registry that mirrors the public official registry plus your own custom plugins. Operators discover and install via the same nox plugin install UX.

# .nox.yaml
plugins:
  registries:
    - acme=https://nox-registry.acme.internal/index.json
  required:
    - acme/internal-secrets-pack@>=1.2
    - nox/reachability
    - nox/grc

Air-gapped deployment

Mirror the registry into your artifact server, sign it with your keyring, and distribute the nox binary through internal channels. No network calls are required at scan time.

nox plugin install nox/grc \
  --registry https://artifacts.acme.internal/nox-mirror.json \
  --trust-policy enterprise

# Or set the registry persistently:
nox registry add https://artifacts.acme.internal/nox-mirror.json \
  --name acme-mirror

Compliance posture

nox/grc covers 12 frameworks: SOC 2, ISO 27001, GDPR, FedRAMP Low / Moderate / High, HIPAA, PCI-DSS, NIST 800-53, NIST CSF, CIS v8, CMMC. Generate audit-ready evidence bundles directly from scan output.

nox plugin call grc gap_report \
  framework=fedramp-moderate \
  output=fedramp-moderate-gap.json

SLSA Level 3 provenance

Every nox release ships a SLSA v1.0 provenance attestation alongside cosign keyless signatures. Enterprises verify both before promoting to production.

cosign verify-attestation \
  --certificate-identity-regexp \
    "(?i)https://github.com/Nox-HQ/nox/.github/workflows/.*" \
  --certificate-oidc-issuer \
    https://token.actions.githubusercontent.com \
  --type slsaprovenance \
  nox

MCP-native integration

Internal AI agents query scan results through the built-in MCP server. Read-only tools, workspace allowlisting, output size limits. Drop-in for Claude Desktop / Cursor / your internal MCP host.

# Internal MCP host config
{
  "mcpServers": {
    "nox": {
      "command": "/usr/local/bin/nox",
      "args": ["serve", "--allowed-paths", "/repos"]
    }
  }
}
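Workspace allowlisting is only as good as the path canonicalisation behind it: a request for /repos/../etc or for a symlink under /repos that points elsewhere must resolve to its real location before the prefix comparison. The Go program below is an added illustration of how such an --allowed-paths check should behave, not Nox's implementation. It builds a constructed directory tree in a temporary directory (a workspace, a directory outside it, and a symlink from the workspace to the outside) and shows that only the genuine in-workspace file is allowed.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Allowlist holds canonical (absolute, symlink-resolved) workspace roots,
// the role --allowed-paths plays in the MCP host config above.
type Allowlist struct{ roots []string }

// NewAllowlist canonicalises each root up front so Resolve compares two
// fully resolved paths rather than operator-typed strings.
func NewAllowlist(roots ...string) (*Allowlist, error) {
	a := &Allowlist{}
	for _, r := range roots {
		abs, err := filepath.Abs(r)
		if err != nil {
			return nil, err
		}
		resolved, err := filepath.EvalSymlinks(abs)
		if err != nil {
			return nil, fmt.Errorf("allowlist root %q: %w", r, err)
		}
		a.roots = append(a.roots, resolved)
	}
	return a, nil
}

// Resolve returns the canonical path of requested if it lies under an allowed
// root. ".." segments are removed by Abs and symlinks are followed by
// EvalSymlinks before the prefix check, so a link inside a workspace that
// points outside it is denied. Non-existent paths are denied too (fail closed).
func (a *Allowlist) Resolve(requested string) (string, error) {
	abs, err := filepath.Abs(requested)
	if err != nil {
		return "", err
	}
	resolved, err := filepath.EvalSymlinks(abs)
	if err != nil {
		return "", fmt.Errorf("denied %q: %w", requested, err)
	}
	for _, root := range a.roots {
		if resolved == root || strings.HasPrefix(resolved, root+string(filepath.Separator)) {
			return resolved, nil
		}
	}
	return "", fmt.Errorf("denied %q: outside allowed workspaces", requested)
}

// Demo lays out a constructed tree:
//   <tmp>/repos/app/README.md        inside the allowlist
//   <tmp>/secrets/id_ed25519         outside it
//   <tmp>/repos/escape -> ../secrets symlink leading out of the workspace
// and returns (inWorkspaceAllowed, dotDotDenied, symlinkDenied).
func Demo() (bool, bool, bool, error) {
	fail := func(err error) (bool, bool, bool, error) { return false, false, false, err }
	tmp, err := os.MkdirTemp("", "nox-allowlist")
	if err != nil {
		return fail(err)
	}
	defer os.RemoveAll(tmp)
	repos, secrets := filepath.Join(tmp, "repos"), filepath.Join(tmp, "secrets")
	for _, d := range []string{filepath.Join(repos, "app"), secrets} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			return fail(err)
		}
	}
	if err := os.WriteFile(filepath.Join(repos, "app", "README.md"), []byte("# app\n"), 0o644); err != nil {
		return fail(err)
	}
	if err := os.WriteFile(filepath.Join(secrets, "id_ed25519"), []byte("constructed"), 0o600); err != nil {
		return fail(err)
	}
	if err := os.Symlink("../secrets", filepath.Join(repos, "escape")); err != nil {
		return fail(err)
	}
	al, err := NewAllowlist(repos)
	if err != nil {
		return fail(err)
	}
	sep := string(filepath.Separator)
	_, e1 := al.Resolve(filepath.Join(repos, "app", "README.md"))
	_, e2 := al.Resolve(repos + sep + ".." + sep + "secrets" + sep + "id_ed25519")
	_, e3 := al.Resolve(filepath.Join(repos, "escape", "id_ed25519"))
	return e1 == nil, e2 != nil, e3 != nil, nil
}

func main() {
	allowed, dotDotDenied, symlinkDenied, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("in-workspace file allowed:", allowed)
	fmt.Println("'..' traversal denied:", dotDotDenied)
	fmt.Println("symlink escape denied:", symlinkDenied)
}
```

Resolving symlinks on both the roots and the request matters on hosts where the workspace itself sits behind a link (for example a temp directory that is a symlink), otherwise a correct request would be denied or, worse, the comparison would be made against an unresolved string.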

Talk to us

Evaluating Nox at scale?

We're a small team focused on making Nox excellent at its core mission. Enterprise inquiries — private registry hosting, signed evaluation reports, custom rule pack development, scoped security review of your AI integration patterns — go to the address below.

[email protected]

Open-source-only deployments stay free under Apache 2.0 forever. Enterprise inquiries help us prioritise the roadmap (next: managed private registry hosting, signed evaluation reports for procurement teams, GitHub Actions runner appliance for air-gapped CI).