Capabilities

One scanner, full coverage, standard outputs.

NOX avoids tool sprawl by unifying detection, policy enforcement, and extension under one operating model. Every capability is deterministic, offline-capable, and CI-safe by default.

Detection Engine

1506+ security rules across 5 analyzer suites
Secrets, AI security, IaC, dependencies, and data sensitivity in one scan
Deterministic execution with offline-first defaults
Rule configuration and severity overrides through .nox.yaml

AI Security

Full OWASP LLM Top 10 coverage with 50 dedicated rules
Prompt injection and RAG boundary violation detection
MCP server configuration security analysis
Model provenance, tool safety, and AI-BOM v2.0 generation

Standard Outputs

SARIF 2.1.0 for GitHub Code Scanning integration
CycloneDX and SPDX SBOM generation
Standalone HTML dashboard with dark theme and filtering
AI inventory JSON with connection graph and tool matrix

Policy and Governance

Fail/warn thresholds for CI policy gates
Baseline management for known findings and controlled suppression
GRC compliance assessment across 12 frameworks including FedRAMP
Inline suppressions with audit trail

Plugin Ecosystem

32 plugins across 9 tracks with gRPC-based SDK
Track-based architecture with explicit risk classification
Plugin scaffolding via nox plugin init
Registry support for discovery and distribution

MCP Server

10 read-only tools for AI agent integration
5 MCP resources for artifact serving
Workspace allowlisting and output size limits
Sandboxed execution with rate limiting

Developer Experience

Watch mode for continuous scanning during development
Pre-commit hooks and shell completions
Incremental scan cache with content-addressed SHA-256
Differential scanning with --changed-since for fast CI

Supply Chain Security

Cosign keyless signing for release artifacts
SLSA Level 3 provenance attestation
CycloneDX and SPDX SBOM generation
Dependency confusion detection and artifact integrity verification