Nox blog

Nox blogOpen-source security scanner with first-class AI application and MCP security. Notes on MCP threats, scanner precision, and AppSec.https://nox-hq.dev/en-usWe scanned the 56 most-used MCP servers. Zero vulnerabilities. Here's what we actually learned.https://nox-hq.dev/blog/we-scanned-the-56-most-used-mcp-servers/https://nox-hq.dev/blog/we-scanned-the-56-most-used-mcp-servers/We ran Nox's offline MCP security scanner against the 56 most-used public MCP servers. Zero vulnerabilities, zero disclosures — and a hard lesson in scanner precision.Fri, 05 Jun 2026 00:00:00 GMTmcpai-securityfalse-positivesprecisionowasp-mcp-top-10nox-hqScan of the week: Haystack (or, why 12,367 findings is mostly a docs folder)https://nox-hq.dev/blog/scan-of-the-week-haystack/https://nox-hq.dev/blog/scan-of-the-week-haystack/Nox scanned deepset-ai/haystack and returned 12,367 findings. Strip the docs tree and it collapses to one real low-severity issue — plus a precision bug we fixed in our own rules.Fri, 05 Jun 2026 00:00:00 GMTscan-of-the-weekai-securityragfalse-positivesprecisionnox-hqScan of the week: smolagents (or, when a scanner flags a package as a typo of itself)https://nox-hq.dev/blog/scan-of-the-week-smolagents/https://nox-hq.dev/blog/scan-of-the-week-smolagents/Nox scanned huggingface/smolagents — 323 findings, 65% from one example folder, zero real vulnerabilities, and one genuine bug in our own typosquatting rule.Fri, 05 Jun 2026 00:00:00 GMTscan-of-the-weekai-securityagentsfalse-positivesprecisionnox-hqScan of the week: LangGraph — 134,614 findings, and the 'critical' one was ushttps://nox-hq.dev/blog/scan-of-the-week-langgraph/https://nox-hq.dev/blog/scan-of-the-week-langgraph/Nox scanned langchain-ai/langgraph: 134,614 findings, 99.8% noise. The lone critical AI finding flagged code that prevents the attack. Zero true positives; one AI-019 rule fix.Fri, 05 Jun 2026 00:00:00 GMTscan-of-the-weekai-securityfalse-positivesprecisionnox-hqNox v0.9.0 — K8s drift detection, triage history, and a remediation actionhttps://nox-hq.dev/blog/v0-9-0-release/https://nox-hq.dev/blog/v0-9-0-release/v0.9.0 ships cluster-vs-IaC drift detection, JSON-backed triage history for AI-assisted review, a strict PR gate for high/critical findings, and a marketplace action that opens dependency-remediation PRs.Sat, 09 May 2026 00:00:00 GMTreleasekubernetesai-securitycinox-hqScan of the week: anthropic-cookbook (or, what 1.95M findings teach you about precision)https://nox-hq.dev/blog/scan-of-the-week-anthropic-cookbook/https://nox-hq.dev/blog/scan-of-the-week-anthropic-cookbook/We pointed Nox at anthropic-cookbook. It returned 1,950,121 findings. Almost all of them are wrong. Here is what that taught us about RAG-corpus false positives, the literal_eval / eval distinction, and how a real CLAUDE-uses-MCP fixture trips the AI-004 rule.Sat, 09 May 2026 00:00:00 GMTscan-of-the-weekai-securityfalse-positivesprecisionnox-hqInside Nox: the four AI rule families that matter for LLM appshttps://nox-hq.dev/blog/ai-rule-families-explained/https://nox-hq.dev/blog/ai-rule-families-explained/AI-PI, AI-EMB, AI-AGENT, MCP-* — what they catch, why every other scanner misses them, and how the AIBOM ties it all together.Tue, 05 May 2026 00:00:00 GMTai-securitymcpllmdeep-divenox-hqScan of the week: the MCP Python SDKhttps://nox-hq.dev/blog/scan-of-the-week-mcp-python-sdk/https://nox-hq.dev/blog/scan-of-the-week-mcp-python-sdk/We ran Nox against modelcontextprotocol/python-sdk plus 6 other popular LLM/agent repos. Here's what AI-aware scanning catches in 2 seconds — across all 7.Mon, 04 May 2026 00:00:00 GMTscan-of-the-weekmcpai-securitybenchnox-hqAnnouncing Nox: the security scanner that understands your AI apphttps://nox-hq.dev/blog/announcing-nox/https://nox-hq.dev/blog/announcing-nox/Open-source, AI-native security scanner with a cosign-signed plugin marketplace. 19 verified plugins, 717 rules, MCP-native. No SaaS, no telemetry, no source upload.Sun, 03 May 2026 00:00:00 GMTlaunchai-securitysupply-chainnox-hq