gixy
Analyze Nginx configuration for security vulnerabilities
TLDR
Analyze nginx configuration (default path: /etc/nginx/nginx.conf)
Analyze nginx configuration but skip specific tests
Analyze nginx configuration with the specific severity level
Analyze nginx configuration files on the specific path
SYNOPSIS
gixy [OPTIONS] <PATH_TO_NGINX_CONF>
PARAMETERS
<PATH_TO_NGINX_CONF>
The path to the Nginx configuration file or directory to be analyzed.
-h, --help
Displays the help message and exits.
-v, --version
Shows the program's version number and exits.
-c <CONFIG_FILE>, --config=<CONFIG_FILE>
Specifies an alternative configuration file for Gixy itself, not Nginx.
-f <FORMAT>, --format=<FORMAT>
Sets the output format, e.g., text, json, xml.
--strict
Treats all warnings found as errors.
--all-warnings
Shows all warnings, including those disabled by default.
--enable <RULE[,RULE...]>
Enables specific Gixy rules by their ID or name.
--disable <RULE[,RULE...]>
Disables specific Gixy rules by their ID or name.
--stdin
Reads Nginx configuration from standard input.
--quiet
Suppresses all output except for errors and issues found.
--diff
Shows the differences between the current Nginx configuration and the default configuration.
DESCRIPTION
Gixy is a specialized security linter designed to analyze Nginx web server configuration files for potential vulnerabilities and misconfigurations. Developed and open-sourced by Yandex, it helps administrators identify common security pitfalls such as insecure SSL/TLS settings, improper redirects, potential information disclosure, weak CORS policies, and path traversal vulnerabilities. By parsing the Nginx configuration, Gixy applies a comprehensive set of predefined rules to highlight problematic directives or patterns, providing actionable insights to enhance the server's security posture. It acts as an automated security audit tool that is crucial for maintaining secure Nginx deployments, and it can be seamlessly integrated into development and deployment workflows to enforce security best practices proactively.
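To make the "path traversal" class of finding concrete, the following added example (not Gixy's own code, and far simpler than its parser) shows the shape of one such check: a `location` prefix without a trailing slash combined with an `alias` that has one. Because Nginx replaces the matched prefix with the alias path, a request URI that merely extends the prefix is mapped outside the intended directory, which is what Gixy's alias_traversal rule reports. The configuration snippets, the regex-based matching and the function names are constructed for this illustration.

```python
import re

# Constructed sample: the /static location is the risky pattern
# (prefix without trailing slash, alias with trailing slash);
# the /images/ location is the safe form.
SAMPLE_CONFIG = """
server {
    listen 80;
    server_name example.invalid;
    location /static {
        alias /srv/app/static/;
    }
    location /images/ {
        alias /srv/app/images/;
    }
}
"""

# Constructed sample with the risky location corrected.
FIXED_CONFIG = SAMPLE_CONFIG.replace("location /static {", "location /static/ {")

# Matches a location block: optional modifier (=, ~, ~*, ^~), the path,
# and a brace-delimited body that contains no nested blocks.
LOCATION_RE = re.compile(
    r"location\s+(?:(?:=|~\*?|\^~)\s+)?(\S+)\s*\{([^{}]*)\}", re.S
)
ALIAS_RE = re.compile(r"\balias\s+(\S+?)\s*;")


def find_alias_traversal(config_text):
    """Return [(location_path, alias_path), ...] for every location whose
    prefix lacks a trailing slash while its alias ends with one.
    Hypothetical helper; regex-based, so it ignores regex locations'
    semantics and nested blocks rather than fully parsing nginx.conf."""
    findings = []
    for match in LOCATION_RE.finditer(config_text):
        path, body = match.group(1), match.group(2)
        alias = ALIAS_RE.search(body)
        if alias is None:
            continue
        alias_path = alias.group(1)
        # The prefix is stripped from the URI and replaced by the alias path,
        # so a URI extending the prefix maps outside the alias directory.
        if not path.endswith("/") and alias_path.endswith("/"):
            findings.append((path, alias_path))
    return findings


def describe(findings):
    """Human-readable remediation lines, one per finding."""
    return [
        f"location {loc} with alias {alias}: add a trailing slash to the "
        f"location prefix ('location {loc}/') or use root instead of alias"
        for loc, alias in findings
    ]


if __name__ == "__main__":
    for line in describe(find_alias_traversal(SAMPLE_CONFIG)):
        print(line)
    print("fixed config findings:", find_alias_traversal(FIXED_CONFIG))
```

Running the block reports the `/static` location and confirms that the corrected configuration produces no finding; a real audit should still use Gixy itself, which handles includes, nested blocks and the other rule categories listed below.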
CAVEATS
Gixy is a Python application and requires a Python environment to run. It primarily acts as a static analysis tool; it cannot detect runtime vulnerabilities or issues not covered by its predefined rule set. Its effectiveness relies on the comprehensiveness and up-to-date status of its internal security rules.
RULE IDS AND CUSTOMIZATION
Gixy categorizes security checks into various rule IDs (e.g., ssrf, redirect, hsts, xss, path_traversal), allowing users to enable or disable specific checks based on their security requirements. This flexibility helps in tailoring the linting process to specific organizational policies or compliance needs.
CI/CD INTEGRATION
The command-line nature of Gixy makes it ideal for integration into Continuous Integration/Continuous Deployment (CI/CD) pipelines. Automating security checks during the build or deployment phase ensures that insecure Nginx configurations are identified and rectified before they reach production environments, enforcing a 'security-first' approach in the development lifecycle.
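The following added example ties the two preceding sections together: it builds a Gixy invocation from the `--enable`/`--disable` options listed above, reads the JSON output, and turns it into a pass/fail decision for a CI job based on a severity threshold (with a strict mode that fails on any finding, mirroring `--strict`). This is not part of Gixy; the JSON field names (`severity`, `plugin`, `summary`) and the LOW/MEDIUM/HIGH levels are assumptions about Gixy's output, and the sample findings are constructed so the gating logic can be exercised without Gixy installed.

```python
import json
import subprocess

# Assumed severity levels; anything unrecognised is treated as the most
# severe so that an unexpected level fails closed rather than being ignored.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}
UNKNOWN_RANK = max(SEVERITY_RANK.values()) + 1


def build_command(config_path, enable=(), disable=()):
    """Compose the gixy command line using the options documented above."""
    cmd = ["gixy", "-f", "json"]
    if enable:
        cmd += ["--enable", ",".join(enable)]
    if disable:
        cmd += ["--disable", ",".join(disable)]
    cmd.append(config_path)
    return cmd


def run_gixy(config_path, enable=(), disable=()):
    """Run gixy and parse its JSON report (assumed to be a list of findings).
    Not exercised by the tests; requires gixy on PATH."""
    proc = subprocess.run(
        build_command(config_path, enable, disable),
        capture_output=True, text=True, check=False,
    )
    return json.loads(proc.stdout or "[]")


def rank(severity):
    return SEVERITY_RANK.get(str(severity).upper(), UNKNOWN_RANK)


def failing_findings(findings, threshold="MEDIUM", strict=False):
    """Return the findings that should fail the build: every finding in
    strict mode, otherwise those at or above the threshold severity."""
    if strict:
        return list(findings)
    floor = rank(threshold)
    return [f for f in findings if rank(f.get("severity")) >= floor]


def exit_code(findings, threshold="MEDIUM", strict=False):
    """0 when the configuration passes the gate, 1 otherwise."""
    return 1 if failing_findings(findings, threshold, strict) else 0


# Constructed sample report in the assumed output shape.
SAMPLE_FINDINGS = [
    {"plugin": "alias_traversal", "severity": "HIGH",
     "summary": "Path traversal via misconfigured alias."},
    {"plugin": "add_header_redefinition", "severity": "LOW",
     "summary": "Nested add_header drops parent headers."},
    {"plugin": "ssrf", "severity": "MEDIUM",
     "summary": "Possible SSRF via proxy_pass."},
    {"plugin": "future_rule", "severity": "CRITICAL",
     "summary": "Unrecognised level, must not be silently ignored."},
]


if __name__ == "__main__":
    # In CI this would be: findings = run_gixy("/etc/nginx/nginx.conf")
    for f in failing_findings(SAMPLE_FINDINGS, threshold="MEDIUM"):
        print(f"[{f['severity']}] {f['plugin']}: {f['summary']}")
    raise SystemExit(exit_code(SAMPLE_FINDINGS, threshold="MEDIUM"))
```

A pipeline step would call `run_gixy` on the checked-in configuration and exit with the returned code; the threshold lets a team accept LOW findings temporarily while still blocking anything MEDIUM or above, and the fail-closed handling of unknown severities means a newer Gixy release cannot quietly slip findings past the gate.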
HISTORY
Developed by Yandex, Gixy was open-sourced to help the community secure Nginx configurations. Its creation stemmed from an internal need at Yandex for automated security auditing of Nginx instances. Since its release, it has been actively maintained on GitHub, with ongoing contributions to expand its rule set and improve its analysis capabilities, reflecting the evolving landscape of web security.