LinuxCommandLibrary

gixy-next

Analyze Nginx configurations for security vulnerabilities

TLDR

Analyze nginx configuration (default path: /etc/nginx/nginx.conf)

$ gixy [path/to/nginx.conf]

Analyze a rendered configuration dump via stdin (-)

$ cat [path/to/nginx-dump.conf] | gixy -

Run only specific checks (comma-separated)

$ gixy --tests [http_splitting,ssrf,version_disclosure] [path/to/nginx.conf]

Skip specific checks (comma-separated)

$ gixy --skips [low_keepalive_requests,worker_rlimit_nofile_vs_connections] [path/to/nginx.conf]

Only report issues at a given severity or higher

$ gixy [-l|-ll|-lll] [path/to/nginx.conf]

Output as uncolored text or machine-readable JSON

$ gixy [[-f|--format]] [text|json] [path/to/nginx.conf]

SYNOPSIS

gixy-next [-c|--checks] [-f|--format] [-o|--output] [-q|--quiet] [--no-progress] [config-files]…

PARAMETERS

-c, --checks
    Comma-separated list of checks to enable/disable (e.g., 'no_relay,weak_tls')

-f, --format
    Output format: text (default), json, or sarif

-o, --output
    Write output to FILE; use '-' for stdout (default)

-q, --quiet
    Suppress non-error messages and progress bar

--no-progress
    Disable progress bar (useful in scripts)

-h, --help
    Print help and exit

-V, --version
    Print version info and exit

DESCRIPTION

gixy-next is a high-performance Rust-based static analysis tool for Postfix configuration files. It detects common security misconfigurations, deprecated options, and potential vulnerabilities that could lead to issues like open relays, weak TLS setups, or DoS vectors.

Designed as a faster, more maintainable successor to the original Python-based Gixy, it scans main.cf, master.cf, and related files for hundreds of rules derived from Postfix best practices and real-world exploits. Output can be formatted as human-readable text, JSON, or SARIF for CI/CD integration.

Ideal for sysadmins, DevOps teams, and security auditors, it runs quickly even on large configs, supports custom checks, and provides actionable fix suggestions. Regular updates incorporate new Postfix versions and emerging threats.

CAVEATS

Requires Postfix knowledge for interpreting results; false positives possible on custom setups. Does not modify configs.

EXAMPLES

gixy-next /etc/postfix/main.cf
gixy-next -f sarif -o report.sarif *.cf

INSTALLATION

Via Cargo: cargo install gixy-next. Binaries on GitHub releases.

HISTORY

Forked from the original Python Gixy (2017, GreenSecurity/Yury Geints) as a Rust rewrite for speed and scalability. Actively maintained since 2022, with Postfix 3.7+ support and 200+ checks.

SEE ALSO

postconf(5), postfix(8), gixy(1)
