GixyNG: NGINX Configuration Security Scanner for Security Audits

Overview

GixyNG is an open source NGINX configuration security scanner and hardening tool that performs static analysis of your nginx.conf to detect security misconfigurations, hardening gaps, and common performance pitfalls before they reach production.

Quick start

GixyNG (the gixy CLI) ~~is distributed on PyPI~~ (not distributed by PyPI just yet). You can install it with pip or uv:

# pip
pip3 install "GixyNG @ git+https://github.com/MegaManSec/GixyNG.git"

# uv
uv pip install "GixyNG @ git+https://github.com/MegaManSec/GixyNG.git"

You can also export your NGINX configuration to a single dump file:

# Dumps the full NGINX configuration into a single file (including all includes)
nginx -T > ./nginx-dump.conf

And then scan the dump file elsewhere (or via stdin):

# Equivalent to scanning the full rendered configuration output.
gixy ./nginx-dump.conf

# Equivalent to above
cat ./nginx-dump.conf | gixy -

What it can do

GixyNG can detect a wide range of NGINX security and performance misconfigurations across nginx.conf and included configuration files. The following plugins are supported:

Something not detected? Please open an issue on GitHub with what's missing!

Usage (flags)

gixy defaults to reading a system's NGINX configuration from /etc/nginx/nginx.conf. You can also specify the location by passing it to gixy:

# Analyze the configuration in /opt/nginx.conf
gixy /opt/nginx.conf

You can run a focused subset of checks with --tests:

# Only run these checks
gixy --tests http_splitting,ssrf,version_disclosure

Or skip a few noisy checks with --skips:

# Run everything except these checks
gixy --skips low_keepalive_requests,worker_rlimit_nofile_vs_connections

To only report issues of a certain severity or higher, use the compounding -l flag:

# -l for LOW severity issues and high, -ll for MEDIUM and higher, and -lll for only HIGH severity issues
gixy -ll

By default, the output of gixy is ANSI-colored; best viewed in an ANSI-compatible terminal. You can use the --format (-f) flag with the text value to get an uncolored output:

$ gixy -f text

==================== Results ===================

Problem: [http_splitting] Possible HTTP-Splitting vulnerability.
Description: Using variables that can contain "\n" may lead to http injection.
Additional info: https://gixy.io/plugins/http_splitting/
Reason: At least variable "$action" can contain "\n"
Pseudo config:
include /etc/nginx/sites/default.conf;

    server {

        location ~ /v1/((?<action>[^.]*)\.json)?$ {
            add_header X-Action $action;
        }
    }


==================== Summary ===================
Total issues:
    Unspecified: 0
    Low: 0
    Medium: 0
    High: 1

You can also use -f json to get a reproducible, machine-readable JSON output:

$ gixy -f json
[{"config":"\nserver {\n\n\tlocation ~ /v1/((?<action>[^.]*)\\.json)?$ {\n\t\tadd_header X-Action $action;\n\t}\n}","description":"Using variables that can contain \"\\n\" or \"\\r\" may lead to http injection.","file":"/etc/nginx/nginx.conf","line":4,"path":"/etc/nginx/nginx.conf","plugin":"http_splitting","reason":"At least variable \"$action\" can contain \"\\n\"","reference":"https://gixy.io/plugins/http_splitting/","severity":"HIGH","summary":"Possible HTTP-Splitting vulnerability."}]

More flags for usage can be found by passing --help to gixy. You can also find more information in the Usage Guide.

Configuration and plugin options

Some plugins expose options which you can set via CLI flags or a configuration file. You can read more about those in the Configuration guide.

GixyNG for NGINX security and compliance

Unlike running nginx -t which only checks syntax, GixyNG actually analyzes your configuration and detects unhardened instances and vulnerabilities.

With GixyNG, you can perform an automated NGINX configuration security review that can run locally or in CI/CD on every change, whether that be for auditing purposes, compliance, or just general testing, helping produce actionable findings that help prevent unstable/slow NGINX servers, and reduce risk from unsafe directives and insecure defaults.

Contributing

Contributions to GixyNG are always welcome! You can help us in different ways, such as:

Reporting bugs.
Suggesting new plugins for detection.
Improving documentation.
Fixing, refactoring, improving, and writing new code.

Before submitting any changes in pull requests, please read the contribution guideline document, Contributing to GixyNG.

The official homepage of GixyNG is https://gixy.io/. Any changes to documentation in GixyNG will automatically be reflected on that website.

The source code can be found at https://github.com/MegaManSec/GixyNG.

What is Gixy? (Background)

Gixy is an older NGINX configuration analyzer originally developed by Yandex. GixyNG is a maintained fork of Gixy that adds new checks, performance improvements, hardening suggestions, and support for modern Python and NGINX versions. If you are looking for an NGINX config scanner that is actively maintained, use GixyNG.