Why Choose Gixy? The Original NGINX Security Scanner

The History of Gixy

Gixy was originally developed at Yandex in 2017 by Andrew Krasichkov as an internal tool to audit their massive NGINX infrastructure. It was open-sourced and quickly became the de-facto standard for NGINX configuration security analysis, earning over 8,000 stars on the original repository.

When the original Yandex repository became unmaintained (last commit in 2019), the community stepped up. Gixy-NG (now the actively maintained fork at dvershinin/gixy) continued development, adding:

• Python 3.10+ support — the original broke on modern Python
• New security checks — 10+ additional plugins
• Performance improvements — faster parsing and analysis
• CI/CD integration — JSON output, exit codes, GitHub Actions
• VS Code extension — real-time IDE feedback

Gixy vs. The Competition

There are several NGINX security tools available. Here's how Gixy compares:

Feature	Gixy (gixy-ng)	nginx -t	Manual Review
Syntax validation	✓	✓	~
Security analysis	✓ 30+ checks	✗	~ Manual
SSRF detection	✓	✗	~
HTTP splitting detection	✓	✗	~
Variable tracking	✓ Deep analysis	✗	✗
Include resolution	✓ Automatic	✓	✗ Manual
CI/CD integration	✓ JSON, exit codes	~ Basic	✗
IDE integration	✓ VS Code	✗	✗
GitHub stars	1,200+	N/A	N/A
Active maintenance	✓ 6+ years	✓	N/A

Why 1,200+ GitHub Stars Matter

GitHub stars aren't just vanity metrics. They represent:

• Community trust — developers have evaluated and endorsed the tool
• Battle-tested code — used in production by thousands of teams
• Active community — issues get reported and fixed quickly
• Stability — you're not betting on a fly-by-night project

What Gixy Detects

Gixy includes 30+ security checks covering the most dangerous NGINX misconfigurations:

Critical Security Issues

• SSRF — Server Side Request Forgery via unsafe proxy_pass variables
• HTTP Response Splitting — header injection via newlines
• Host Header Spoofing — $host in sensitive contexts
• Alias Traversal — path escape via misconfigured alias

Configuration Hardening

• add_header Overwrite — security headers lost in nested blocks
• Version Disclosure — server_tokens leaking version info
• Referrer/Origin Bypass — weak validation patterns
• SSL/TLS Weaknesses — insecure protocols and ciphers

Real-World Example

Consider this seemingly innocent NGINX configuration:

location /api/ {
    proxy_pass http://backend$request_uri;
}

location ~ /v1/((?<action>[^.]*)\\.json)?$ {
    add_header X-Action $action;
}

Running gixy reveals two critical issues:

$ gixy /etc/nginx/nginx.conf

==================== Results ====================

⚠ [ssrf] Server Side Request Forgery
  Using $request_uri in proxy_pass allows attackers to
  send requests to arbitrary internal servers.
  Severity: HIGH

✗ [http_splitting] HTTP Response Splitting
  Variable $action can contain newlines, enabling
  HTTP header injection attacks.
  Severity: HIGH

==================== Summary ====================
Total issues: 2 (High: 2, Medium: 0, Low: 0)

Getting Started

Install Gixy in seconds:

# Install with pip
pip install gixy-ng

# Scan your configuration
gixy /etc/nginx/nginx.conf

# Or use with nginx -T dump
nginx -T | gixy -

Frequently Asked Questions

Is Gixy free?

Yes, Gixy is 100% free and open-source under the MIT license. Use it for personal or commercial projects without restrictions.

Does Gixy work with NGINX Plus?

Yes, Gixy works with both open-source NGINX and NGINX Plus. It analyzes the configuration syntax which is identical between versions.

Can I use Gixy in CI/CD pipelines?

Absolutely! Gixy is designed for automation. Use -f json for machine-readable output and configure exit codes for your pipeline.

What Python versions are supported?

Gixy (gixy-ng) supports Python 3.6 through 3.12. The original Yandex version only worked with Python 2.7/3.5.