Extensible, rule-based static auditor for NixOS configuration code, with multiple reporting outputs (JSON, Markdown, evaluation-time warnings and assertions).
For a complete list of available NixOS module options, see ./options.md.
For a complete list of the default NixSecAuditor rules, see ./nixos/rules.
To remove all NixSecAuditor rules, add the following to your NixOS configuration:
```nix
{
  disabledModules = [
    (nixsecauditor.nixosModules.default + "/rules")
  ];
}
```

Add nixsecauditor as a flake input and include the NixOS module in your system configuration:

```nix
{
  inputs.nixsecauditor.url = "github:yunfachi/NixSecAuditor";

  outputs = { nixpkgs, nixsecauditor, ... }:
    {
      nixosConfigurations.nixos = nixpkgs.lib.nixosSystem {
        modules = [
          # Other modules...
          nixsecauditor.nixosModules.default
        ];
      };
    };
}
```

Then, enable NixSecAuditor in your NixOS configuration:

```nix
{
  security.nixsecauditor.enable = true;
}
```

Import the module directly from the Git repository:

```nix
{ pkgs, lib, ... }:
let
  nixsecauditor = import (builtins.fetchGit {
    url = "https://github.com/yunfachi/NixSecAuditor";
  });
in
{
  imports = [ nixsecauditor.nixosModules.default ];
  security.nixsecauditor.enable = true;
}
```

This project is licensed under the MIT License.
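The `builtins.fetchGit` import shown above fetches whatever the repository's default branch currently points to, so the set of audit rules evaluated against your system can change from one build to the next. Pinning the fetch to a specific commit keeps the module reproducible and lets you review a rule set before it is applied. The following `configuration.nix` is an added example, not code from the NixSecAuditor README; the `rev` value is a placeholder to be replaced with the commit hash you have reviewed, and the `ref` line is only needed when that commit is not reachable from the default branch.

```nix
# configuration.nix (added example; not from the NixSecAuditor project)
{ pkgs, lib, ... }:
let
  nixsecauditor = import (builtins.fetchGit {
    url = "https://github.com/yunfachi/NixSecAuditor";
    # Pin to a reviewed commit so the rule set cannot change underneath you.
    # PLACEHOLDER: replace with the full 40-character commit hash you audited.
    rev = "0000000000000000000000000000000000000000";
    # Uncomment and set if the pinned commit lives on a non-default branch
    # (branch name is an assumption, not taken from the project):
    # ref = "main";
  });
in
{
  imports = [ nixsecauditor.nixosModules.default ];
  security.nixsecauditor.enable = true;
}
```

When you later bump `rev`, diff the `nixos/rules` directory between the old and new commits so that changes to the audit rules are reviewed like any other dependency update.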