
yandex/gixy

8,556 · Python · Audience: ops, devops · Complexity: 2/5 · Setup: easy

TLDR

A command-line tool from Yandex that scans Nginx configuration files for security vulnerabilities like SSRF, HTTP splitting, path traversal, and header misconfigurations, and reports findings with severity levels and fix references.

Mindmap

mindmap
  root((Gixy))
    What it checks
      SSRF
      HTTP splitting
      Path traversal
      Header misuse
    Usage
      pip install
      Docker image
      CLI invocation
    Output
      Issue description
      Severity level
      Reference links
    Platform
      GNU Linux
      Python based

Things people build with this

USE CASE 1

Scan your Nginx config for known security vulnerabilities before deploying to production.

USE CASE 2

Use the Docker image to audit an Nginx config without installing Python or any local dependencies.

USE CASE 3

Integrate Gixy into a CI pipeline to automatically catch Nginx misconfigurations on every code change.

Tech stack

Python, Docker

Getting it running

Difficulty · easy Time to first run · 5min

Officially tested on GNU/Linux only; per the README, other operating systems may have issues.

In plain English

Gixy is a command-line tool from Yandex that analyzes Nginx configuration files for security problems. Nginx is a popular web server, and its configuration files control how the server handles requests, routes traffic, and sets HTTP headers. A misconfigured Nginx setup can introduce security vulnerabilities even when the application code itself is fine.

Gixy reads your configuration file and flags specific patterns known to cause problems. The issue types it currently checks for include server-side request forgery, HTTP splitting, problems with how referrer and origin headers are validated, misuse of the add_header directive, host header forgery, path traversal through misconfigured aliases, and multiline response headers. Each detected issue includes a description, a severity level, and a reference link with more details, and the output shows which part of the configuration triggered the finding.

You install Gixy with pip and run it from the command line, pointing it at your nginx.conf file. By default it looks for the configuration at /etc/nginx/nginx.conf, but you can specify any path. Individual checks can be skipped if you know they are not relevant for your setup. A Docker image is also available if you prefer not to install it locally; mount your configuration file as a volume for analysis.

The project was built and is maintained by Yandex. It is written in Python and tested on GNU/Linux; the README notes that other operating systems may have issues. New detection plugins can be contributed, and planned additions are tracked in the issue tracker.
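To make concrete what one of the checks above catches, here is an added example (not code from the Gixy repository) of a simplified detector for the alias path-traversal pattern: a location prefix without a trailing slash combined with an alias that ends in one. The sample configuration, the regexes and the function name are constructed for this illustration; Gixy's own plugin is more thorough.

```python
import re

# Constructed sample nginx snippet (not from the Gixy repo). The first location
# is the classic alias-traversal shape; the second is the safe form.
SAMPLE_CONF = """
server {
    location /static {
        alias /var/www/app/static/;
    }
    location /img/ {
        alias /var/www/app/images/;
    }
}
"""

# Matches "location [modifier] <prefix> { ... }" and captures prefix and body.
LOCATION_RE = re.compile(r'location\s+(?:[=~*^]+\s+)?(\S+)\s*\{([^}]*)\}', re.S)
# Matches an "alias <path>;" directive inside a location body.
ALIAS_RE = re.compile(r'\balias\s+(\S+?)\s*;')


def find_alias_traversal(conf: str) -> list[dict]:
    """Return one finding per location whose prefix lacks a trailing slash
    while its alias ends with one. With "location /static { alias /root/; }"
    a request for /static../ maps to /root/../, i.e. outside the alias root.
    Simplified illustration of the issue class, not Gixy's implementation."""
    findings = []
    for m in LOCATION_RE.finditer(conf):
        prefix, body = m.group(1), m.group(2)
        a = ALIAS_RE.search(body)
        if a is None:
            continue
        target = a.group(1)
        if not prefix.endswith('/') and target.endswith('/'):
            findings.append({
                'location': prefix,
                'alias': target,
                'severity': 'HIGH',
                'fix': f'use "location {prefix}/ {{ alias {target}; }}" '
                       f'so prefix and alias both end with "/"',
            })
    return findings


if __name__ == '__main__':
    for finding in find_alias_traversal(SAMPLE_CONF):
        print(finding)
```

Running it reports only the /static location; the /img/ block passes because its prefix and alias both end with a slash.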

Copy-paste prompts

Prompt 1
Run Gixy on my /etc/nginx/nginx.conf to check for security issues and explain what each finding means and how to fix it.
Prompt 2
Use the Gixy Docker image to scan my nginx.conf by mounting it as a volume; give me the exact Docker run command.
Prompt 3
Add Gixy to my GitHub Actions workflow to check Nginx configuration files on every pull request and fail the build on findings.
Prompt 4
Gixy flagged an add_header directive misuse in my config; explain the vulnerability and show me the corrected Nginx configuration.