Nix

Nix package analysis and vulnerability scanning capabilities

Package analysis

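| Cataloger + Evidence | License | Dependencies: Depth | Dependencies: Edges | Dependencies: Kinds | Package Manager Claims: Files | Package Manager Claims: Digests | Package Manager Claims: Integrity Hash |
|---|---|---|---|---|---|---|---|
| nix-cataloger: `nix/var/nix/db/db.sqlite`, `nix/store/*`, `nix/store/*.drv` | | transitive | complete | runtime | | | |
| nix-store-cataloger: `nix/store/*`, `nix/store/*.drv` | | transitive | complete | runtime | | | |
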
Syft Configuration

| Configuration Key | Description |
|---|---|
| nix.capture-owned-files | Determines whether to record the list of files owned by each Nix package discovered in the store. Recording owned files provides more detailed information but increases processing time and memory usage. |

Vulnerability scanning

| Data Source | Disclosures: Affected | Disclosures: Date | Fixes: Versions | Fixes: Date | Track by Source Package |
|---|---|---|---|---|---|
| National Vulnerability Database (NVD) | | | | | |

Grype Configuration

| Configuration Key | Description |
|---|---|
| match.stock.using-cpes | Use CPE package identifiers to find vulnerabilities |

Last modified October 23, 2025: fix section ref (9417a27)