Gixy-Next: NGINX Configuration Misconfiguration Scanner

Published: (January 2, 2026 at 12:54 PM EST)
2 min read
Source: Dev.to

What is Gixy‑Next?

Gixy‑Next is a maintained fork in the “Gixy family” of NGINX configuration analyzers. It scans your configuration statically (no need to run NGINX) and reports findings with severity levels and actionable context.

It started as a fork of Yandex’s original Gixy (first released in 2017), which is now unmaintained and has fallen behind current Python versions and NGINX features. Gixy‑Next exists to keep the project healthy: modern Python support, bug fixes, improved detection logic, and a focus on maintainable, reviewable changes.

Quick start

Install

pip3 install gixy-next
# or, if you use uv:
uv pip install gixy-next

Run it (defaults to /etc/nginx/nginx.conf)

gixy

Scan a specific file

gixy /opt/nginx.conf

Tip: scan the fully rendered config (all include files resolved)

NGINX configs often sprawl across many include files, and scanning only nginx.conf misses whatever lives in conf.d/ or sites-enabled/. A reliable approach is to dump the entire rendered configuration with nginx -T and scan that single artifact on a different system than the one running NGINX, so the scanner and its Python dependencies never need to be installed on the server. Run the dump as a user that can read every included file (usually root), and treat the resulting file as sensitive: it contains the complete configuration.

# Dump the fully rendered NGINX configuration on one system
nginx -T > ./nginx-dump.conf

# Run gixy on another system, just with that single file
gixy ./nginx-dump.conf

# Or via stdin:
cat ./nginx-dump.conf | gixy -

What it catches (examples)

Gixy‑Next ships with a ton of plugins that detect a wide range of issues. A few examples you might care about:

  • HTTP response splitting hazards
  • SSRF‑style proxy misconfigurations
  • Host header spoofing risks
  • Alias path‑traversal gotchas
  • Weak Referer/Origin validation
  • Unanchored regex patterns and ReDoS risk
  • Risky DNS resolver configurations
  • Version disclosure via server_tokens
  • Patterns that look fine but are not, such as if inside a location block

You can browse the full plugin list in the Gixy‑Next documentation. The main point is: it finds the kinds of problems that are easy to mess up or completely miss.
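To make the bullet list concrete, here is a constructed configuration that trips several of the checks above, followed by the same configuration with each finding addressed. It is an added illustration written for this post, not a config taken from the Gixy‑Next project or its docs; the upstream name, socket path, addresses and host names are placeholders, and the comments describe each issue in the terms the plugin list uses rather than quoting exact plugin names.

```nginx
# --- BEFORE: constructed config with several scanner-detectable weaknesses ---
http {
    server_tokens on;              # version disclosure: nginx version in the Server header
    resolver 8.8.8.8;              # external resolver: DNS answers cross the network unauthenticated

    upstream backend {             # placeholder upstream
        server 10.0.0.10:8080;
    }

    server {
        listen 80 default_server;
        server_name example.com;

        location ~ \.php {         # unanchored regex: also matches /uploads/shell.php.jpg
            fastcgi_pass unix:/run/php-fpm.sock;
        }

        location /img {            # alias traversal: /img../x maps to /data/images/../x
            alias /data/images/;
        }

        location /old/ {
            # HTTP response splitting: $uri is decoded, so %0d%0a becomes CRLF in Location
            return 302 https://example.com$uri;
        }

        location ~ ^/proxy/(.*)$ {
            proxy_pass $1;         # SSRF: the client chooses scheme and host
        }

        location /api/ {
            # weak Origin check (unanchored, unescaped dot) and "if" inside location
            if ($http_origin ~ "example.com") {
                add_header Access-Control-Allow-Origin $http_origin;
            }
            proxy_set_header Host $http_host;   # Host spoofing: raw client header forwarded
            proxy_pass http://backend;
        }
    }
}

# --- AFTER: same config with each finding fixed ---
http {
    server_tokens off;
    resolver 127.0.0.1;            # local caching resolver instead of a public one

    upstream backend {
        server 10.0.0.10:8080;
    }

    # map replaces "if" in location and anchors the Origin check; empty value => header not sent
    map $http_origin $cors_origin {
        default "";
        "~^https://(www\.)?example\.com$" $http_origin;
    }

    server {
        listen 80 default_server;
        server_name example.com;

        location ~ \.php$ {        # anchored: only real .php paths reach PHP-FPM
            fastcgi_pass unix:/run/php-fpm.sock;
        }

        location /img/ {           # trailing slash: alias cannot be escaped with /img../
            alias /data/images/;
        }

        location /old/ {
            return 302 https://example.com$request_uri;   # raw, undecoded request URI
        }

        location ~ ^/proxy/(.*)$ {
            proxy_pass http://backend/$1;   # fixed scheme and host; only the path is client-controlled
        }

        location /api/ {
            add_header Access-Control-Allow-Origin $cors_origin;
            proxy_set_header Host $host;    # normalized host name, not the raw header
            proxy_pass http://backend;
        }
    }
}
```

Running gixy over the first half should report findings in the categories listed above; running it over the second half is a quick way to confirm that each fix actually silences the corresponding check rather than just moving it.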

Tune the signal: run only what you want

Run a focused subset of checks

gixy --tests http_splitting,ssrf,version_disclosure

Skip noisy checks

gixy --skips low_keepalive_requests,worker_rlimit_nofile_vs_connections

Filter by severity (compounding -l)

# -l  = LOW and higher
# -ll = MEDIUM and higher
# -lll = HIGH only
gixy -ll

Output formats: human‑friendly and machine‑friendly

Plain text (no ANSI colors)

gixy -f text

JSON (perfect for CI pipelines and dashboards)

gixy -f json ./nginx-dump.conf

The JSON includes fields like plugin, severity, file, line, reason, and a reference link for the specific check.
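One way to turn that JSON into a CI gate, as an added example written for this post rather than code shipped with Gixy‑Next: read the report, fail the job only for findings at or above a chosen severity, and optionally allow-list plugins you have consciously accepted. It assumes the output is a JSON array of objects carrying the fields named above (plugin, severity, file, line, reason, reference) and the Gixy family's severity names (UNSPECIFIED, LOW, MEDIUM, HIGH); verify the exact key names against the output of the version you run. The embedded sample report is constructed, not real scanner output.

```python
"""Gate a CI job on Gixy-Next JSON output (added example; assumes the field names named in the post)."""
import json
import sys
from collections import Counter

# Severity ranking used by the Gixy family; anything unknown ranks lowest.
SEVERITY_RANK = {"UNSPECIFIED": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed sample resembling `gixy -f json nginx-dump.conf` output.
# Field names follow the post; the reference URLs are placeholders.
SAMPLE_JSON = json.dumps([
    {"plugin": "version_disclosure", "severity": "LOW", "file": "nginx-dump.conf", "line": 3,
     "reason": "server_tokens is enabled", "reference": "https://example.invalid/docs/version_disclosure"},
    {"plugin": "host_spoofing", "severity": "MEDIUM", "file": "nginx-dump.conf", "line": 41,
     "reason": "proxy_set_header Host uses $http_host", "reference": "https://example.invalid/docs/host_spoofing"},
    {"plugin": "alias_traversal", "severity": "HIGH", "file": "nginx-dump.conf", "line": 22,
     "reason": "alias in location without trailing slash", "reference": "https://example.invalid/docs/alias_traversal"},
])


def severity_rank(name):
    """Map a severity string to its rank; unknown or missing values rank as 0."""
    return SEVERITY_RANK.get(str(name).upper(), 0)


def load_findings(text):
    """Parse the JSON report and insist on the expected shape (array of objects)."""
    data = json.loads(text)
    if not isinstance(data, list) or not all(isinstance(f, dict) for f in data):
        raise ValueError("expected a JSON array of finding objects")
    return data


def blocking_findings(findings, threshold="MEDIUM", allow_plugins=()):
    """Findings at or above the threshold whose plugin is not explicitly allowed."""
    floor = severity_rank(threshold)
    allowed = set(allow_plugins)
    return [f for f in findings
            if severity_rank(f.get("severity")) >= floor and f.get("plugin") not in allowed]


def summarize(findings):
    """Count findings per severity, always reporting every known level."""
    counts = Counter(str(f.get("severity", "UNSPECIFIED")).upper() for f in findings)
    return {name: counts.get(name, 0) for name in SEVERITY_RANK}


def format_finding(f):
    """One-line, grep-friendly rendering of a finding for CI logs."""
    return (f"[{f.get('severity')}] {f.get('plugin')} at {f.get('file')}:{f.get('line')}: "
            f"{f.get('reason')} ({f.get('reference')})")


def gate(text, threshold="MEDIUM", allow_plugins=()):
    """Return (exit_code, blocking_findings): 1 if anything blocks, else 0."""
    findings = load_findings(text)
    blocking = blocking_findings(findings, threshold, allow_plugins)
    return (1 if blocking else 0), blocking


def main(argv):
    # Usage: gixy -f json nginx-dump.conf | python gate.py [THRESHOLD] [plugin,plugin,...]
    threshold = argv[1] if len(argv) > 1 else "MEDIUM"
    allowed = argv[2].split(",") if len(argv) > 2 else ()
    text = sys.stdin.read()
    code, blocking = gate(text, threshold, allowed)
    for f in blocking:
        print(format_finding(f))
    print("severity counts:", summarize(load_findings(text)))
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The -ll flag already drops low findings before they reach the output; the gate is for the common case where you want the full report archived as a build artifact but the job to fail only on what you have decided matters, with accepted findings recorded as an explicit allow-list in the pipeline rather than silently skipped.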

Why I like this approach

  • It complements code review: reviewers focus on intent, the scanner catches patterns.
  • It turns “tribal knowledge” hardening rules into repeatable checks.
  • It fits modern workflows: run locally, run in CI, track over time.

Contributing / feedback

If you run into a config pattern that should be detected but is missed, open an issue with a minimal reproducible snippet. New plugins and improvements are welcome.
