What changed

Findings now get an exploitability score built from severity, analysis kind, evidence strength, and path validation. Console output shows the score, and --min-score filters findings by it when a repo is especially noisy.

Quality-category rules are excluded by default, high-frequency quality findings roll up by file and rule, and low-severity budgets keep minor issues from burying the things you probably opened the scanner to find.

State analysis

Nyx adds per-variable resource-state and auth-level state checks: use-after-close, double close, must-leak, may-leak, and unauthenticated sink access. It also adds inline nyx:ignore suppression comments, with same-line, next-line, comma-list, wildcard, and string-literal guard support.
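To make the resource-state checks concrete, here is an added example (not Nyx's own code) of a forward dataflow pass that reports use-after-close, double close, must-leak and may-leak over a small control-flow graph. The block/statement IR, the three states, the finding names and the sample CFG are all assumptions made for the illustration; the point it shows is that tracking the set of states a variable may be in, and merging at joins, is what separates a must-leak from a may-leak.

```python
"""Per-variable resource-state checks over a small control-flow graph.

Added example, not Nyx's own code: the IR, the states and the finding
names are assumptions chosen to show how use-after-close, double close,
must-leak and may-leak fall out of one forward dataflow pass that tracks
the *set* of states a variable may be in on each path.
"""
UNALLOC, OPEN, CLOSED = "unalloc", "open", "closed"


def _transfer(name, stmts, state, findings):
    """Run a block's statements ("open"/"close"/"use", var) over a copy of its
    entry state. Findings are recorded only when `findings` is a set, so the
    same function serves the fixpoint loop (no reporting) and the report pass."""
    state = {v: set(s) for v, s in state.items()}
    for op, var in stmts:
        cur = state.get(var, {UNALLOC})
        if op == "open":
            state[var] = {OPEN}
        elif op == "close":
            if CLOSED in cur and findings is not None:
                findings.add(("double-close", var, name))
            state[var] = {CLOSED}
        elif op == "use":
            if CLOSED in cur and findings is not None:
                findings.add(("use-after-close", var, name))
        else:
            raise ValueError(f"unknown op {op!r}")
    return state


def _merge_into(target, incoming, fresh):
    """Union a predecessor's exit state into a successor's entry state.
    A variable absent on one side is untracked there (UNALLOC); keeping that
    possibility is what stops a conditional open from becoming a must-leak.
    Returns True if `target` changed."""
    changed = False
    for var in set(target) | set(incoming):
        new = set(incoming.get(var, {UNALLOC}))
        if var not in target and not fresh:
            new.add(UNALLOC)  # an earlier predecessor arrived with var untracked
        before = set(target.get(var, set()))
        target[var] = before | new
        changed |= target[var] != before
    return changed


def analyze(blocks, entry="entry"):
    """blocks: {name: {"stmts": [...], "succ": [names]}}; a block with no
    successors is a function exit. Returns sorted (kind, var, block) tuples."""
    in_state = {name: {} for name in blocks}
    reached, worklist = {entry}, [entry]
    # Pass 1: iterate entry states to a fixpoint (handles joins and loops).
    while worklist:
        name = worklist.pop()
        out = _transfer(name, blocks[name]["stmts"], in_state[name], None)
        for s in blocks[name]["succ"]:
            fresh = s not in reached
            reached.add(s)
            if _merge_into(in_state[s], out, fresh) or fresh:
                worklist.append(s)
    # Pass 2: report against the final states, so a verdict formed before the
    # other path merged in (a must-leak that is really a may-leak) cannot stick.
    findings = set()
    for name in reached:
        out = _transfer(name, blocks[name]["stmts"], in_state[name], findings)
        if not blocks[name]["succ"]:
            for var, states in out.items():
                if states == {OPEN}:
                    findings.add(("must-leak", var, name))
                elif OPEN in states:
                    findings.add(("may-leak", var, name))
    return sorted(findings)


# Constructed sample: one function with an if/else join before its exit.
SAMPLE_CFG = {
    "entry": {"stmts": [("open", "fd"), ("use", "fd"), ("open", "g"), ("open", "h")],
              "succ": ["then", "else"]},
    "then": {"stmts": [("close", "fd"), ("use", "fd")], "succ": ["exit"]},  # use after close
    "else": {"stmts": [("close", "g"), ("close", "g")], "succ": ["exit"]},  # double close
    "exit": {"stmts": [], "succ": []},  # fd, g closed on one path only; h never closed
}

if __name__ == "__main__":
    for kind, var, block in analyze(SAMPLE_CFG):
        print(f"{kind:16} {var:3} in block {block}")
```

The two-pass shape matters: reporting leaks inside the worklist loop would emit a must-leak for fd the first time the exit block is visited, before the other branch's closed state has been merged in, and that premature finding would never be retracted.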

CLI notes

  • --severity replaced --high-only with expressions like >=MEDIUM.
  • --mode replaced the older AST and CFG toggles.
  • --fail-on added CI exit-code gating by severity.
  • The console renderer was cleaned up and now shows confidence beside the score.
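The severity expressions and --fail-on gate above, together with the quality roll-up and low-severity budget described under "What changed", as one added example. This is not Nyx's implementation: the operator set, the level order, the budget semantics, the "quality" category name and the decision to evaluate the --fail-on gate on the unfiltered finding list are all assumptions made here to show how the pieces fit together.

```python
"""Severity expressions, quality roll-up, low-severity budget and CI gating.

Added example, not Nyx's implementation: the operator set, the level
order, the budget semantics and the choice to evaluate --fail-on on the
unfiltered list are assumptions used to show how a console pipeline and
an exit-code gate can be wired from a list of findings.
"""
import re

LEVELS = ["INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
RANK = {name: i for i, name in enumerate(LEVELS)}
_EXPR = re.compile(r"^(>=|<=|==|!=|>|<)?\s*([A-Z]+)$")


def parse_severity(expr):
    """Turn an expression such as ">=MEDIUM" into a predicate over level names.
    A bare level ("HIGH") means "==HIGH"."""
    m = _EXPR.match(expr.strip().upper())
    if not m or m.group(2) not in RANK:
        raise ValueError(f"bad severity expression: {expr!r}")
    op, level = m.group(1) or "==", RANK[m.group(2)]
    ops = {
        ">=": lambda r: r >= level, "<=": lambda r: r <= level,
        "==": lambda r: r == level, "!=": lambda r: r != level,
        ">": lambda r: r > level, "<": lambda r: r < level,
    }
    return lambda sev: ops[op](RANK[sev])


def filter_findings(findings, expr):
    keep = parse_severity(expr)
    return [f for f in findings if keep(f["severity"])]


def rollup(findings, categories=("quality",)):
    """Collapse findings in `categories` to one row per (file, rule) with a
    count; everything else stays as an individual row (count=1)."""
    rows, rolled = [], {}
    for f in findings:
        if f["category"] not in categories:
            rows.append(dict(f, count=1))
            continue
        key = (f["file"], f["rule"])
        rolled.setdefault(key, dict(f, count=0))["count"] += 1
    return rows + list(rolled.values())


def apply_budget(findings, below="MEDIUM", budget=2):
    """Keep at most `budget` rows whose severity is below `below`.
    Returns (shown, suppressed) so the console can say how many were cut."""
    is_minor = parse_severity("<" + below)
    shown, suppressed = [], 0
    for f in findings:
        if is_minor(f["severity"]):
            if budget == 0:
                suppressed += 1
                continue
            budget -= 1
        shown.append(f)
    return shown, suppressed


def exit_code(findings, fail_on):
    """CI gate: 1 if any finding matches the --fail-on expression, else 0."""
    return 1 if filter_findings(findings, fail_on) else 0


def triage(findings, severity=">=LOW", fail_on=">=HIGH", low_budget=2,
           include_quality=False):
    """Console pipeline: category filter -> severity filter -> roll-up -> budget.
    The gate runs on the unfiltered list so display options cannot hide a failure."""
    shown = [f for f in findings if include_quality or f["category"] != "quality"]
    shown = rollup(filter_findings(shown, severity))
    shown, suppressed = apply_budget(shown, budget=low_budget)
    return shown, suppressed, exit_code(findings, fail_on)


# Constructed sample findings (not real scanner output).
FINDINGS = [
    {"rule": "use-after-close", "category": "security", "severity": "HIGH", "file": "db.py"},
    {"rule": "unauthenticated-sink", "category": "security", "severity": "CRITICAL", "file": "api.py"},
    {"rule": "may-leak", "category": "security", "severity": "LOW", "file": "db.py"},
    {"rule": "line-too-long", "category": "quality", "severity": "INFO", "file": "util.py"},
    {"rule": "line-too-long", "category": "quality", "severity": "INFO", "file": "util.py"},
    {"rule": "line-too-long", "category": "quality", "severity": "INFO", "file": "util.py"},
    {"rule": "unused-import", "category": "quality", "severity": "LOW", "file": "util.py"},
    {"rule": "unused-import", "category": "quality", "severity": "LOW", "file": "api.py"},
]

if __name__ == "__main__":
    shown, suppressed, code = triage(FINDINGS, include_quality=True, severity=">=INFO")
    for f in shown:
        print(f"{f['severity']:8} {f['rule']:22} {f['file']:8} x{f['count']}")
    print(f"{suppressed} low-severity rows suppressed; exit code {code}")
```

Running the gate on the full list rather than the displayed one is the design choice worth copying: a developer who narrows the console with --severity or a tight low-severity budget should not be able to turn a failing CI run green by accident.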

Release Notes for today's update can be found here.