build(deps): bump gixy-ng from 0.2.27 to 0.2.34

[dependabot]

Bumps gixy-ng from 0.2.27 to 0.2.34.

Release notes

Sourced from gixy-ng's releases.

v0.2.34

Fixed

• Documentation: Fixed malformed Docker command in README and documentation (missing space before nginx:alpine)
• Documentation: Updated outdated /plugins/ paths to /checks/ with kebab-case naming across all README and doc index files
• Documentation: Added missing status_page_exposed check to the Access Control section in English documentation index
• CI/CD: Changed PyPI publish workflow trigger from release: created to release: published for consistency with Docker publish workflow
• Code: Fixed double period typo in gixy/core/variable.py docstring

Full Changelog: dvershinin/gixy@v0.2.33...v0.2.34

v0.2.33

Fixed

• status_page_exposed false positive: Servers listening only on Unix sockets (e.g. listen unix:/run/nginx/status.sock) no longer trigger the missing IP restrictions warning, since Unix domain sockets are inherently inaccessible from the network (#101).

v0.2.32

Fixed

• HSTS false positive: security_headers on; (ngx_security_headers module) is now recognized as providing HSTS — no longer flags "Missing HSTS header".
• HSTS false positive: more_set_headers setting Strict-Transport-Security is now recognized as providing HSTS.
• ssl_prefer_server_ciphers false positive: Inverted the check — on is now flagged (LOW) instead of off (MEDIUM). All authoritative sources (Mozilla, nginx maintainers) recommend off for modern cipher lists.

v0.2.31

What's Changed

New Features

• status_page_exposed: New security check that detects NGINX stub_status directives publicly accessible without IP restrictions. The stub_status module exposes server metrics (active connections, requests handled, etc.) that can aid attackers in reconnaissance. The check flags configurations missing allow directives or deny all.

Full Changelog

dvershinin/gixy@v0.2.30...v0.2.31

v0.2.30

What's Changed

Bug Fixes

• regex_redos: Fixed false positive in ReDoS detection for optional groups (? quantifier). Patterns like ([a-z]+/)? with inner quantifiers are no longer incorrectly flagged as nested quantifier vulnerabilities, since the ? quantifier (0 or 1 times) cannot cause exponential backtracking.

Full Changelog

dvershinin/gixy@v0.2.29...v0.2.30

v0.2.29

Changed

• Parser: Use parse_string() API directly instead of temporary file workaround, now that ngxparse supports it.

Full Changelog: dvershinin/gixy@v0.2.28...v0.2.29

v0.2.28

Changed

• Dependency: Switched from crossplane to ngxparse for NGINX config parsing. ngxparse is a maintained fork with bug fixes and the same API.

... (truncated)

Changelog

Sourced from gixy-ng's changelog.

[0.2.34] - 2026-02-12

Fixed

• Documentation: Fixed malformed Docker command in README and documentation (missing space before nginx:alpine).
• Documentation: Updated outdated /plugins/ paths to /checks/ with kebab-case naming across all README and doc index files.
• Documentation: Added missing status_page_exposed check to the Access Control section in English documentation index.
• CI/CD: Changed PyPI publish workflow trigger from release: created to release: published for consistency with Docker publish workflow.
• Code: Fixed double period typo in gixy/core/variable.py docstring.

[0.2.33] - 2026-02-09

Fixed

• status_page_exposed false positive: Servers listening only on Unix sockets (e.g. listen unix:/run/nginx/status.sock) no longer trigger the missing IP restrictions warning, since Unix domain sockets are inherently inaccessible from the network (#101).

[0.2.32] - 2026-02-07

Fixed

• HSTS false positive: security_headers on; (ngx_security_headers module) is now recognized as providing HSTS — no longer flags "Missing HSTS header".
• HSTS false positive: more_set_headers setting Strict-Transport-Security is now recognized as providing HSTS.
• ssl_prefer_server_ciphers false positive: Inverted the check — on is now flagged (LOW) instead of off (MEDIUM). All authoritative sources (Mozilla, nginx maintainers) recommend off for modern cipher lists.

[0.2.29] - 2026-01-30

Changed

• Parser: Use parse_string() API directly instead of temporary file workaround, now that ngxparse supports it.

[0.2.28] - 2026-01-30

Changed

• Dependency: Switched from crossplane to ngxparse for NGINX config parsing. ngxparse is a maintained fork with bug fixes and the same API.

Fixed

• Parser: Fixed tokenization of adjacent braced variables like ${var1}${var2} in map directives (ngxparse 0.5.16).

[0.2.25] - 2025-12-28

Changed

• Terminology: User-facing documentation now uses "checks" instead of "plugins" for clarity and consistency.
• CLI: --checks is now the primary flag for selecting checks to run (--tests remains as a backward-compatible alias).
• Configuration: Config files now prefer checks = ... over tests = ... (both still work for backward compatibility).
• Help URLs: Plugin help URLs are now auto-generated from class names using kebab-case slugs (e.g., http_splitting → /checks/http-splitting/).
• Documentation URLs: All check documentation moved from /plugins/ to /checks/ path with kebab-case naming.

Fixed

• Pre-commit hooks: Removed hardcoded filesystem paths; hooks now work in any environment.
• Documentation front-matter: Fixed missing/short SEO metadata in Chinese documentation files.

Developer

• Plugin base class now auto-generates help_url property from class name (no manual URL definition needed).
• Plugins can override with _help_url class attribute for external documentation links.

... (truncated)

Commits

• 265aa65 release: v0.2.34
• abcc450 fix: include MANIFEST.in in Docker build for template files
• 2f4fd33 test: add Docker image integration test
• 09dd111 fix: use USER nobody for non-root container execution
• 2e07350 chore: add sonar-project.properties to ignore root user in Dockerfile
• 7f1102f fix: use explicit COPY for Dockerfile instead of COPY .
• 4a9fb0d fix: use line-before NOSONAR comments in Dockerfile
• 48ebe37 fix: move NOSONAR comments to same line as flagged code
• e96b816 fix: resolve SonarCloud security hotspots
• 3775e51 fix: use custom sre_parse in regex_redos for PCRE pattern support
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)