Releases: dvershinin/gixy

v0.2.36

06 Mar 05:07

Add server mode (--server) for IDE integration — NDJSON over stdin/stdout protocol for persistent process communication.

v0.2.35

05 Mar 17:40

Release v0.2.35 — adds frozen binary builds for all platforms

v0.2.33

08 Feb 19:30

Fixed

  • status_page_exposed false positive: Servers listening only on Unix sockets (e.g. listen unix:/run/nginx/status.sock) no longer trigger the missing IP restrictions warning, since Unix domain sockets are inherently inaccessible from the network (#101).

v0.2.32

06 Feb 20:24

Fixed

  • HSTS false positive: security_headers on; (ngx_security_headers module) is now recognized as providing HSTS — no longer flags "Missing HSTS header".
  • HSTS false positive: more_set_headers setting Strict-Transport-Security is now recognized as providing HSTS.
  • ssl_prefer_server_ciphers false positive: Inverted the check — on is now flagged (LOW) instead of off (MEDIUM). All authoritative sources (Mozilla, nginx maintainers) recommend off for modern cipher lists.

v0.2.31

03 Feb 10:52

What's Changed

New Features

  • status_page_exposed: New security check that detects NGINX stub_status directives publicly accessible without IP restrictions. The stub_status module exposes server metrics (active connections, requests handled, etc.) that can aid attackers in reconnaissance. The check flags configurations missing allow directives or deny all.
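
The cases described for status_page_exposed in v0.2.31 and v0.2.33, written out as an added configuration example (not taken from the gixy project). The server names, the /nginx_status location and the allowed addresses are constructed for illustration; the socket path is the one quoted in the v0.2.33 note.

```nginx
# Constructed example: names, ports and addresses are illustrative assumptions.

# Case 1: stub_status on a network listener with no allow/deny rules.
# Per the v0.2.31 notes, this is the pattern status_page_exposed flags.
server {
    listen 80;
    server_name flagged.example.test;

    location /nginx_status {
        stub_status;
    }
}

# Case 2: the same endpoint restricted to the local host.
# allow entries followed by "deny all" are the restrictions the notes name.
server {
    listen 80;
    server_name restricted.example.test;

    location /nginx_status {
        stub_status;
        allow 127.0.0.1;
        allow ::1;
        deny all;
    }
}

# Case 3: a server that listens only on a Unix domain socket.
# Per the v0.2.33 notes, this no longer triggers the warning even without
# allow/deny, because the socket is not reachable from the network.
# Access is then governed by filesystem permissions on the socket path.
server {
    listen unix:/run/nginx/status.sock;

    location /nginx_status {
        stub_status;
    }
}
```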

Full Changelog: v0.2.30...v0.2.31

v0.2.30

02 Feb 06:05

What's Changed

Bug Fixes

  • regex_redos: Fixed false positive in ReDoS detection for optional groups (? quantifier). Patterns like ([a-z]+/)? with inner quantifiers are no longer incorrectly flagged as nested quantifier vulnerabilities, since the ? quantifier (0 or 1 times) cannot cause exponential backtracking.

Full Changelog: v0.2.29...v0.2.30

v0.2.29

29 Jan 16:54

Changed

  • Parser: Use parse_string() API directly instead of temporary file workaround, now that ngxparse supports it.

Full Changelog: v0.2.28...v0.2.29

v0.2.28

29 Jan 16:50

Changed

  • Dependency: Switched from crossplane to ngxparse for NGINX config parsing. ngxparse is a maintained fork with bug fixes and the same API.

Fixed

  • Parser: Fixed tokenization of adjacent braced variables like ${var1}${var2} in map directives (ngxparse 0.5.16).

Full Changelog: v0.2.27...v0.2.28

v0.2.27

27 Jan 16:33

Fix: Graceful handling of malformed nginx configs

Instead of crashing with IndexError on malformed directives like map $single_arg { }, gixy now catches the exception and displays a helpful error message suggesting the user run nginx -t to validate.

Changes

  • Add try/except wrapper in directive_factory for IndexError/TypeError
  • Display error message in CLI instead of silently failing
  • Add tests for malformed config handling

v0.2.26

26 Jan 19:27

Changes

  • Restore promotional footer in rich_console formatter linking to getpagespeed.com/repo-subscribe

This footer was accidentally removed in v0.2.25.