Skip to content

lexdotdev/nocapsec

Repository files navigation

nocapsec

No cap. Just verified vulnerabilities.

Proof engine for security findings. A client (typically an LLM) proposes a vulnerability finding as a structured reproduction bundle; the engine validates the evidence, applies strict policy, executes one deterministic proof rule, and returns a reproducible verdict (verified, not_reproduced, inconclusive, rejected, invalid). It is not a scanner: it never improvises payloads and never discovers issues on its own.

For more info see the How It Works document.

Installation

Prerequisites

  • Go 1.26.1 or newer — to build the binary.
  • Chrome or Chromium — only for browser-backed validators (reflected/stored XSS, open redirect). The rest of the engine runs without a browser.

Install from GitHub Releases

Download the latest release binary and add it to your PATH:

macOS (Apple Silicon)

curl -Lo nocapsec.tar.gz https://github.com/lexdotdev/nocapsec/releases/latest/download/nocapsec_0.1.0_darwin_arm64.tar.gz
tar xzf nocapsec.tar.gz nocapsec
sudo mv nocapsec /usr/local/bin/
rm nocapsec.tar.gz

macOS (Intel)

curl -Lo nocapsec.tar.gz https://github.com/lexdotdev/nocapsec/releases/latest/download/nocapsec_0.1.0_darwin_amd64.tar.gz
tar xzf nocapsec.tar.gz nocapsec
sudo mv nocapsec /usr/local/bin/
rm nocapsec.tar.gz

Linux (x86_64)

curl -Lo nocapsec.tar.gz https://github.com/lexdotdev/nocapsec/releases/latest/download/nocapsec_0.1.0_linux_amd64.tar.gz
tar xzf nocapsec.tar.gz nocapsec
sudo mv nocapsec /usr/local/bin/
rm nocapsec.tar.gz

Linux (arm64)

curl -Lo nocapsec.tar.gz https://github.com/lexdotdev/nocapsec/releases/latest/download/nocapsec_0.1.0_linux_arm64.tar.gz
tar xzf nocapsec.tar.gz nocapsec
sudo mv nocapsec /usr/local/bin/
rm nocapsec.tar.gz

All release archives and checksums are available at github.com/lexdotdev/nocapsec/releases.

Build from source

git clone https://github.com/lexdotdev/nocapsec.git
cd nocapsec
go build -o bin/nocapsec ./cmd/nocapsec

Or install straight onto your PATH (requires Go):

go install github.com/lexdotdev/nocapsec/cmd/nocapsec@latest

Verify the build:

./bin/nocapsec verify path/to/finding.json   # one-shot verification
./bin/nocapsec serve                         # HTTP API + worker pools
./bin/nocapsec doc ssrf.oast                 # print the schema + example for a finding type

Using With An LLM

  • See llms.txt for an LLM-oriented guide to the CLI, HTTP API, evidence rules, and common finding shapes.
  • See nocapsec skill for example of exploiter agent that produces evidence in nocapsec format.
  • See examples for local advisory reproductions and their target-provenance boundary.

Chrome / Chromium

Install a browser only if you use the browser-backed validators. Pass -browser to enable the runner.

  • macOSbrew install --cask google-chrome (or chromium), or download Chrome from google.com/chrome.
  • Debian / Ubuntusudo apt-get install -y chromium (or chromium-browser).
  • Fedora / RHELsudo dnf install -y chromium.
  • Docker / CI — use a base image that bundles Chromium (e.g. chromedp/headless-shell) and point the engine at it (see below).

The binary is located automatically in this precedence order:

  1. the -chrome-path flag (explicit path),
  2. the NOCAPSEC_CHROME_PATH environment variable,
  3. a google-chrome / chromium command on PATH,
  4. a well-known install location for the host OS (macOS app bundles, /usr/bin, /snap/bin, Windows Program Files).

On macOS, Chrome installs under /Applications and is not on PATH; detection covers the standard, Beta, and Canary bundles as well as per-user installs under ~/Applications. When detection fails, pin the binary explicitly:

nocapsec serve -browser -chrome-path "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"
# or, equivalently:
NOCAPSEC_CHROME_PATH="/path/to/chrome" nocapsec serve -browser

About

Proof engine for security findings

Resources

Stars

Watchers

Forks

Packages

 
 
 

Contributors

Languages