No cap. Just verified vulnerabilities.
Proof engine for security findings. A client (typically an LLM) proposes a vulnerability finding as a structured reproduction bundle; the engine validates the evidence, applies strict policy, executes one deterministic proof rule, and returns a reproducible verdict (verified, not_reproduced, inconclusive, rejected, invalid). It is not a scanner: it never improvises payloads and never discovers issues on its own.
For more info see the How It Works document.
- Go 1.26.1 or newer — to build the binary.
- Chrome or Chromium — only for browser-backed validators (reflected/stored XSS, open redirect). The rest of the engine runs without a browser.
Download the latest release binary and add it to your PATH:

macOS (Apple Silicon)

```bash
curl -Lo nocapsec.tar.gz https://github.com/lexdotdev/nocapsec/releases/latest/download/nocapsec_0.1.0_darwin_arm64.tar.gz
tar xzf nocapsec.tar.gz nocapsec
sudo mv nocapsec /usr/local/bin/
rm nocapsec.tar.gz
```

macOS (Intel)

```bash
curl -Lo nocapsec.tar.gz https://github.com/lexdotdev/nocapsec/releases/latest/download/nocapsec_0.1.0_darwin_amd64.tar.gz
tar xzf nocapsec.tar.gz nocapsec
sudo mv nocapsec /usr/local/bin/
rm nocapsec.tar.gz
```

Linux (x86_64)

```bash
curl -Lo nocapsec.tar.gz https://github.com/lexdotdev/nocapsec/releases/latest/download/nocapsec_0.1.0_linux_amd64.tar.gz
tar xzf nocapsec.tar.gz nocapsec
sudo mv nocapsec /usr/local/bin/
rm nocapsec.tar.gz
```

Linux (arm64)

```bash
curl -Lo nocapsec.tar.gz https://github.com/lexdotdev/nocapsec/releases/latest/download/nocapsec_0.1.0_linux_arm64.tar.gz
tar xzf nocapsec.tar.gz nocapsec
sudo mv nocapsec /usr/local/bin/
rm nocapsec.tar.gz
```

All release archives and checksums are available at github.com/lexdotdev/nocapsec/releases.
Or build from source:

```bash
git clone https://github.com/lexdotdev/nocapsec.git
cd nocapsec
go build -o bin/nocapsec ./cmd/nocapsec
```

Or install straight onto your PATH (requires Go):

```bash
go install github.com/lexdotdev/nocapsec/cmd/nocapsec@latest
```

Verify the build:
```bash
./bin/nocapsec verify path/to/finding.json   # one-shot verification
./bin/nocapsec serve                         # HTTP API + worker pools
./bin/nocapsec doc ssrf.oast                 # print the schema + example for a finding type
```

- See llms.txt for an LLM-oriented guide to the CLI, HTTP API, evidence rules, and common finding shapes.
- See the nocapsec skill for an example of an exploiter agent that produces evidence in nocapsec format.
- See examples for local advisory reproductions and their target-provenance boundary.
Install a browser only if you use the browser-backed validators. Pass `-browser` to enable the runner.

- macOS — `brew install --cask google-chrome` (or `chromium`), or download Chrome from google.com/chrome.
- Debian / Ubuntu — `sudo apt-get install -y chromium` (or `chromium-browser`).
- Fedora / RHEL — `sudo dnf install -y chromium`.
- Docker / CI — use a base image that bundles Chromium (e.g. `chromedp/headless-shell`) and point the engine at it (see below).
The binary is located automatically in this precedence order:

- the `-chrome-path` flag (explicit path),
- the `NOCAPSEC_CHROME_PATH` environment variable,
- a `google-chrome`/`chromium` command on `PATH`,
- a well-known install location for the host OS (macOS app bundles, `/usr/bin`, `/snap/bin`, Windows `Program Files`).
On macOS, Chrome installs under /Applications and is not on PATH; detection covers the standard, Beta, and Canary bundles as well as per-user installs under ~/Applications. When detection fails, pin the binary explicitly:
```bash
nocapsec serve -browser -chrome-path "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"
# or, equivalently:
NOCAPSEC_CHROME_PATH="/path/to/chrome" nocapsec serve -browser
```
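The precedence order above (flag, then environment variable, then `PATH`, then well-known locations) and the "pin it explicitly when detection fails" advice are illustrated by the following Go program. It is an added example written for this page, not nocapsec's own resolver: the `Resolver` type, the `Resolve` method, the list of well-known paths and the rule that a non-existent explicit pin is an error rather than a silent fallback are all assumptions of this example. The lookup sources are injectable so the ordering can be exercised without touching the real host.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"runtime"
)

// Environment variable name as documented for the -browser runner.
const envChromePath = "NOCAPSEC_CHROME_PATH"

// ErrChromeNotFound is returned when every lookup source comes up empty.
var ErrChromeNotFound = errors.New("no chrome/chromium binary found; pass -chrome-path or set " + envChromePath)

// Resolver bundles the lookup sources consulted in precedence order.
// Hypothetical type for this example; fields are injectable for testing.
type Resolver struct {
	FlagPath   string                       // explicit -chrome-path value ("" if unset)
	Getenv     func(string) string          // environment lookup (os.Getenv on a real host)
	LookPath   func(string) (string, error) // PATH lookup (exec.LookPath on a real host)
	FileExists func(string) bool            // existence check for candidate paths
	GOOS       string                       // host OS (runtime.GOOS on a real host)
	Home       string                       // user home, for ~/Applications on macOS
}

// NewHostResolver wires the resolver to the real host.
func NewHostResolver(flagPath string) Resolver {
	home, _ := os.UserHomeDir()
	return Resolver{
		FlagPath: flagPath,
		Getenv:   os.Getenv,
		LookPath: exec.LookPath,
		FileExists: func(p string) bool {
			st, err := os.Stat(p)
			return err == nil && !st.IsDir()
		},
		GOOS: runtime.GOOS,
		Home: home,
	}
}

// wellKnownPaths lists conventional install locations per OS (assumed list
// covering the standard, Beta and Canary bundles and per-user installs).
func wellKnownPaths(goos, home string) []string {
	switch goos {
	case "darwin":
		var out []string
		for _, root := range []string{"/Applications", filepath.Join(home, "Applications")} {
			for _, app := range []string{"Google Chrome", "Google Chrome Beta", "Google Chrome Canary", "Chromium"} {
				out = append(out, filepath.Join(root, app+".app", "Contents", "MacOS", app))
			}
		}
		return out
	case "linux":
		return []string{"/usr/bin/google-chrome", "/usr/bin/chromium", "/usr/bin/chromium-browser", "/snap/bin/chromium"}
	}
	return nil
}

// Resolve walks the precedence order and returns the binary plus the source it
// came from. An explicit pin (flag or env var) that does not exist is an error,
// not a fallback, so a typo cannot quietly select a different browser.
func (r Resolver) Resolve() (path string, source string, err error) {
	if r.FlagPath != "" {
		if !r.FileExists(r.FlagPath) {
			return "", "", fmt.Errorf("-chrome-path %q does not exist", r.FlagPath)
		}
		return r.FlagPath, "flag", nil
	}
	if p := r.Getenv(envChromePath); p != "" {
		if !r.FileExists(p) {
			return "", "", fmt.Errorf("%s=%q does not exist", envChromePath, p)
		}
		return p, "env", nil
	}
	for _, name := range []string{"google-chrome", "chromium", "chromium-browser"} {
		if p, lookErr := r.LookPath(name); lookErr == nil {
			return p, "path", nil
		}
	}
	for _, p := range wellKnownPaths(r.GOOS, r.Home) {
		if r.FileExists(p) {
			return p, "well-known", nil
		}
	}
	return "", "", ErrChromeNotFound
}

func main() {
	p, src, err := NewHostResolver("").Resolve()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%s (via %s)\n", p, src)
}
```

Run it with no arguments to see which source a given host resolves through; the returned source label is what you would log next to the chosen binary so a CI run that silently picked up a stray `chromium` on `PATH` is visible in the output.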