Noxen docs

Everything you need to install Noxen, enrol your hosts, and run your first scan. v1.0 ships soon — these docs describe the v1.0 behaviour exactly, and will fill in as the public build lands.

Requirements

Installation

Download link will appear here at launch (soon). The signed .dmg will be served from noxen.app/releases/. First launch registers Noxen with Gatekeeper via notarisation; nothing to sideload.

Purchased licenses arrive by email from Lemon Squeezy with a .dmg link and an activation key. The email includes a noxen://activate?key=… link that activates the license in one click, and a manual-entry fallback for anyone who'd rather paste the key directly.

Enrolling hosts

Noxen imports from your existing ~/.ssh/config. The onboarding wizard lists every concrete host (wildcard Host *.home lines are skipped) and lets you pick which to enrol. The referenced private key is copied into the macOS Keychain, scoped to the Noxen app group so the scheduled-scan helper can read it.

For hosts not in your SSH config, add them manually via + Add host in the sidebar.
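To preview which hosts the wizard would list and which key each one resolves to, the sketch below walks an ssh_config the way OpenSSH does (first value wins, wildcard blocks still contribute options) and checks the resolved key against the Ed25519-only limit noted under Troubleshooting. It is an added example, not Noxen's own code. The function names are hypothetical, Include and Match are not evaluated, and the sample config is constructed.

```python
import re
from fnmatch import fnmatchcase
from pathlib import Path

def parse_blocks(text):
    """Split ssh_config text into (host_patterns, [(key, value), ...]) blocks."""
    blocks = [(["*"], [])]             # options before the first Host apply to every host
    for raw in text.splitlines():
        m = re.match(r"([^\s=]+)(?:\s*=\s*|\s+)(.*)$", raw.strip())  # "Key value" / "Key=value"
        if not m or m.group(1).startswith("#"):
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):   # Match blocks are conditional: give them no patterns
            blocks.append((value.split() if key == "host" else [], []))
        else:
            blocks[-1][1].append((key, value.strip('"')))
    return blocks

def matches(alias, patterns):
    """ssh_config rule: a positive pattern matches and no negated (!) pattern does."""
    hits = {p.startswith("!") for p in patterns if fnmatchcase(alias, p.lstrip("!"))}
    return hits == {False}

def concrete_hosts(text):
    """Map each wildcard-free Host alias to its effective options (first value wins)."""
    blocks = parse_blocks(text)
    aliases = [p for pats, _ in blocks for p in pats if not set(p) & set("*?!")]
    resolved = {a: {} for a in aliases}        # dict keys de-duplicate, keep file order
    for alias, opts in resolved.items():
        for pats, options in blocks:
            if matches(alias, pats):
                for key, value in options:
                    opts.setdefault(key, value)
    return resolved

def ed25519_ready(identity_file):
    """True if <identity_file>.pub exists and declares key type ssh-ed25519."""
    pub = Path(str(Path(identity_file).expanduser()) + ".pub")
    return pub.is_file() and pub.read_text().split()[:1] == ["ssh-ed25519"]

SAMPLE = """\
# constructed sample config, not from the Noxen docs
Host nas
    HostName 192.0.2.10
    IdentityFile ~/.ssh/noxen_id
Host pi *.home
Host *
    IdentityFile ~/.ssh/id_rsa
"""
```

On the sample, `concrete_hosts(SAMPLE)` lists nas and pi; pi has no key of its own and inherits `~/.ssh/id_rsa` from `Host *`, so running `ed25519_ready` on each resolved `identityfile` shows which hosts need a dedicated Ed25519 key first.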

Running a scan

Select a host in the sidebar. Click Scan now. Noxen runs six steps:

  1. Port scan (top 1000 TCP).
  2. SSH inventory (packages, kernel, sshd_config, authorized_keys).
  3. CVE match against the loaded feed.
  4. TLS audit on any TLS-capable open port (443, 465, 636, 993, 995, 8443, 9443).
  5. HTTP security-header probe on web-capable open ports.
  6. Exposed admin-surface probe (Grafana, Portainer, Kibana, phpMyAdmin, unauth Redis / Mongo / Elasticsearch, .git/config, .env).

Total time: typically 10–60 seconds per host depending on open-port count.

Scheduling

Noxen registers a LaunchAgent (via SMAppService) that wakes nightly at 03:00 local time. Change the schedule in Settings → Schedule. Disable it with one click; re-enable the same way.

Troubleshooting

"SSH authentication failed"
Noxen only supports Ed25519 in v1.0. RSA, ECDSA, and encrypted keys land in v1.1. Until then, generate an Ed25519 key for Noxen's use: ssh-keygen -t ed25519 -f ~/.ssh/noxen_id, then ssh-copy-id -i ~/.ssh/noxen_id to each host.

"CVE feed signature mismatch"
Either your clock is badly skewed or the bundled public key is out of date. Update to the latest Noxen point release via Noxen → Check for Updates….

"No open ports found, but we know the host is up"
Noxen's default port range is the top 1000. If the host is firewalled down to a non-standard port, add it manually in Settings → Scan → Custom ports.

Feed architecture

Noxen pulls a signed CVE snapshot from feed.noxen.app once per day. The signed manifest points to a gzipped NDJSON snapshot with every (cve_id, cpe, severity, summary) tuple from the last 28-hour window across NVD, OSV, and GHSA. Details: A signed CVE feed on Cloudflare Workers.

Privacy

Noxen does not send host inventories to any server. CVE matching happens on your Mac after the feed is downloaded. The only outbound network traffic is: