System requirements
Noxen runs on Apple Silicon Macs with macOS 26 or later.
Network requirements are SSH outbound to your hosts and HTTPS
outbound to feed.noxen.app — nothing inbound,
no agent installed on remote hosts.
macOS app
| Requirement | Detail |
|---|---|
| macOS version | 26 or later |
| Architecture | Apple Silicon (M1, M2, M3, M4, or newer). Intel is not supported — macOS 26 itself drops Intel. |
| RAM | 4 GB minimum; 8 GB recommended for fleets > 100 hosts |
| Disk | ~150 MB for the app; ~100 MB for the CVE feed; ~500 MB working set during SQLite import on large fleets |
| Distribution | Developer ID + Sparkle (auto-update). Not on the Mac App Store — see why we ship via Developer ID. |
App Sandbox is intentionally disabled
Noxen does not ship with App Sandbox enabled
(ENABLE_APP_SANDBOX: false in the project config).
Two reasons:
- Raw socket port scanning — the port-scan probe uses Apple's `Network.framework` for TCP connect probes. Sandbox would block the wide-open port range we need.
- SSH config import — reading `~/.ssh/config` from the user's home directory directly is more reliable than `NSOpenPanel` security-scoped bookmarks.
The trade-off: Noxen ships via Developer ID with Sparkle for updates, not the Mac App Store. We notarise every release.
Permissions Noxen requests
- Outgoing network — required, granted at first launch. Used for the CVE feed download, Sparkle update check, and SSH/TCP/HTTP probes against your enrolled hosts.
- Background item — optional, granted if you enable scheduled scans. Registers `NoxenAgent` as a per-user LaunchAgent.
- Notifications — optional, granted if you want a Mac-side toast on scheduled-scan completion.
- iCloud (CloudKit) — entitlement is provisioned for the upcoming iOS view-only companion, but the macOS app currently stores all data locally (CloudKit sync is wired but disabled in v1.0). No iCloud account is required to use Noxen.
Network requirements (outbound)
| Destination | Why | Frequency |
|---|---|---|
| feed.noxen.app:443 | Signed CVE feed manifest + snapshot | Once per UTC-day on Live Feed; per-release on Noxen 1.x |
| noxen.app/appcast.xml:443 | Sparkle update check | Per launch (cached 24 h) |
| your hosts:22 (or custom) | SSH inventory + scan probes | Per scan |
| your hosts:<port> | TCP / HTTP / TLS probes | Per scan, only on open ports |
| Webhook URLs (Slack/Discord/Teams/custom) | Critical-finding alerts | Per new finding ≥ minimum severity |
Remote host requirements
- SSH server — OpenSSH on Linux, macOS, or BSD. `dropbear` works for connection but the SSH inventory probe expects standard `cat /etc/os-release` + dpkg/rpm output.
- SSH key auth — any key type your system's `/usr/bin/ssh` supports (Ed25519, ECDSA, RSA). Noxen shells out to the OpenSSH binary that ships with macOS, so anything that works in your terminal works here.
- Read access — the SSH user only needs read access; Noxen never writes. `dpkg -l` / `rpm -qa` are non-root commands on most distros.
- Disk & CPU — negligible. The per-scan footprint on the remote host is a handful of `cat` + package-list reads.
Supported distros for CVE matching
Out of the box: Ubuntu (LTS lines), Debian, Rocky Linux, AlmaLinux. Other distros can still be enrolled and scanned for network exposures (port scan, TLS, HTTP headers, admin surfaces) — only the CVE-vs-package match is distro-gated. OpenSUSE, Alpine, and FreeBSD support is on the roadmap.
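
A preflight check for the remote-host and supported-distro requirements above, added here as an example and not part of Noxen. The function names are hypothetical, and recognising Ubuntu LTS by the string "LTS" in `VERSION` (with non-LTS Ubuntu treated as network-only) is an assumption.

```shell
#!/bin/sh
# Added example: preflight for a host before enrolment. Function names are
# hypothetical; the distro list and commands are the ones named on this page.

# Print the value of key $1 from os-release text on stdin, parsing it as
# data rather than sourcing it into the shell.
os_release_get() {
    sed -n "s/^$1=//p" | head -n 1 |
        sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Classify os-release text on stdin: "cve-match dpkg", "cve-match rpm",
# or "network-only" (enrolment still works, no CVE-vs-package match).
classify_os_release() {
    text=$(cat)
    distro=$(printf '%s\n' "$text" | os_release_get ID)
    version=$(printf '%s\n' "$text" | os_release_get VERSION)
    case "$distro" in
        ubuntu)
            # Assumption: LTS is recognised by "LTS" in VERSION, and
            # non-LTS Ubuntu is treated as outside the CVE-match list.
            case "$version" in
                *LTS*) echo "cve-match dpkg" ;;
                *)     echo "network-only" ;;
            esac ;;
        debian)          echo "cve-match dpkg" ;;
        rocky|almalinux) echo "cve-match rpm" ;;
        *)               echo "network-only" ;;
    esac
}

# Run on the remote host as the SSH user: checks the reads succeed unprivileged.
preflight() {
    [ -r /etc/os-release ] || { echo "FAIL: /etc/os-release unreadable"; return 1; }
    verdict=$(classify_os_release < /etc/os-release)
    [ "$(id -u)" -ne 0 ] || echo "NOTE: running as root; read access is enough"
    case "$verdict" in
        "cve-match dpkg") dpkg -l >/dev/null 2>&1 || { echo "FAIL: dpkg -l"; return 1; } ;;
        "cve-match rpm")  rpm -qa >/dev/null 2>&1 || { echo "FAIL: rpm -qa"; return 1; } ;;
    esac
    echo "OK: $verdict"
}

# Constructed sample (not captured from a real host).
SAMPLE_ROCKY='NAME="Rocky Linux"
VERSION="9.4 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"'
printf '%s\n' "$SAMPLE_ROCKY" | classify_os_release   # prints: cve-match rpm
```

Call `preflight` in a session opened with the same key and user you will enrol, so a failure shows up before the first scan.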