From taint path to sandboxed indicator
Network probes find surfaces. Code finds reachability. The nexus_code pipeline turns a repo into graph-linked findings with an isolation boundary before anything is treated as confirmed.
Taint first
TaintAnalyser in nexus_code/project_graph.py runs inter-procedural BFS from request/input sources to dangerous sinks. Confidence starts at 0.90 and decays 0.08 per hop — longer call chains are weaker claims, not louder ones.
Parallel discovery
SemgrepAgent— community rules when the binary is presentSecretScanner— TruffleHog → gitleaks → regex fallbackSupplyChainAgent— OSV batch + typosquat checksVariantAnalyser/ fuzzers — structural variants and harness generation
Sandbox boundary
Docker · --network none · --cap-drop ALL · --read-only user 65534 · memory + cpus capped · indicator in stdout
SandboxExecutor confirms PoC indicators — not production RCE. Confirmed CodeFinding nodes bridge into the EvidenceGraph with source_type: code and optional maps_to_asset_id, so attack chains can span network and code in one projection.