← Research

From taint path to sandboxed indicator

2026-06-14 · systems · Ryan Editraj

Network probes find surfaces. Code finds reachability. The nexus_code pipeline turns a repo into graph-linked findings with an isolation boundary before anything is treated as confirmed.

Taint first

TaintAnalyser in nexus_code/project_graph.py runs inter-procedural BFS from request/input sources to dangerous sinks. Confidence starts at 0.90 and decays 0.08 per hop — longer call chains are weaker claims, not louder ones.

Parallel discovery

  • SemgrepAgent — community rules when the binary is present
  • SecretScanner — TruffleHog → gitleaks → regex fallback
  • SupplyChainAgent — OSV batch + typosquat checks
  • VariantAnalyser / fuzzers — structural variants and harness generation

Sandbox boundary

Docker · --network none · --cap-drop ALL · --read-only
user 65534 · memory + cpus capped · indicator in stdout

SandboxExecutor confirms PoC indicators — not production RCE. Confirmed CodeFinding nodes bridge into the EvidenceGraph with source_type: code and optional maps_to_asset_id, so attack chains can span network and code in one projection.