Provider Execution

Nightward has built-in offline heuristics and optional explicit providers.

Local Providers

These run only when selected with --with:

  • Gitleaks: secret scanning.
  • TruffleHog: secret scanning with verification disabled by Nightward's default runner.
  • Semgrep: static analysis using explicit local config.
  • Syft: local SBOM and package inventory.

```sh
nw providers doctor --with gitleaks,trufflehog,semgrep,syft
nw analyze --workspace . --with gitleaks,trufflehog,semgrep,syft --json
```

Nightward discovers providers on PATH, marks unselected optional providers as skipped, runs bounded commands only when selected, parses supported JSON shapes, and redacts provider-derived evidence before emitting JSON, SARIF, TUI, Raycast, MCP, policy, badge, or HTML output. Timeout and output-cap failures are provider warnings, not clean results.

Known provider installs are available through the shared action registry and require disclosure acceptance plus --confirm, TUI confirmation, Raycast confirmation, or an MCP approval ticket that was approved locally:

```sh
nw providers install gitleaks --confirm
nw providers enable gitleaks --confirm
```

Online-Capable Providers

These require both provider selection and an online gate:

```sh
nw analyze --workspace . --with trivy,osv-scanner,grype,scorecard,socket --online --json
```

| Provider | Behavior |
| --- | --- |
| trivy | Runs a filesystem scan with JSON output. Vulnerability database behavior can contact upstream services. |
| osv-scanner | Runs source scanning against vulnerability data. |
| grype | Runs filesystem/SBOM vulnerability scanning. Vulnerability database behavior can contact upstream services. |
| scorecard | Runs repository-trust checks against the git remote or NIGHTWARD_SCORECARD_REPO. |
| socket | Creates a remote Socket scan artifact and uploads dependency manifest metadata. Nightward does not fetch remote Socket reports in v1. |

Use allow_online_providers: true only in policy files where that network behavior is intended.
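The execution model described above (discover, skip unselected providers, block online-capable ones until the gate is open, run under a timeout and an output cap, parse JSON, redact evidence, and turn timeout or cap failures into warnings) is illustrated below in a small Python runner. This is an added example and not Nightward's own code: the provider names come from this page, while the function names, the JSON finding shape, the secret-bearing key list, the limits and the stand-in provider commands are all assumptions constructed for the demonstration.

```python
"""Bounded provider execution with skip/gate checks, timeouts, output caps and
redaction. Added example, not Nightward's code: provider names come from the
docs, everything else (function names, JSON shape, limits) is assumed."""
import json
import subprocess
import sys

LOCAL_PROVIDERS = {"gitleaks", "trufflehog", "semgrep", "syft"}
ONLINE_PROVIDERS = {"trivy", "osv-scanner", "grype", "scorecard", "socket"}

# Constructed redaction rule: mask any value stored under a secret-bearing key.
SECRET_KEYS = {"secret", "match", "token"}


def decide(name, selected, online_allowed):
    """Return 'run', 'skipped' (not selected) or 'blocked' (online gate closed)."""
    if name not in selected:
        return "skipped"
    if name in ONLINE_PROVIDERS and not online_allowed:
        return "blocked"
    return "run"


def run_bounded(cmd, timeout_s, max_output_bytes):
    """Run cmd with a wall-clock timeout and a cap on captured stdout.
    Returns (status, stdout_bytes); status is 'ok', 'timeout' or 'output_cap'."""
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
    try:
        out, _ = proc.communicate(timeout=timeout_s)
    except subprocess.TimeoutExpired:
        proc.kill()
        proc.communicate()  # reap the killed child
        return "timeout", b""
    if len(out) > max_output_bytes:
        return "output_cap", b""  # over-cap output is discarded, not trusted
    return "ok", out


def redact(obj):
    """Recursively mask values under secret-bearing keys in parsed JSON."""
    if isinstance(obj, dict):
        return {k: ("[REDACTED]" if k.lower() in SECRET_KEYS else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def execute_provider(name, cmd, selected, online_allowed=False,
                     timeout_s=2.0, max_output_bytes=1 << 20):
    """Full pipeline: gate -> bounded run -> parse -> redact.
    Timeout, cap and parse failures surface as warnings, never as clean results."""
    verdict = decide(name, selected, online_allowed)
    if verdict != "run":
        return {"provider": name, "status": verdict, "findings": [], "warnings": []}
    status, out = run_bounded(cmd, timeout_s, max_output_bytes)
    if status != "ok":
        return {"provider": name, "status": "warning", "findings": [],
                "warnings": [f"{name}: {status} during bounded execution"]}
    try:
        parsed = json.loads(out.decode("utf-8", "replace"))
        if not isinstance(parsed, list):
            raise ValueError("expected a JSON array of findings")
    except ValueError as exc:
        return {"provider": name, "status": "warning", "findings": [],
                "warnings": [f"{name}: unparseable output ({exc})"]}
    return {"provider": name, "status": "ok",
            "findings": redact(parsed), "warnings": []}


# Constructed stand-ins for provider binaries, run through the Python
# interpreter so the example works offline without any scanner installed.
FAKE_FINDINGS = [{"rule": "generic-api-key", "file": "config.py",
                  "secret": "constructed-secret-value-123"}]
CMD_FINDINGS = [sys.executable, "-c",
                "import json; print(json.dumps(%r))" % FAKE_FINDINGS]
CMD_HANG = [sys.executable, "-c", "import time; time.sleep(30)"]
CMD_FLOOD = [sys.executable, "-c", "print('x' * 5000)"]


if __name__ == "__main__":
    sel = {"gitleaks", "trivy"}
    for report in (
        execute_provider("gitleaks", CMD_FINDINGS, sel),
        execute_provider("semgrep", CMD_FINDINGS, sel),             # not selected
        execute_provider("trivy", CMD_FINDINGS, sel),               # no online gate
        execute_provider("trufflehog", CMD_HANG, {"trufflehog"}, timeout_s=0.5),
        execute_provider("syft", CMD_FLOOD, {"syft"}, max_output_bytes=1024),
    ):
        print(json.dumps(report))
```

The point to take from the runner is the shape of the failure paths: an unselected provider is reported as skipped rather than silently absent, an online-capable provider stays blocked until the caller passes the gate, and a provider that hangs or floods stdout yields a warning with no findings, so a consumer can never mistake a truncated or timed-out run for a clean scan.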

Raycast Provider Doctor

The Raycast Provider Doctor mirrors this model:

  • enable or disable selected providers for Raycast Analysis;
  • keep online-capable providers blocked until the extension preference allows them;
  • show install commands and upstream docs when a provider is missing.

Raycast provider actions use the same action registry and confirmation prompts as the CLI/TUI.

MCP Provider Actions

MCP clients can preview provider install/enable actions and request approval, but cannot self-confirm package-manager execution:

```json
{ "action_id": "provider.install.gitleaks", "client": "my-ai-client" }
```

The request response includes an approval_id, which is separate from action_id; action_id names the registry action, while approval_id names the one-time approval ticket. You can also find the ticket in the TUI, Raycast approvals list, or nw approvals list --json. Approve the exact ticket in the TUI, Raycast, or via CLI: nw approvals approve <approval-id>. The MCP client can then apply only that approved ticket once.
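The ticket lifecycle described above (an MCP client requests and receives an approval_id distinct from the action_id, a human approves that exact ticket locally, and the client may apply it exactly once) is shown below as a small in-memory store. This is an added example and not Nightward's own code: the two action ids and the request/approve/apply flow come from this page; the class and method names, the state names, the ticket-id format and the rule that only the requesting client may apply its ticket are assumptions made for the demonstration.

```python
"""One-time approval tickets for MCP-requested provider actions. Added example,
not Nightward's code: action_id vs approval_id and the approve-then-apply-once
rule come from the docs; the data model and client binding are assumed."""
import secrets
from dataclasses import dataclass

# Registry actions named by action_id (from the docs). The ticket id is never
# one of these, so an action name can never be passed off as an approval.
KNOWN_ACTIONS = {"provider.install.gitleaks", "provider.enable.gitleaks"}


@dataclass
class Ticket:
    approval_id: str
    action_id: str
    client: str
    state: str = "pending"  # pending -> approved -> applied


class ApprovalStore:
    def __init__(self):
        self._tickets = {}

    def request(self, action_id, client):
        """MCP client previews an action. Returns a fresh approval_id; the
        client gets a ticket, not permission."""
        if action_id not in KNOWN_ACTIONS:
            raise KeyError(f"unknown action {action_id}")
        approval_id = secrets.token_hex(8)
        self._tickets[approval_id] = Ticket(approval_id, action_id, client)
        return approval_id

    def approve(self, approval_id):
        """Local approval step (TUI, Raycast or CLI). Keyed by approval_id
        only, so approving by action_id fails."""
        ticket = self._tickets[approval_id]  # KeyError for unknown/ action ids
        if ticket.state != "pending":
            raise PermissionError(f"ticket {approval_id} is {ticket.state}")
        ticket.state = "approved"
        return ticket

    def apply(self, approval_id, client):
        """MCP client consumes its approved ticket exactly once (assumed: only
        the requesting client may apply it). Returns the action_id to run."""
        ticket = self._tickets.get(approval_id)
        if ticket is None or ticket.client != client:
            raise PermissionError("no such ticket for this client")
        if ticket.state != "approved":
            raise PermissionError(f"ticket {approval_id} is {ticket.state}")
        ticket.state = "applied"
        return ticket.action_id

    def status(self, approval_id):
        return self._tickets[approval_id].state

    def list_pending(self):
        """What 'nw approvals list' would show an operator before approving."""
        return [t for t in self._tickets.values() if t.state == "pending"]


if __name__ == "__main__":
    store = ApprovalStore()
    aid = store.request("provider.install.gitleaks", "my-ai-client")
    print("pending:", [(t.approval_id, t.action_id) for t in store.list_pending()])
    store.approve(aid)                     # operator approves the exact ticket
    print("applied:", store.apply(aid, "my-ai-client"))
    try:
        store.apply(aid, "my-ai-client")   # second use is refused
    except PermissionError as exc:
        print("refused:", exc)
```

Two details carry the security property: the client never transitions a ticket to approved (only the local approve path does), and apply flips the state to applied before returning, so a replayed approval_id is refused regardless of how many times the client retries.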

Local-first. No telemetry. No default network calls. No live config mutation.