
Nix Security

Security practices for Nix including reproducibility verification, sandboxed builds, and trusted substituters

Details

Language / Topic
Nix
Category
Security

Rules

balanced
- Enable the Nix sandbox for all builds (`sandbox = true` in `nix.conf`) to prevent derivations from accessing the network or host filesystem during build phases.
- Always pin flake inputs with `flake.lock` and commit the lock file — never use `--update-input` in production CI without reviewing the diff.
- Use `nix hash path` or `nix store verify` to validate store paths against expected hashes before trusting binary substitutes from external caches.
- Restrict `nix.settings.trusted-users` to only the users and CI service accounts that need to configure substituters or push to binary caches.
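An added example, not code from the original page or the Nix project: a NixOS module that applies the sandbox, substituter and trusted-users rules above, with the weaker settings each line replaces noted in comments. The `ci-deploy` account, the `cache.example.internal` URL and its key are placeholders.

```nix
# Added example (not the page's or the Nix project's own code): a NixOS
# module applying the sandbox and trusted-users rules.
# Placeholders: the "ci-deploy" user, cache.example.internal and its key.
{ ... }:

{
  nix.settings = {
    # Rule 1: every derivation builds inside the sandbox, with no network
    # and no host filesystem beyond its declared inputs.
    # Weak setting this replaces:  sandbox = "relaxed";  (or false)
    sandbox = true;

    # Rule 4: only these accounts may override substituters, trusted keys
    # and other daemon-level settings from the client side.
    # Weak setting this replaces:  trusted-users = [ "root" "@wheel" ];
    # which hands control of the binary caches to every member of wheel.
    trusted-users = [ "root" "ci-deploy" ];

    # Everyone else may still build through the daemon, but only with the
    # daemon's own settings (default is "*", i.e. any local user).
    allowed-users = [ "@users" "ci-deploy" ];

    # Substitutes are taken only from these caches and only when signed by
    # one of these keys. cache.nixos.org and its key are the NixOS defaults,
    # listed here so the full accepted set is visible in one place.
    substituters = [
      "https://cache.nixos.org/"
      "https://cache.example.internal/"              # placeholder cache
    ];
    trusted-public-keys = [
      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
      "cache.example.internal-1:PLACEHOLDER_BASE64_KEY="   # placeholder key
    ];
    # Default, stated explicitly: an unsigned store path offered by a
    # substituter is refused rather than copied into /nix/store.
    require-sigs = true;
  };
}
```

After `nixos-rebuild switch`, `nix show-config` on the host shows the effective values, which is the quickest way to confirm no per-user `nix.conf` has widened them.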