nix-flake-analyzer

Analyze Nix flakes for best practices, input management, reproducibility, and derivation quality — audit flake.nix, overlays, and development shells.

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.


Install skill "nix-flake-analyzer" with this command: npx skills add charlie-morrison/nix-flake-analyzer

Nix Flake Analyzer

Analyze Nix flakes for best practices, input management, reproducibility guarantees, and derivation quality. Audit flake.nix structure, overlays, development shells, CI integration, and cross-platform support. Use when setting up or reviewing Nix-based projects.

Usage

"Analyze my Nix flake for issues"
"Check my flake.nix for best practices"
"Audit Nix inputs for security"
"Optimize my development shell"

How It Works

1. Flake Discovery

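# Show the flake definition, if present
cat flake.nix 2>/dev/null
# Summarize each locked input (type, short rev, lastModified); skip when flake.lock is missing
[ -f flake.lock ] && python3 -c "
import json, sys
d = json.load(sys.stdin)
for name, node in d.get('nodes', {}).items():
    if name == 'root': continue  # the root node is the flake itself, not an input
    locked = node.get('locked', {})
    print(f'{name}: {locked.get(\"type\",\"?\")} rev={locked.get(\"rev\",\"?\")[:8]} ({locked.get(\"lastModified\",\"?\")})')
" < flake.lock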

2. Input Analysis

  • Pinned versions: All inputs locked in flake.lock?
  • Stale inputs: Last update date — inputs older than 90 days flagged
  • Duplicate nixpkgs: Multiple nixpkgs inputs with different versions
  • Unnecessary inputs: Inputs referenced but unused
  • Input follows: Proper use of follows to deduplicate nixpkgs
  • Security: Known CVEs in pinned nixpkgs revision
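
The stale, pinned and duplicate-nixpkgs checks above can be run directly against the parsed flake.lock. The following is an added example, not the skill's own code: the function name audit_lock, the result layout and the sample lock data are constructed for illustration, and "unpinned" is a heuristic (a locked node with neither narHash nor rev).

```python
import json
from collections import defaultdict

DAY = 86400  # seconds per day

def audit_lock(lock, now, max_age_days=90):
    """Return stale, unpinned and duplicated inputs found in a parsed flake.lock."""
    stale, unpinned, by_source = {}, [], defaultdict(dict)
    for name, node in lock.get("nodes", {}).items():
        if name == lock.get("root", "root"):
            continue  # the root node describes the flake itself
        locked = node.get("locked", {})
        # Heuristic: a pinned input carries a content hash and/or a revision.
        if not (locked.get("narHash") or locked.get("rev")):
            unpinned.append(name)
        ts = locked.get("lastModified")
        if isinstance(ts, int) and (now - ts) // DAY > max_age_days:
            stale[name] = (now - ts) // DAY
        # Group nodes by upstream repo to spot pairs such as nixpkgs / nixpkgs_2,
        # which appear when a dependency's nixpkgs does not follow the root one.
        if locked.get("owner") and locked.get("repo"):
            source = f"{locked['owner']}/{locked['repo']}".lower()
            by_source[source][name] = locked.get("rev")
    duplicates = {src: sorted(nodes) for src, nodes in by_source.items()
                  if len(set(nodes.values())) > 1}
    return {"stale": stale, "unpinned": sorted(unpinned), "duplicates": duplicates}

def _node(owner, repo, rev, ts, inputs=None):
    """Build one constructed github-type lock node."""
    locked = {"type": "github", "owner": owner, "repo": repo, "rev": rev,
              "narHash": "sha256-CONSTRUCTED", "lastModified": ts}
    return {"locked": locked, **({"inputs": inputs} if inputs else {})}

# Constructed sample data, not taken from a real project.
T0 = 1_700_000_000
SAMPLE_NOW = T0 + 127 * DAY  # "today" for the sample
SAMPLE_LOCK = {"version": 7, "root": "root", "nodes": {
    "root": {"inputs": {"nixpkgs": "nixpkgs", "tool": "tool", "local": "local"}},
    "nixpkgs": _node("NixOS", "nixpkgs", "a" * 40, T0),
    "tool": _node("example", "tool", "c" * 40, SAMPLE_NOW - 10 * DAY,
                  {"nixpkgs": "nixpkgs_2"}),
    "nixpkgs_2": _node("NixOS", "nixpkgs", "b" * 40, SAMPLE_NOW - 30 * DAY),
    "local": {"locked": {"type": "path", "path": "./vendor"}},  # no hash, no rev
}}

if __name__ == "__main__":
    print(json.dumps(audit_lock(SAMPLE_LOCK, SAMPLE_NOW), indent=2))
```

To audit a real project, pass `json.load(open("flake.lock"))` and `int(time.time())` instead of the sample values.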

3. Derivation Quality

  • Package builds reproducibly (pure evaluation)
  • Proper use of mkDerivation vs buildPythonPackage etc.
  • License metadata present
  • Build inputs minimized (no unnecessary dependencies)
  • Check phase runs tests
  • Meta attributes complete (description, homepage, license)

4. Development Shell

  • devShells.default defined?
  • All required build tools included
  • Shell hook sets up environment correctly
  • direnv integration (.envrc exists)
  • Pre-commit hooks configured
  • Language-specific tooling (formatters, linters, LSP servers)

5. Cross-Platform Support

  • Supports all standard systems: x86_64-linux, aarch64-linux, x86_64-darwin, aarch64-darwin
  • Uses flake-utils or systems for multi-platform
  • Platform-specific conditionals handled correctly

6. CI Integration

  • GitHub Actions workflow with cachix/install-nix-action
  • Cachix or Attic caching configured
  • nix flake check runs in CI
  • Build matrix covers target platforms

Output

## Nix Flake Analysis

**Inputs:** 5 | **Outputs:** packages, devShells, checks
**Systems:** x86_64-linux, aarch64-linux (missing Darwin)

### 🔴 Issues (2)
1. **Stale nixpkgs** — last updated 127 days ago (rev: a1b2c3d4)
   → Run `nix flake update nixpkgs`
2. **Duplicate nixpkgs** — both `nixpkgs` and `nixpkgs-unstable` imported
   → Use `follows` or consolidate to one channel

### 🟡 Improvements (3)
3. Missing `devShells.default` — no development shell defined
4. No `.envrc` for direnv integration
5. Darwin systems not supported (missing aarch64-darwin)

### ✅ Good Practices
- All inputs pinned in flake.lock
- Pure evaluation (no impure references)
- Check phase runs test suite
- Cachix configured for CI builds

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
