Code Reviews

Overview

Nullify reviews code across three layers: application code vulnerabilities, dependency vulnerabilities, and leaked secrets. Every commit, pull request, and branch is continuously monitored to prevent security issues from reaching production.

Scanning Scope

Application Code Analysis

  • Pull Requests: Reviews all PRs targeting the default branch

    • Scans only changed files in the diff

    • Posts inline review comments on findings

    • Does not block merges (informational status only)

  • Default Branch Commits: Scans all commits pushed to the default branch

    • Full repository scan on every push

    • Updates vulnerability dashboard with complete inventory

    • Creates tickets and notifications for new findings

  • Other Branches: Not scanned for code vulnerabilities

Dependency Analysis

  • Pull Requests: Reviews dependency changes in PRs targeting the default branch

    • Scans changed manifest files (package.json, pom.xml, Cargo.toml, etc.)

    • Blocks merges if vulnerabilities found in PR diff

    • Identifies both direct and transitive dependencies

  • Default Branch Commits: Full dependency scan on every push

    • Analyzes all package manifest and lock files

    • Updates dashboard with complete vulnerability inventory

    • Triggers auto-fix PRs for upgradeable dependencies

  • Container Images: Scans Docker images for vulnerable packages

Secrets Detection

  • All Branches, All Commits: Scans every commit on every branch

    • Optimized diff-only scanning (not full repository clone)

    • Immediately notifies commit author via email if secrets found

    • Active verification of detected credentials

    • Prevents secrets from entering git history

  • Default Branch: Full git history scan on merge to main

    • Updates issues dashboard with all potential secrets

    • Comprehensive repository-wide secret inventory

Supported Languages

Nullify analyzes code in 12 languages:

  • Go (.go)

  • Java (.java)

  • JavaScript (.js, .jsx, .mjs)

  • TypeScript (.ts, .tsx)

  • Python (.py)

  • C# (.cs)

  • Kotlin (.kt, .kts)

  • Ruby (.rb)

  • PHP (.php)

  • Swift (.swift)

  • Scala (.scala)

  • C/C++ (limited support)

Infrastructure as Code

  • Terraform (.tf)

  • CloudFormation (.yaml, .json templates)

  • Kubernetes (.yaml manifests)

  • AWS SAM (template.yaml)

  • Serverless Framework (serverless.yml)

Supported Package Managers

  • npm (Node.js) - package.json, package-lock.json

  • Maven (Java) - pom.xml

  • Gradle (Java/Kotlin) - build.gradle, gradle.lockfile

  • pip (Python) - requirements.txt, Pipfile, pyproject.toml

  • Ruby Gems - Gemfile, Gemfile.lock

  • Go modules - go.mod, go.sum

  • Cargo (Rust) - Cargo.toml, Cargo.lock

  • Composer (PHP) - composer.json, composer.lock

  • .NET - *.csproj, packages.config

Supported Weaknesses

Nullify detects OWASP Top 10 and CWE Top 25 vulnerability classes:

  • SQL Injection (CWE-89)

  • Command Injection (CWE-78)

  • Path Traversal (CWE-22)

  • Cross-Site Scripting (CWE-79)

  • Server-Side Request Forgery (SSRF)

  • Broken Authentication

  • Broken Access Control

  • Cryptographic Failures

  • Insecure Deserialization

  • Security Misconfiguration

  • Unsafe File Uploads

  • Hardcoded Credentials

  • Information Disclosure

See Supported Weaknesses for the complete list.

Reachability & Exploitability Analysis

Code Analysis

  • AI-powered triage analyzes how code is used in context

  • Fast screening eliminates false positives

  • Severity scoring based on exploitability, not just theoretical risk

Dependency Analysis

  • Direct vs. Transitive: Marks whether vulnerability is in direct dependency

  • Reachability Analysis: Maps vulnerabilities to source manifest files with line numbers

  • Direct dependency vulnerabilities trigger build failures in PRs

  • Transitive vulnerabilities have lower priority by default

Secrets Verification

  • Active Validation: Attempts to use discovered credentials

  • Tests API keys against actual services

  • Validates JWT/token formats and expiration

  • Not just pattern matching—functional testing
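As an added illustration of two points on this page, the diff-only secret scanning described under Secrets Detection and the JWT format/expiration validation listed above, here is a small offline screener. It is example code, not Nullify's implementation; it assumes a plain unified diff as input, decodes a JWT payload without verifying its signature, and constructs its sample diff and tokens inline. It performs no live check against any service.

```python
import base64
import json
import re
import time

# Candidate JWTs: three base64url segments; "eyJ" is the base64 of '{"'.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

def make_unsigned_jwt(claims: dict) -> str:
    """Constructed test token: real header and payload, placeholder signature."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "HS256", "typ": "JWT"})}.{enc(claims)}.{"A" * 43}'

def sample_diff(now: float) -> str:
    """Constructed diff: expired + live tokens on added lines, one on a removed line."""
    old = make_unsigned_jwt({"sub": "svc", "exp": int(now) - 5})
    stale = make_unsigned_jwt({"sub": "svc", "exp": int(now) - 3600})
    live = make_unsigned_jwt({"sub": "svc", "exp": int(now) + 3600})
    return ("diff --git a/settings.py b/settings.py\n--- a/settings.py\n"
            f'+++ b/settings.py\n@@ -1,2 +1,3 @@\n-OLD = "{old}"\n'
            f'+STAGING = "{stale}"\n+PROD = "{live}"\n DEBUG = False\n')

def added_lines(diff_text: str):
    """Yield (path, text) for added lines only; '+++ b/...' headers set the path."""
    path = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = re.sub(r"^\+\+\+ (b/)?", "", line)
        elif line.startswith("+"):
            yield path, line[1:]

def classify_jwt(token: str, now: float) -> str:
    """Decode the payload (signature is NOT verified) and report expiry state."""
    try:
        _, body, _ = token.split(".")
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except ValueError:  # wrong segment count, bad base64, or non-JSON payload
        return "malformed"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        return "no-expiry"
    return "expired" if exp <= now else "live"

def scan_diff(diff_text: str, now=None) -> list:
    """Diff-only secret screen: JWT candidates on added lines, with expiry state."""
    now = time.time() if now is None else now
    return [{"file": path, "status": classify_jwt(m.group(0), now)}
            for path, text in added_lines(diff_text)
            for m in JWT_RE.finditer(text)]
```

The token on the removed line is never examined, which is what keeps a diff-only pass cheap; a live token found on an added line is the case that warrants author notification before the commit lands.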
