# Code Reviews

## Overview

Nullify reviews code across three layers: application code vulnerabilities, dependency vulnerabilities, and leaked secrets. Every commit, pull request, and branch is continuously monitored to prevent security issues from reaching production.

## Scanning Scope

### Application Code Analysis

* **Pull Requests**: Reviews all PRs targeting the default branch
  * Scans only changed files in the diff
  * Posts inline review comments on findings
  * Does not block merges (informational status only)
* **Default Branch Commits**: Scans all commits pushed to the default branch
  * Full repository scan on every push
  * Updates vulnerability dashboard with complete inventory
  * Creates tickets and notifications for new findings
* **Other Branches**: Not scanned for code vulnerabilities

### Dependency Analysis

* **Pull Requests**: Reviews dependency changes in PRs targeting the default branch
  * Scans changed manifest files (package.json, pom.xml, Cargo.toml, etc.)
  * **Blocks merges** if vulnerabilities are found in the PR diff
  * Identifies both direct and transitive dependencies
* **Default Branch Commits**: Full dependency scan on every push
  * Analyzes all package manifest and lock files
  * Updates dashboard with complete vulnerability inventory
  * Triggers auto-fix PRs for upgradeable dependencies
* **Container Images**: Scans Docker images for vulnerable packages

### Secrets Detection

* **All Branches, All Commits**: Scans every commit on every branch
  * Optimized diff-only scanning (not full repository clone)
  * Immediately notifies the commit author via email if secrets are found
  * Active verification of detected credentials
  * Prevents secrets from entering git history
* **Default Branch**: Full git history scan on merge to main
  * Updates issues dashboard with all potential secrets
  * Comprehensive repository-wide secret inventory

## Supported Languages

Nullify analyzes code in **12 languages**:

* **Go** (.go)
* **Java** (.java)
* **JavaScript** (.js, .jsx, .mjs)
* **TypeScript** (.ts, .tsx)
* **Python** (.py)
* **C#** (.cs)
* **Kotlin** (.kt, .kts)
* **Ruby** (.rb)
* **PHP** (.php)
* **Swift** (.swift)
* **Scala** (.scala)
* **C/C++** (limited support)

### Infrastructure as Code

* **Terraform** (.tf)
* **CloudFormation** (.yaml, .json templates)
* **Kubernetes** (.yaml manifests)
* **AWS SAM** (template.yaml)
* **Serverless Framework** (serverless.yml)

## Supported Package Managers

* **npm** (Node.js) - package.json, package-lock.json
* **Maven** (Java) - pom.xml
* **Gradle** (Java/Kotlin) - build.gradle, gradle.lockfile
* **pip** (Python) - requirements.txt, Pipfile, pyproject.toml
* **Ruby Gems** - Gemfile, Gemfile.lock
* **Go modules** - go.mod, go.sum
* **Cargo** (Rust) - Cargo.toml, Cargo.lock
* **Composer** (PHP) - composer.json, composer.lock
* **.NET** - \*.csproj, packages.config

## Supported Weaknesses

Nullify detects **OWASP Top 10** and **CWE Top 25** vulnerability classes:

* SQL Injection (CWE-89)
* Command Injection (CWE-78)
* Path Traversal (CWE-22)
* Cross-Site Scripting (CWE-79)
* Server-Side Request Forgery (SSRF)
* Broken Authentication
* Broken Access Control
* Cryptographic Failures
* Insecure Deserialization
* Security Misconfiguration
* Unsafe File Uploads
* Hardcoded Credentials
* Information Disclosure

See [Supported Weaknesses](https://docs.nullify.ai/capabilities/code-reviews/code-analysis/supported-weaknesses) for the complete list.

## Reachability & Exploitability Analysis

### Code Analysis

* AI-powered triage analyzes how code is used in context
* Fast screening eliminates false positives
* Severity scoring based on exploitability, not just theoretical risk

### Dependency Analysis

* **Direct vs. Transitive**: Marks whether a vulnerability is in a direct dependency
* **Reachability Analysis**: Maps vulnerabilities to source manifest files with line numbers
* Direct dependency vulnerabilities trigger build failures in PRs
* Transitive vulnerabilities have lower priority by default
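As an added illustration of the direct-versus-transitive marking and the manifest line mapping described above (example code written for this page, not Nullify's own implementation), the script below reads a constructed npm `package.json` and `package-lock.json` pair plus a constructed advisory list with placeholder identifiers, flags each vulnerable package as direct or transitive, records the dependency chain that pulls it in, and maps direct findings back to the line in the manifest. All package names, versions and advisory ids are invented for the example.

```python
import json
import re

# Constructed sample manifest. Kept as a literal string because the
# line numbers are what the reachability mapping reports.
PACKAGE_JSON = """{
  "name": "example-app",
  "version": "1.0.0",
  "dependencies": {
    "example-http": "2.3.0",
    "example-util": "1.0.0"
  }
}
"""

# Constructed lock file in npm lockfileVersion 3 shape: the "" entry is the
# root project, every other key is an installed package path.
PACKAGE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"example-http": "2.3.0", "example-util": "1.0.0"}},
        "node_modules/example-http": {"version": "2.3.0", "dependencies": {"example-parser": "^0.9.0"}},
        "node_modules/example-util": {"version": "1.0.0"},
        "node_modules/example-parser": {"version": "0.9.1"},
    },
}

# Constructed advisories with placeholder ids (not real vulnerabilities).
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "package": "example-http", "vulnerable_below": "2.4.0"},
    {"id": "ADV-PLACEHOLDER-2", "package": "example-parser", "vulnerable_below": "1.0.0"},
    {"id": "ADV-PLACEHOLDER-3", "package": "example-util", "vulnerable_below": "1.0.0"},
]


def parse_version(version):
    """Numeric tuple for a simple x.y.z comparison (no pre-release handling)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def direct_dependencies(lock):
    """Names declared on the root project entry of the lock file."""
    return set(lock["packages"][""].get("dependencies", {}))


def installed_versions(lock):
    """Map installed package name -> resolved version (handles nested node_modules)."""
    versions = {}
    for key, entry in lock["packages"].items():
        if key:
            versions[key.rsplit("node_modules/", 1)[-1]] = entry["version"]
    return versions


def dependency_path(lock, target):
    """Breadth-first search from the root: shortest chain of names reaching target."""
    packages = lock["packages"]
    queue = [[name] for name in packages[""].get("dependencies", {})]
    seen = set()
    while queue:
        path = queue.pop(0)
        name = path[-1]
        if name == target:
            return path
        if name in seen:
            continue
        seen.add(name)
        children = packages.get("node_modules/" + name, {}).get("dependencies", {})
        queue.extend(path + [child] for child in children)
    return None


def manifest_line(manifest_text, name):
    """1-based line in package.json where the dependency is declared, or None."""
    pattern = re.compile(r'^\s*"%s"\s*:' % re.escape(name))
    for lineno, line in enumerate(manifest_text.splitlines(), start=1):
        if pattern.match(line):
            return lineno
    return None


def triage(manifest_text, lock, advisories):
    """Return findings with direct/transitive marking, chain, manifest line and priority."""
    versions = installed_versions(lock)
    direct = direct_dependencies(lock)
    findings = []
    for adv in advisories:
        name = adv["package"]
        installed = versions.get(name)
        if installed is None or parse_version(installed) >= parse_version(adv["vulnerable_below"]):
            continue  # not installed, or already at a fixed version
        is_direct = name in direct
        findings.append({
            "advisory": adv["id"],
            "package": name,
            "installed": installed,
            "direct": is_direct,
            "path": dependency_path(lock, name),
            "manifest_line": manifest_line(manifest_text, name) if is_direct else None,
            "priority": "high" if is_direct else "low",  # transitive: lower by default
            "block_pr": is_direct,                        # only direct findings fail the PR
        })
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(PACKAGE_JSON, PACKAGE_LOCK, ADVISORIES), indent=2))
```

The third advisory is dropped because the installed version is not below the vulnerable range, which is the filtering step that keeps a dashboard from listing fixed packages. The chain returned for a transitive finding tells the reviewer which direct dependency to upgrade.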

### Secrets Verification

* **Active Validation**: Attempts to use discovered credentials
* Tests API keys against actual services
* Validates JWT/token formats and expiration
* Functional testing, not just pattern matching
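To make the diff-only scanning from the Secrets Detection section and the format and expiration validation from this section concrete, here is an added example (written for this page, not Nullify's scanner): it parses a constructed unified diff, scans only the added lines so that removed lines and untouched context are never reported, matches a few simplified secret patterns, and for a JWT decodes the payload and checks `exp`. The verification step is deliberately offline (format and expiry only); it does not exercise credentials against any service. The diff contents, the AWS-style key id, the assignment values and the token's signing key are all constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import re
import time

# Simplified patterns, checked in this order; the first match on a line wins.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|password|token)\s*[=:]\s*['\"][^'\"]{8,}['\"]"
    ),
}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(payload, key=b"constructed-demo-key"):
    """Build an HS256 JWT for the sample diff (constructed key, demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = _b64url(hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest())
    return f"{header}.{body}.{sig}"


def jwt_expiry_status(token, now=None):
    """'expired', 'unexpired', 'no-exp' or 'malformed' from the token's payload."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed"
    try:
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return "malformed"
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, (int, float)):
        return "no-exp"
    return "expired" if exp < now else "unexpired"


def added_lines(diff_text):
    """Yield (path, new_line_number, content) for '+' lines of a unified diff."""
    path, new_lineno = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@", raw)
            new_lineno = int(m.group(1))
        elif raw.startswith("+"):
            yield path, new_lineno, raw[1:]
            new_lineno += 1
        elif raw.startswith("-") or raw.startswith("\\"):
            continue  # removed lines and "\ No newline" markers do not advance the new file
        elif path is not None:
            new_lineno += 1  # unchanged context line


def scan_diff(diff_text, now=None):
    """Findings for added lines only; JWT findings carry an offline expiry check."""
    findings = []
    for path, lineno, content in added_lines(diff_text):
        for kind, pattern in SECRET_PATTERNS.items():
            match = pattern.search(content)
            if not match:
                continue
            finding = {"path": path, "line": lineno, "kind": kind}
            if kind == "jwt":
                finding["verification"] = jwt_expiry_status(match.group(0), now)
            findings.append(finding)
            break
    return findings


# Constructed diff: two secrets and a generic assignment are added, and an old
# password line is removed (removed lines must not be reported).
EXPIRED_TOKEN = make_jwt({"sub": "demo", "exp": 1700000000})
SAMPLE_DIFF = f"""diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,3 +1,6 @@
 import os
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"
+SESSION_TOKEN = "{EXPIRED_TOKEN}"
+DB_PASSWORD = "constructed-placeholder-pw"
 def main():
-    password = "hunter2-old-secret"
+    pass
"""

if __name__ == "__main__":
    print(json.dumps(scan_diff(SAMPLE_DIFF), indent=2))
```

Tracking the new-file line counter through context and added lines is what lets a finding be posted as an inline comment at the right place; removed lines are skipped both for reporting and for line counting.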
