# Code Reviews

## Overview

Nullify reviews code across three layers: application code vulnerabilities, dependency vulnerabilities, and leaked secrets. Every commit, pull request, and branch is continuously monitored to prevent security issues from reaching production.

## Scanning Scope

### Application Code Analysis

* **Pull Requests**: Reviews all PRs targeting the default branch
  * Scans only changed files in the diff
  * Posts inline review comments on findings
  * Does not block merges (informational status only)
* **Default Branch Commits**: Scans all commits pushed to the default branch
  * Full repository scan on every push
  * Updates vulnerability dashboard with complete inventory
  * Creates tickets and notifications for new findings
* **Other Branches**: Not scanned for code vulnerabilities

### Dependency Analysis

* **Pull Requests**: Reviews dependency changes in PRs targeting the default branch
  * Scans changed manifest files (package.json, pom.xml, Cargo.toml, etc.)
  * **Blocks merges** if vulnerabilities are found in the PR diff
  * Identifies both direct and transitive dependencies
* **Default Branch Commits**: Full dependency scan on every push
  * Analyzes all package manifest and lock files
  * Updates dashboard with complete vulnerability inventory
  * Triggers auto-fix PRs for upgradeable dependencies
* **Container Images**: Scans Docker images for vulnerable packages

### Secrets Detection

* **All Branches, All Commits**: Scans every commit on every branch
  * Optimized diff-only scanning (not full repository clone)
  * Immediately notifies commit author via email if secrets found
  * Active verification of detected credentials
  * Prevents secrets from entering git history
* **Default Branch**: Full git history scan on merge to main
  * Updates issues dashboard with all potential secrets
  * Comprehensive repository-wide secret inventory
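The diff-only scanning described above (added lines only, per file, per hunk) is straightforward to reason about with a small model. This is an added example, not Nullify's own code or rule set; the three credential patterns and the sample diff are constructed for illustration.

```python
import re

# Illustrative credential rules (added example, not Nullify's rule set).
RULES = {
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "github_pat": re.compile(r"ghp_[A-Za-z0-9]{36}"),
    "generic_credential": re.compile(
        r"(?i)(api[_-]?key|secret|password)\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def scan_diff(diff_text):
    """Scan only the added lines of a unified diff; return (path, line, rule, preview).

    Removed lines are skipped: a secret leaving the tree is not a new leak, and
    one that was committed earlier belongs to the full-history scan instead.
    """
    findings, path, new_line = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):            # target file of the next hunks
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("--- ") or raw.startswith("diff --git"):
            continue                          # metadata, no line counting
        elif raw.startswith("@@"):            # hunk header gives new-file start line
            m = HUNK_RE.match(raw)
            new_line = int(m.group(1)) if m else 0
        elif raw.startswith("+"):             # added line: the only thing we scan
            for name, rx in RULES.items():
                m = rx.search(raw[1:])
                if m:                         # report a redacted preview, never the value
                    findings.append((path, new_line, name, m.group(0)[:6] + "..."))
            new_line += 1
        elif raw.startswith(" "):             # unchanged context advances the counter
            new_line += 1
    return findings


# Constructed sample diff (not from the page): one secret removed, two added.
SAMPLE_DIFF = "\n".join([
    "diff --git a/config.py b/config.py",
    "--- a/config.py",
    "+++ b/config.py",
    "@@ -1,3 +1,5 @@",
    " import os",
    '-AWS_KEY = "AKIAREMOVEDEXAMPLE00"',
    '+AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]',
    '+GITHUB_TOKEN = "ghp_' + "Z" * 36 + '"',
    '+DB_PASSWORD = "hunter2hunter2"',
    " DEBUG = False",
])
```

Running `scan_diff(SAMPLE_DIFF)` reports the two added credentials at config.py lines 3 and 4 and stays silent on the removed AWS key, which is exactly the split between the per-commit diff scan and the full-history scan on the default branch.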

## Supported Languages

Nullify analyzes code in **12 languages**:

* **Go** (.go)
* **Java** (.java)
* **JavaScript** (.js, .jsx, .mjs)
* **TypeScript** (.ts, .tsx)
* **Python** (.py)
* **C#** (.cs)
* **Kotlin** (.kt, .kts)
* **Ruby** (.rb)
* **PHP** (.php)
* **Swift** (.swift)
* **Scala** (.scala)
* **C/C++** (limited support)

### Infrastructure as Code

* **Terraform** (.tf)
* **CloudFormation** (.yaml, .json templates)
* **Kubernetes** (.yaml manifests)
* **AWS SAM** (template.yaml)
* **Serverless Framework** (serverless.yml)

## Supported Package Managers

* **npm** (Node.js) - package.json, package-lock.json
* **Maven** (Java) - pom.xml
* **Gradle** (Java/Kotlin) - build.gradle, gradle.lockfile
* **pip** (Python) - requirements.txt, Pipfile, pyproject.toml
* **Ruby Gems** - Gemfile, Gemfile.lock
* **Go modules** - go.mod, go.sum
* **Cargo** (Rust) - Cargo.toml, Cargo.lock
* **Composer** (PHP) - composer.json, composer.lock
* **.NET** - \*.csproj, packages.config

## Supported Weaknesses

Nullify detects **OWASP Top 10** and **CWE Top 25** vulnerability classes:

* SQL Injection (CWE-89)
* Command Injection (CWE-78)
* Path Traversal (CWE-22)
* Cross-Site Scripting (CWE-79)
* Server-Side Request Forgery (SSRF)
* Broken Authentication
* Broken Access Control
* Cryptographic Failures
* Insecure Deserialization
* Security Misconfiguration
* Unsafe File Uploads
* Hardcoded Credentials
* Information Disclosure

See [Supported Weaknesses](/capabilities/code-reviews/code-analysis/supported-weaknesses.md) for the complete list.

## Reachability & Exploitability Analysis

### Code Analysis

* AI-powered triage analyzes how code is used in context
* Fast screening eliminates false positives
* Severity scoring based on exploitability, not just theoretical risk

### Dependency Analysis

* **Direct vs. Transitive**: Marks whether the vulnerability is in a direct dependency
* **Reachability Analysis**: Maps vulnerabilities to source manifest files with line numbers
* Direct dependency vulnerabilities trigger build failures in PRs
* Transitive vulnerabilities have lower priority by default

### Secrets Verification

* **Active Validation**: Attempts to use discovered credentials
* Tests API keys against actual services
* Validates JWT/token formats and expiration
* Functional testing of the credential, not just pattern matching
---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.nullify.ai/capabilities/code-reviews.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
