Code Configuration

Overview

Autofix

Control how Nullify drafts pull requests for code findings:

code:
  auto_fix:
    enabled: true
    max_pull_requests_open: 2
    max_pull_request_creation_rate:
      count: 2
      days: 7

• enabled toggles automated fixes for supported languages (Go, Java, JavaScript/Node.js, Python).

• max_pull_requests_open limits simultaneous fix branches per repository.

• max_pull_request_creation_rate throttles how frequently new fixes are proposed.

Ignore Findings

Allow-list specific rules or CWEs when a risk is accepted:

code:
  ignore:
    - cwes: [589]
      reason: HTTP requests with variables in tests are acceptable
      paths: ["**/tests/*"]
      repositories:
        - config-file-parser
        - dast-action
        - cli
    - rule_ids: [python-sql-injection]
      reason: Deferred until Q4 rework
      expiry: "2024-12-31"
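To show how an ignore list like the one above resolves against a concrete finding, here is an added example (it is not Nullify's own matcher; treating repositories and paths as narrowing filters, the glob handling, and the expiry rule are assumptions about the semantics). It embeds the YAML as a Python dict and returns the accepted-risk reason, if any:

```python
from dataclasses import dataclass
from datetime import date
from fnmatch import fnmatch

# Constructed from the page's YAML above, embedded so this runs without PyYAML.
CONFIG = {
    "code": {
        "ignore": [
            {"cwes": [589],
             "reason": "HTTP requests with variables in tests are acceptable",
             "paths": ["**/tests/*"],
             "repositories": ["config-file-parser", "dast-action", "cli"]},
            {"rule_ids": ["python-sql-injection"],
             "reason": "Deferred until Q4 rework",
             "expiry": "2024-12-31"},
        ]
    }
}

@dataclass(frozen=True)
class Finding:
    repository: str
    path: str
    cwe: int
    rule_id: str

def _path_matches(path, pattern):
    # Assumption: a leading "**/" may also match a top-level path.
    candidates = [pattern, pattern[3:]] if pattern.startswith("**/") else [pattern]
    return any(fnmatch(path, p) for p in candidates)

def ignore_reason(finding, config, today):
    """First ignore reason covering `finding` as of `today` (date or ISO string), else None."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    for entry in config.get("code", {}).get("ignore", []):
        expiry = entry.get("expiry")
        if expiry and today > date.fromisoformat(expiry):
            continue  # expired entries no longer suppress anything
        if (finding.cwe not in entry.get("cwes", [])
                and finding.rule_id not in entry.get("rule_ids", [])):
            continue  # entry does not name this CWE or rule id
        repos = entry.get("repositories")
        if repos and finding.repository not in repos:
            continue  # scoped to other repositories
        paths = entry.get("paths")
        if paths and not any(_path_matches(finding.path, p) for p in paths):
            continue  # scoped to other paths
        return entry["reason"]
    return None
```

A finding that is not covered (wrong repository, non-test path, or an entry past its expiry) yields None and should still be reported.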

Inline suppressions are also supported. Reviewers can accept a finding inside a pull request by committing a Nullify ignore directive, which records the decision for audit and updates future assessments.

1. The reviewer commits a Nullify ignore directive above the flagged code.
2. The directive suppresses that precise instance of the finding.
3. Nullify summarises the accepted risk in the pull request timeline.

Accepted-risk events also flow through the Nullify API so you can export them for compliance, metrics, or SIEM correlation.
