General Configuration

Overview

Once installed, Nullify immediately starts assessing pull requests and creating findings for new risks. The defaults get most teams moving quickly, but you can tailor behaviour through configuration files.

Global Configuration

Create a .nullify.yml in your organisation-level configuration repository to define shared policy. Depending on your platform this repository is:

GitHub: .github-private
Bitbucket: .bitbucket-private
Azure DevOps: .azure-private

The repository should remain private and accessible to the Nullify app. GitHub uses the same mechanism for organisation-wide issue and pull-request templates, so existing practices apply.

Automatic Document Ingestion

In addition to .nullify.yml, Nullify automatically ingests organisational documents committed to this repository into the Memory Vault. On every push, eligible files are uploaded to the vault and fed to the onboarding agent to build organisational context (security posture, escalation matrices, compliance controls) that informs vulnerability prioritisation.

Eligible file types:

Markdown (.md)
PDF (.pdf)
Plain text (.txt)
Structured data: JSON (.json), CSV (.csv)
Images: PNG, JPG/JPEG, GIF, SVG, WEBP, BMP, TIFF

Skipped at the repository root (to avoid boilerplate noise): README.md, package.json, package-lock.json, tsconfig.json. The same filenames inside subdirectories are ingested normally.

Useful examples to commit: security architecture diagrams, on-call escalation matrices, GDPR/SOC 2 attestations, vendor risk assessments, incident response runbooks, access review exports. Files can also be uploaded interactively from the onboarding UI — both paths feed the same vault.

Repository Configuration

Add a .nullify.yml to individual repositories when you need to override the global defaults. Settings cascade as follows: built-in defaults → organisation file → repository file.

The merge logic lives in config-file-parser if you want to review precedence rules.

Fail Builds

Control whether Nullify can fail CI when a new finding exceeds your policy:

enable_fail_builds: true

Severity Threshold

Limit surfaced findings by severity (critical, high, medium, low):

severity_threshold: high

Priority Threshold

Filter findings by Nullify’s priority classification (urgent, important, informational):

priority_threshold: urgent

Ignore Directories

Exclude directories from assessment:

ignore_dirs: ["data"]

Ignore Paths

Use glob patterns to skip specific files:

ignore_paths: ["tests/**", "**/*.py"]

PreviousMCP Setup NextCode Configuration

Last updated 13 days ago