Custom Rules

Nullify ships out of the box with a set of pre-configured SAST rules to detect vulnerabilities in code.

However, you can also create custom rules to detect vulnerabilities specific to your codebase.

All Nullify features are supported with custom rules:

  • AI false positive and prioritization

  • Auto-fix

  • Pull request comments

  • Web dashboard metrics and triage page

The metadata in your custom SAST rules is passed to the AI agents that perform triage (false-positive detection and prioritization), so you can use it to give those agents extra context and help them make better decisions. For example, add a note explaining the edge cases in which a match is not a vulnerability, or in which it is critical.

Setup

  1. Create a .nullify/semgrep directory in the root of your repository.

  2. Add custom rules in the .nullify/semgrep directory (see example below).

Rules added to the global configuration repository (e.g. .github-private) will be run on all repositories in the organization.

Writing Rules

Custom rules use the same syntax as Semgrep rules.

https://semgrep.dev/docs/writing-rules/overview

Example

This example rule flags every http.Get call in Go code. The rule itself does not encode the exception; the metadata tells the AI triage agent that requests to api.github.com are permitted, so it can mark those findings as false positives and flag all other requests as vulnerabilities.

rules:
- id: detect-http-get
  languages:
  - go
  patterns:
  # Match the whole call and bind its argument to $URL so the finding shows
  # which host is being contacted; the AI triage agent needs that to decide
  # whether the api.github.com exception applies.
  - pattern: http.Get($URL)
  message: Custom rule - http.Get request made to $URL
  # Everything under metadata is passed to the AI triage agents as context.
  metadata:
    shortDescription: "http GET request made - this codebase is banned from making network requests except for api.github.com"
    cwe: "CWE-0"  # placeholder; there is no CWE-0, so use the CWE that fits the finding
  severity: "ERROR"
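The following script is an added example and is not Nullify's or Semgrep's own code. It ties the Setup steps and the rule above together: it creates the .nullify/semgrep directory, writes a variant of the detect-http-get rule that binds the request URL and excludes the one host the codebase may call when that host appears as a string literal, adds a Semgrep test fixture with ruleid/ok annotations, and validates the rule with Semgrep's --test mode. The tests/semgrep location for fixtures and the scratch repository created with mktemp are assumptions made so the script runs stand-alone; non-literal URLs are still reported and left to AI triage, which is where the metadata context matters.

```shell
#!/bin/sh
# Added example, not Nullify's or Semgrep's own code. Scaffolds the
# .nullify/semgrep layout, writes a rule in the style of the page's example,
# adds a Semgrep test fixture and validates the rule with `semgrep --test`.
set -eu

scaffold_custom_rule() {   # $1 = repository root; prints the rule file path
  rule_dir="$1/.nullify/semgrep"
  test_dir="$1/tests/semgrep"   # assumed location; Nullify only reads .nullify/semgrep
  mkdir -p "$rule_dir" "$test_dir"

  # Compared with the page's example, this rule binds the argument to $URL so
  # the message names the target, and excludes calls whose argument is a
  # string literal starting with the allowed host. Variables and
  # concatenations are still reported and left to AI triage.
  cat > "$rule_dir/detect-http-get.yaml" <<'EOF'
rules:
- id: detect-http-get
  languages:
  - go
  patterns:
  - pattern: http.Get($URL)
  - metavariable-regex:
      metavariable: $URL
      # Report unless the argument is a literal beginning with the allowed host.
      regex: '^(?!"?https://api\.github\.com/)'
  message: Custom rule - http.Get request made to $URL
  metadata:
    shortDescription: "http GET request made - this codebase is banned from making network requests except for api.github.com"
    cwe: "CWE-0"
  severity: ERROR
EOF

  # Semgrep test fixture (constructed sample code) with the same basename as
  # the rule file. A `ruleid:` comment means the next line must match; an
  # `ok:` comment means it must not.
  cat > "$test_dir/detect-http-get.go" <<'EOF'
package main

import "net/http"

func fetch(url string) {
    // ok: detect-http-get
    http.Get("https://api.github.com/repos/octocat/hello-world")
    // ruleid: detect-http-get
    http.Get("https://example.com/")
    // ruleid: detect-http-get
    http.Get(url)
}
EOF
  printf '%s\n' "$rule_dir/detect-http-get.yaml"
}

validate_custom_rule() {   # $1 = repository root
  if command -v semgrep >/dev/null 2>&1; then
    # Rules and fixtures live in different directories, so pass both.
    semgrep --test --config "$1/.nullify/semgrep" "$1/tests/semgrep"
  else
    echo "semgrep not installed; skipping --test run" >&2
  fi
}

REPO="$(mktemp -d)"
RULE_FILE="$(scaffold_custom_rule "$REPO")"
echo "wrote $RULE_FILE"
validate_custom_rule "$REPO"
```

Run it from a clean checkout (or let it create the scratch directory) before committing the rule; a failing `ok:` line usually means the exclusion is too narrow, while a failing `ruleid:` line means the pattern no longer matches the call shape you intended.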

© 2023 Nullify | All Rights Reserved.