© 2023 Nullify | All Rights Reserved.

Custom Rules

Last updated 7 months ago

Nullify ships out of the box with a set of pre-configured SAST rules to detect vulnerabilities in code.

However, you can also create custom rules to detect vulnerabilities specific to your codebase.

All Nullify features are supported with custom rules:

  • AI false positive and prioritization

  • Auto-fix

  • Pull request comments

  • Web dashboard metrics and triage page

The metadata in your custom SAST rules will be passed to the AI agents performing triage (false positive and prioritization). This means you can provide additional context to the AI agents to help them make better decisions. For example, you can leave a comment explaining edge cases when it is not a vulnerability or when it is critical.

Setup

  1. Create a .nullify/semgrep directory in the root of your repository.

  2. Add custom rules in the .nullify/semgrep directory (see example below).

Rules added to the global configuration repository (e.g. .github-private) will be run on all repositories in the organization.

Writing Rules

Custom rules use the same syntax as Semgrep rules.

Example

This example rule fires on every http.Get call in Go code. Because the metadata is passed to the triage agent, the agent can use the allowlist stated in shortDescription: it will mark requests to api.github.com as acceptable and flag all other requests as a vulnerability.

rules:
- id: detect-http-get
  languages:
  - go
  patterns:
  # Matches every reference to http.Get, so each call site (and a bare
  # reference such as f := http.Get) becomes a finding.
  - pattern: |
      http.Get
  message: Custom rule - http.Get request made
  # Everything under metadata is forwarded to the Nullify triage agents;
  # shortDescription carries the allowlist context they need.
  metadata:
    shortDescription: "http GET request made - this codebase is banned from making network requests except for api.github.com"
    cwe: "CWE-0"
  severity: "ERROR"

For the full rule syntax, see the Semgrep rule-writing documentation: https://semgrep.dev/docs/writing-rules/overview
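As an added example (not a rule from the Nullify docs), the same check with the api.github.com allowlist encoded in the rule itself, so only hard-coded non-GitHub hosts and URLs that cannot be checked statically reach the AI triage step. The rule id, the file name, the regex and the triageNotes metadata key are my own assumptions; the metadata block is free-form, as the text above describes.

```yaml
# Added example; save as .nullify/semgrep/http-get-allowlist.yml (assumed file name).
rules:
- id: detect-http-get-outside-allowlist   # assumed rule id
  languages:
  - go
  severity: ERROR
  message: >-
    Custom rule - http.Get to a host other than api.github.com. Only calls whose
    URL is a string literal under https://api.github.com/ are excluded statically.
  patterns:
  # Match the call and bind its argument, instead of the bare http.Get selector.
  - pattern: http.Get($URL)
  # Keep the finding unless $URL is a literal https://api.github.com URL.
  # A URL built at runtime (a variable, fmt.Sprintf, ...) cannot be checked
  # here and stays flagged for triage. The (/|"?$) tail rejects prefix
  # look-alikes such as https://api.github.com.example.org. The optional
  # leading quote covers Semgrep versions that match with or without quotes.
  - metavariable-regex:
      metavariable: $URL
      regex: '^(?!"?https://api\.github\.com(/|"?$)).*'
  metadata:
    shortDescription: "http GET request to a host outside the api.github.com allowlist"
    cwe: "CWE-0"
    # Free-text context for the triage agents (assumed key name; any key is forwarded).
    triageNotes: >-
      Literal api.github.com URLs are already excluded by the rule. A URL built at
      runtime is a true positive unless every value it can take stays under
      https://api.github.com/. A hard-coded non-GitHub host is critical.
```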