Configuration - Code

Auto Fix

This setting controls the creation of pull requests to fix vulnerabilities in source code.

To enable automatic creation of code fix pull requests, set code.auto_fix.enabled to true. You can also cap the number of open pull requests per repository with the code.auto_fix.max_pull_requests_open key, and limit the rate of pull request creation (a count per number of days) with the code.auto_fix.max_pull_request_creation_rate key.

code:
  auto_fix:
    enabled: true
    max_pull_requests_open: 2
    max_pull_request_creation_rate:
      count: 2
      days: 7

Ignore Findings

To allowlist specific CWEs or Rule IDs, add them to the ignore list. The code.ignore[i].repositories list is only applicable in the global configuration file.

code:
  ignore:
    - cwes: [ 589 ] # Potential HTTP request made with variable url
      reason: HTTP requests with variables in tests don't matter
      paths: [ "**/tests/*" ]
      repositories:
        - config-file-parser
        - dast-action
        - cli
    - rule_ids: [ python-sql-injection ]
      reason: This code won't be going live until next year but we should fix it before then
      expiry: "2021-12-31"
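The following is an added example, not Nullify's own code, showing how a reviewer might sanity-check the ignore list above against a concrete finding before committing it. The matching semantics are assumptions: every key present in a rule must match, an absent key acts as a wildcard, an expired rule is skipped, and path globs are approximated with fnmatch.

```python
from datetime import date
from fnmatch import fnmatch

# Constructed Python mirror of the page's YAML ignore list (no PyYAML needed).
IGNORE_RULES = [
    {"cwes": [589],
     "reason": "HTTP requests with variables in tests don't matter",
     "paths": ["**/tests/*"],
     "repositories": ["config-file-parser", "dast-action", "cli"]},
    {"rule_ids": ["python-sql-injection"],
     "reason": "This code won't be going live until next year but we should fix it before then",
     "expiry": "2021-12-31"},
]


def rule_matches(rule, finding, repo, today):
    """Return True if `rule` suppresses `finding` for repository `repo` on `today`.

    `finding` is a dict with keys cwe, rule_id and path. Assumed semantics:
    every key present in the rule must match, absent keys are wildcards, and a
    rule whose expiry date has passed never matches (so the finding resurfaces).
    """
    if "expiry" in rule and date.fromisoformat(rule["expiry"]) < today:
        return False
    if "repositories" in rule and repo not in rule["repositories"]:
        return False
    if "cwes" in rule and finding["cwe"] not in rule["cwes"]:
        return False
    if "rule_ids" in rule and finding["rule_id"] not in rule["rule_ids"]:
        return False
    # fnmatch lets '*' cross '/' so "**/tests/*" behaves like a recursive glob here.
    if "paths" in rule and not any(fnmatch(finding["path"], p) for p in rule["paths"]):
        return False
    return True


def ignore_reason(finding, repo, today, rules=IGNORE_RULES):
    """Reason of the first matching rule, or None if the finding must be reported."""
    for rule in rules:
        if rule_matches(rule, finding, repo, today):
            return rule["reason"]
    return None
```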

Developers can insert in-line comments to accept instances of findings as false positives or accepted risks.

In the following example, the Nullify bot detects a potential vulnerability in a file changed in a pull-request and comments on the lines where an issue is detected.

The reviewer of the pull request believes the vulnerability to be either a false positive or not relevant. They click the “Commit Suggestion” button that the bot offers, which creates an ignore comment on the line directly above the potentially vulnerable code.
With the ignore comment inserted in-line, that particular instance of SQL Injection will no longer be reported as a finding by Nullify.
The pull request is ready to merge, and Nullify makes a “Summary” comment on the PR to clearly state which risks were accepted and by whom.

Accept-risk “events” will also be consumable from the Nullify API, either by querying endpoints or through a webhook URL/event stream.

Nullify's method of designating risks offers security teams:

  • The ability to accept risk with one click

  • Access control and audit log gated through the Pull Request (branch protection)

  • Pull Request summary comment for built-in historical log

  • API endpoint to consume whitelist events for reporting and metrics

© 2023 Nullify | All Rights Reserved.