Configuration - Code

Auto Fix

This setting controls the creation of pull requests to fix vulnerabilities in source code.

To enable automatic creation of code fix pull requests, set code.auto_fix.enabled to true. You can also set the maximum number of open pull requests per repository with the code.auto_fix.max_pull_requests_open key. You can also set the maximum rate of pull request creation with the code.auto_fix.max_pull_request_creation_rate key.

code:
  auto_fix:
    enabled: true
    max_pull_requests_open: 2
    max_pull_request_creation_rate:
      count: 2
      days: 7

Ignore Findings

To allowlist specific CWEs or Rule IDs add them to the ignore list. The code.ignore[i].repositories list is only applicable in the global configuration file.

code:
  ignore:
    - cwes: [ 589 ] # Potential HTTP request made with variable url
      reason: HTTP requests with variables in tests don't matter
      paths: [ "**/tests/*" ]
      repositories:
        - config-file-parser
        - dast-action
        - cli
    - rule_ids: [ python-sql-injection ]
      reason: This code won't be going live until next year but we should fix it before then
      expiry: "2021-12-31"

Developers can insert in-line comments to accept instances of findings as false positives or accepted risks.

In the following example, the Nullify bot detects a potential vulnerability in a file changed in a pull-request and comments on the lines where an issue is detected.

Nullify's method of designating risks offers security teams:

• The ability to accept risk with one click

• Access control and audit log gated through the Pull Request (branch protection)

• Pull Request summary comment for built-in historical log

• API endpoint to consume whitelist events for reporting and metrics