Configuration - Code
Auto Fix
This setting controls the creation of pull requests that fix vulnerabilities in source code.
To enable automatic creation of code fix pull requests, set code.auto_fix.enabled to true. You can also cap the number of open fix pull requests per repository with the code.auto_fix.max_pull_requests_open key, and cap the rate at which fix pull requests are created with the code.auto_fix.max_pull_request_creation_rate key (a count of pull requests per number of days).
code:
  auto_fix:
    enabled: true
    max_pull_requests_open: 2
    max_pull_request_creation_rate:
      count: 2
      days: 7
Ignore Findings
To allowlist specific CWEs or Rule IDs, add them to the ignore list. Each entry names the CWEs (cwes) or Rule IDs (rule_ids) it covers and a reason, and may be narrowed with a paths glob list, a repositories list, or an expiry date. The code.ignore[i].repositories list is only applicable in the global configuration file.
code:
  ignore:
    - cwes: [ 589 ] # Potential HTTP request made with variable url
      reason: HTTP requests with variables in tests don't matter
      paths: [ "**/tests/*" ]
      repositories:
        - config-file-parser
        - dast-action
        - cli
    - rule_ids: [ python-sql-injection ]
      reason: This code won't be going live until next year but we should fix it before then
      expiry: "2021-12-31"
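The following is an added example, not Nullify's own code, showing how the two configuration fragments above (the Auto Fix limits and the Ignore Findings list) can be evaluated: a gate that decides whether another fix pull request may be opened, and a matcher that reports which ignore entry suppresses a finding. The config is embedded as the parsed form of the page's YAML so the example runs without a YAML library. The Finding shape, the utc_day helper, the reading of count/days as a sliding window, the use of fnmatch-style globs for paths, and the choice to disregard a repositories key in a repository-level file are all assumptions of this example, not documented Nullify behaviour.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Constructed: parsed form of the two YAML fragments on this page, embedded as a
# dict so the example runs offline. Key names are the page's own.
CONFIG = {
    "code": {
        "auto_fix": {
            "enabled": True,
            "max_pull_requests_open": 2,
            "max_pull_request_creation_rate": {"count": 2, "days": 7},
        },
        "ignore": [
            {
                "cwes": [589],
                "reason": "HTTP requests with variables in tests don't matter",
                "paths": ["**/tests/*"],
                "repositories": ["config-file-parser", "dast-action", "cli"],
            },
            {
                "rule_ids": ["python-sql-injection"],
                "reason": "This code won't be going live until next year",
                "expiry": "2021-12-31",
            },
        ],
    }
}


def utc_day(year, month, day):
    """Helper (assumption of this example): midnight UTC on the given day."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def may_open_fix_pr(config, open_fix_prs, recent_creations, now):
    """Decide whether one more fix PR may be opened in a repository.

    Returns (allowed, reason). Assumption: count/days is a sliding window,
    i.e. at most `count` fix PRs created in the last `days` days.
    """
    policy = config["code"]["auto_fix"]
    if not policy.get("enabled", False):
        return False, "auto_fix disabled"
    if open_fix_prs >= policy["max_pull_requests_open"]:
        return False, "max_pull_requests_open reached"
    rate = policy["max_pull_request_creation_rate"]
    window_start = now - timedelta(days=rate["days"])
    created_in_window = sum(1 for t in recent_creations if t >= window_start)
    if created_in_window >= rate["count"]:
        return False, "max_pull_request_creation_rate reached"
    return True, "ok"


@dataclass
class Finding:
    """One code finding as this example models it (constructed shape)."""
    repository: str
    path: str
    rule_id: str
    cwes: list = field(default_factory=list)


def _entry_applies(entry, finding, today, is_global):
    # An expired entry stops suppressing; on the expiry date itself it still applies.
    if "expiry" in entry and today > date.fromisoformat(entry["expiry"]):
        return False
    # The entry must name the finding's CWE or its rule id.
    by_cwe = any(c in finding.cwes for c in entry.get("cwes", []))
    by_rule = finding.rule_id in entry.get("rule_ids", [])
    if not (by_cwe or by_rule):
        return False
    # paths are treated as fnmatch-style globs (assumption: the exact glob
    # dialect for "**/tests/*" is not stated on the page).
    if "paths" in entry and not any(fnmatchcase(finding.path, p) for p in entry["paths"]):
        return False
    # The page says repositories is only applicable in the global config; this
    # example disregards the key in a repository-level file (assumption).
    if "repositories" in entry and is_global and finding.repository not in entry["repositories"]:
        return False
    return True


def ignore_reason(config, finding, today, is_global=True):
    """Return the reason of the first ignore entry that suppresses the finding, else None.

    `today` may be a date or an ISO-8601 string such as "2021-06-01".
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    for entry in config["code"]["ignore"]:
        if _entry_applies(entry, finding, today, is_global):
            return entry["reason"]
    return None
```

Because an expiry is checked before anything else, a forgotten entry simply stops suppressing once the date passes and the finding resurfaces in review, which is the behaviour a security team usually wants from a time-boxed risk acceptance.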
Developers can insert in-line comments to accept instances of findings as false positives or accepted risks.
In the following example, the Nullify bot detects a potential vulnerability in a file changed in a pull request and comments on the lines where an issue is detected.
Accept-risk "events" can also be consumed from the Nullify API, either by querying endpoints or via a webhook URL/event stream.
Nullify's method of designating risks offers security teams:
The ability to accept risk with one click
Access control and audit log gated through the Pull Request (branch protection)
Pull Request summary comment for built-in historical log
API endpoint to consume whitelist events for reporting and metrics