Configuration - General

Once installed, Nullify will start reviewing your pull requests and creating issues for any vulnerabilities it finds. An out of box configuration is provided, but you can customize Nullify to suit your organization.

Global configuration

The global defaults can be overridden by creating a .nullify.yml file in the root of the global configuration repository.

On GitHub this is the .github-private repository. On BitBucket this is the .bitbucket-private repository.

If these repositories do not exist, you can create them. Make sure they are private and added to the list of repositories that the Nullify app has access to if you didnt enable all repositories.

This repository is private to your organization and is used to store organization-wide settings and templates. GitHub makes use of this same repository for organization wide issue and pull request templates.

Repository configuration

Nullify can be configured on a per-repository basis by including a .nullify.yml file in the root of the repository.

This config file takes precedence over the global config file for any specific options which are defined. If config options aren't defined at the repo-level, the global defaults will be used.

The merge of the default, global and repository level configuration files is done by the following code:

https://github.com/Nullify-Platform/config-file-parser/blob/main/pkg/merger/merger.go

Fail Builds

You can specify whether Nullify should fail the build on a pull request when it will add a new vulnerability. By default, the build will not fail.

fail_builds: true

Severity Threshold

You can specify the severity threshold of findings that should be reported and included in the Issues dashboards. By default, medium and above is reported. You must select one of critical, high, medium or low.

severity_threshold: high

Ignore Directories

You can ignore specific directories in a repository from being scanned and reported on. By default, every directory is allowed to be scanned.

ignore_dirs: ["data"]

Ignore Paths

You can also use glob patterns to ignore specific files and paths from being scanned.

ignore_paths: ["tests/**", "**/*.py"]

Notifications

To receive notifications for Nullify events, specify the events, targets and repositories. The repositories list is only applicable in the global configuration file.

notifications:
  replace-with-your-notification-id:
    # define the event filters
    events:
      all:
        minimum_severity: high
        secret_types: [ ssh_key ]
    # define the targets for the notifications
    targets:
      webhook:
        urls: [ https://example.com/123456 ]
      slack:
        channels: [ "123456" ]
      email:
        addresses: [ notifications@example.com ]
    # optional repositories filter
    repositories:
      - config-file-parser
      - dast-action
      - cli

TODO add definitions for all events and targets

Future targets:

• EventBridge Bus

• Other messaging platforms (e.g. Teams)

Scheduled Notifications (Summaries)

To receive scheduled summary notifications, such as critical security events and weekly metric roundups, specify a cron schedule, topics and targets.

The following example will send a summary notification every day at midnight UTC to the specified Slack channels and email addresses for the config-file-parser, dast-action and cli repositories:

scheduled_notifications:
  replace-with-your-notification-id:
    # define the cron schedule for triggering the notification
    schedule: "0 0 * * *"
    # define the topics to include in the summary
    topics:
      all: true
    # define the targets for the notifications
    targets:
      slack:
        channels: [ "123456" ]
      email:
        addresses: [ notifications@example.com, noreply@example.com ]
    # optional repositories filter
    repositories:
      - config-file-parser
      - dast-action
      - cli