
Configure

The Nullify config file can override various default configurations.

Repository configuration

Nullify can be configured on a per-repository basis by including a .nullify.yml file in the root of the repository.
This config file takes precedence over the global config file for any specific options which are defined. If config options aren't defined at the repo-level, the global defaults will be used.

Organization configuration

Nullify can be configured with global defaults that affect all repositories in an organization. To do so, create a .nullify.yml file in your organization's .github-private repository.

Config file options

The example .nullify.yml config file below contains all available options. We are continually expanding the config file options and will update this document regularly.
severity_threshold: medium
ignore_dirs:
  - dir1
ignore_paths:
  - data/**/*
notifications:
  all-events-webhook:
    events:
      all:
        minimum_severity: high
        secret_types: [ ssh_key ]
    targets:
      webhook:
        urls: [ https://example.com/123456 ]
  findings-to-slack-and-email:
    events:
      new_code_findings:
        minimum_severity: high
      new_secret_findings:
        types: [ ssh_key ]
      new_dependency_findings:
        minimum_severity: high
    targets:
      slack:
        channels: [ "123456" ]
      email:
    repositories:
      - config-file-parser
      - dast-action
      - cli
scheduled_notifications:
  new-findings:
    schedule: "0 0 * * *"
    topics:
      all: true
    targets:
      slack:
        channels: [ "123456" ]
      email:
    repositories:
      - config-file-parser
      - dast-action
      - cli
code:
  ignore:
    - cwes: [ 589 ] # Potential HTTP request made with variable url
      reason: HTTP requests with variables in tests don't matter
      paths: [ "**/tests/*" ]
      repositories:
        - config-file-parser
        - dast-action
        - cli
    - rule_ids: [ python-sql-injection ]
      reason: This code won't be going live until next year but we should fix it before then
      expiry: "2021-12-31"
dependencies:
  ignore:
    - cve: CVE-2021-1234
      reason: This is a false positive
    - cve: CVE-2021-5678
      reason: This isn't exploitable in client applications but we should update it eventually
      expiry: "2021-12-31"
      repositories:
        - dast-action
        - cli
secrets:
  ignore:
    - value: mocksecret123
      reason: This is a test secret, it has no access to anything
      paths: [ "**/tests/*" ]
    - pattern: id[0-9]+
      reason: These are not secrets, they are internal identifiers
    - value: actualsecret123
      reason: We can't remove this right now but we should
      expiry: "2021-12-31"
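A small validator for the options above, written as an added example (it is not Nullify's own code). It applies the precedence rule from the Repository and Organization configuration sections and then checks the things that silently weaken a config: an unknown severity_threshold, ignore entries without a reason, expiry dates that have already passed (the finding comes back), and secret patterns that are not valid regular expressions. The sample configs are constructed to mirror the page's example; the assumption that precedence works per top-level key (rather than as a deep merge) is labelled in the code.

```python
import datetime as dt
import re

# The four severity values the documentation allows, lowest first.
SEVERITIES = ["low", "medium", "high", "critical"]

# Constructed sample configs that mirror the example above; in practice they
# would be loaded from the organization's and the repository's .nullify.yml.
GLOBAL_CONFIG = {
    "severity_threshold": "medium",
    "ignore_dirs": ["dir1"],
    "dependencies": {"ignore": [
        {"cve": "CVE-2021-1234", "reason": "This is a false positive"},
        {"cve": "CVE-2021-5678",
         "reason": "This isn't exploitable in client applications but we should update it eventually",
         "expiry": "2021-12-31"},
    ]},
}
REPO_CONFIG = {
    "severity_threshold": "high",
    "secrets": {"ignore": [
        {"pattern": "id[0-9]+", "reason": "These are not secrets, they are internal identifiers"},
        {"value": "actualsecret123"},  # constructed: no reason given, should be flagged
    ]},
}


def effective_config(global_cfg, repo_cfg):
    """Apply the precedence rule from the text: a top-level option set in the
    repository file replaces the global one; anything unset falls back to the
    global default. (Assumption: precedence is per top-level key, not a deep merge.)"""
    merged = dict(global_cfg)
    merged.update(repo_cfg)
    return merged


def lint_config(cfg, today):
    """Return human-readable problems found in an effective config. `today` is
    an ISO date string so expired ignore entries can be spotted.

    Checks: severity_threshold is an allowed value; every ignore entry under
    code/dependencies/secrets carries a reason; expiry values are ISO dates
    and not already in the past; secret patterns compile as regexes."""
    today = dt.date.fromisoformat(today)
    problems = []
    threshold = cfg.get("severity_threshold", "medium")
    if threshold not in SEVERITIES:
        problems.append(f"severity_threshold {threshold!r} is not one of {SEVERITIES}")
    for section in ("code", "dependencies", "secrets"):
        rules = (cfg.get(section) or {}).get("ignore") or []
        for i, rule in enumerate(rules):
            where = f"{section}.ignore[{i}]"
            if not rule.get("reason"):
                problems.append(f"{where}: missing reason")
            expiry = rule.get("expiry")
            if expiry is not None:
                try:
                    when = dt.date.fromisoformat(str(expiry))
                except ValueError:
                    problems.append(f"{where}: expiry {expiry!r} is not a YYYY-MM-DD date")
                else:
                    if when < today:
                        problems.append(f"{where}: expired on {when}; the finding will be reported again")
            if section == "secrets" and "pattern" in rule:
                try:
                    re.compile(rule["pattern"])
                except re.error as exc:
                    problems.append(f"{where}: invalid pattern: {exc}")
    return problems


if __name__ == "__main__":
    for problem in lint_config(effective_config(GLOBAL_CONFIG, REPO_CONFIG), "2022-06-01"):
        print(problem)
```

Run against the constructed configs on 2022-06-01 it reports the expired CVE-2021-5678 entry and the secrets entry with no reason; the repository's severity_threshold of high wins over the global medium.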

Severity Threshold

You can specify the severity threshold of findings that should be reported and included in the Issues dashboards; findings at or above the threshold are reported. By default, medium and above is reported. You must select one of critical, high, medium or low.
severity_threshold: high

Ignore Directories

You can exclude specific directories in a repository from being scanned and reported on. By default, every directory is scanned.
ignore_dirs: ["data"]

Ignore Paths

You can also use globs to ignore specific files and paths from being scanned.
ignore_paths: ["tests/**", "**/*.py"]

Notifications

To receive notifications for Nullify events, specify the events, targets and repositories. The repositories list is only applicable in the global configuration file.
notifications:
  all-events-webhook:
    events:
      all:
        minimum_severity: high
        secret_types: [ ssh_key ]
    targets:
      webhook:
        urls: [ https://example.com/123456 ]
  findings-to-slack-and-email:
    events:
      new_code_findings:
        minimum_severity: high
      new_secret_findings:
        types: [ ssh_key ]
      new_dependency_findings:
        minimum_severity: high
    targets:
      slack:
        channels: [ "123456" ]
      email:
    repositories:
      - config-file-parser
      - dast-action
      - cli
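To make the filtering in the block above concrete, here is an added example (not Nullify's code) that routes a finding through a notifications config and returns which notification entries and targets fire. It assumes that `all` and the per-event keys each act as an independent match, that `minimum_severity` applies only to findings that carry a severity, that `types`/`secret_types` restrict secret findings, and that `email:` with no sub-keys is an enabled target; the finding dicts and the copy of the config are constructed for the example.

```python
# Severity levels, lowest first; used to apply minimum_severity filters.
SEVERITIES = ["low", "medium", "high", "critical"]

# Constructed copy of the notifications block above. 'email' has no sub-keys
# on the page, so it is treated as an enabled target with no settings (assumption).
NOTIFICATIONS = {
    "all-events-webhook": {
        "events": {"all": {"minimum_severity": "high", "secret_types": ["ssh_key"]}},
        "targets": {"webhook": {"urls": ["https://example.com/123456"]}},
    },
    "findings-to-slack-and-email": {
        "events": {
            "new_code_findings": {"minimum_severity": "high"},
            "new_secret_findings": {"types": ["ssh_key"]},
            "new_dependency_findings": {"minimum_severity": "high"},
        },
        "targets": {"slack": {"channels": ["123456"]}, "email": None},
        "repositories": ["config-file-parser", "dast-action", "cli"],
    },
}


def severity_at_least(severity, minimum):
    return SEVERITIES.index(severity) >= SEVERITIES.index(minimum)


def event_matches(filters, finding):
    """Apply one event entry's filters to a finding. minimum_severity applies
    to findings that carry a severity; types / secret_types applies to secret
    findings. An event key with no filters matches everything. (Assumptions:
    the page lists the filters but not how they interact.)"""
    filters = filters or {}
    minimum = filters.get("minimum_severity")
    if minimum and "severity" in finding and not severity_at_least(finding["severity"], minimum):
        return False
    allowed = filters.get("types") or filters.get("secret_types")
    if allowed and finding["event"] == "new_secret_findings" and finding.get("secret_type") not in allowed:
        return False
    return True


def route_finding(notifications, finding, repository):
    """Return the sorted (notification name, target kind) pairs that fire for
    a finding raised in `repository`. A notification with a repositories list
    (global config only) is limited to those repositories."""
    fired = []
    for name, cfg in notifications.items():
        repos = cfg.get("repositories")
        if repos and repository not in repos:
            continue
        events = cfg.get("events") or {}
        matched = (
            ("all" in events and event_matches(events["all"], finding))
            or (finding["event"] in events and event_matches(events[finding["event"]], finding))
        )
        if not matched:
            continue
        for target in (cfg.get("targets") or {}):
            fired.append((name, target))
    return sorted(fired)


if __name__ == "__main__":
    # Constructed findings: a high code finding in 'cli' reaches every target,
    # a medium dependency finding is below both thresholds.
    print(route_finding(NOTIFICATIONS, {"event": "new_code_findings", "severity": "high"}, "cli"))
    print(route_finding(NOTIFICATIONS, {"event": "new_dependency_findings", "severity": "medium"}, "cli"))
```

The repositories filter is what makes the second notification silent for a repository outside the list, while the webhook entry, which has no repositories key, still fires for an ssh_key secret anywhere in the organization.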

Scheduled Notifications (Summaries)

Coming soon
To receive scheduled summary notifications, such as critical security events and weekly metric roundups, specify a cron schedule, topics and targets.
The following example will send a summary notification every day at midnight UTC to the specified Slack channels and email addresses for the config-file-parser, dast-action and cli repositories:
scheduled_notifications:
  new-findings:
    schedule: "0 0 * * *"
    topics:
      all: true
    targets:
      slack:
        channels: [ "123456" ]
      email:
    repositories:
      - config-file-parser
      - dast-action
      - cli

Ignore CWEs (Code)

To allowlist specific CWEs or Rule IDs, add them to the ignore list. The repositories list is only applicable in the global configuration file.
code:
  ignore:
    - cwes: [ 589 ] # Potential HTTP request made with variable url
      reason: HTTP requests with variables in tests don't matter
      paths: [ "**/tests/*" ]
      repositories:
        - config-file-parser
        - dast-action
        - cli
    - rule_ids: [ python-sql-injection ]
      reason: This code won't be going live until next year but we should fix it before then
      expiry: "2021-12-31"

Developers can insert in-line comments to accept individual findings as false positives or accepted risks.
In the following example, the Nullify bot detects a potential vulnerability in a file changed in a pull request and comments on the lines where the issue is detected.
The reviewer of the pull request believes the vulnerability to be either a false positive or not relevant. They click the “Commit Suggestion” button the bot offers, which commits an ignore comment on the line directly above the potentially vulnerable code.
With the ignore comment inserted in-line, that single instance of SQL injection will no longer be reported as a finding by Nullify.
The pull request is ready to merge and Nullify posts a “Summary” comment on the PR stating clearly which risks were accepted and by whom.
Accept-risk events will also be consumable from the Nullify API, either by querying endpoints/webhook or via a URL/event stream.
Nullify's method of designating risks offers security teams:
  • The ability to accept risk with one click
  • Access control and audit log gated through the pull request (branch protection)
  • Pull request summary comment for a built-in historical log
  • API endpoint to consume whitelist events for reporting and metrics

Ignore CVEs (Dependencies)

To allowlist CVEs, add them to the ignore list. The repositories list is only applicable in the global configuration file.
dependencies:
  ignore:
    - cve: CVE-2021-1234
      reason: This is a false positive
    - cve: CVE-2021-5678
      reason: This isn't exploitable in client applications but we should update it eventually
      expiry: "2021-12-31"
      repositories:
        - dast-action
        - cli

Ignore Secrets

You can ignore specific secrets from being reported as findings by adding them to the ignore list, either as an exact value or as a pattern.
secrets:
  ignore:
    - value: yLryKGwcGc3ez9G8YAnjeYMQOc
      reason: This is a test secret, it has no access to anything

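The Ignore Directories and Ignore Paths sections and the code and secrets ignore lists all rely on the same two mechanics: glob matching against a file path and an optional expiry. The following added example (not Nullify's code) shows one way to evaluate them together, so a team can check offline which files and findings a given config would suppress. The glob semantics (`**` spans directories, `*` and `?` stay within one segment), the treatment of `ignore_dirs` as a directory name at any depth, and the whole-string match for `pattern` are assumptions; the page shows the patterns but not the exact rules. The rule lists are constructed from the examples on this page.

```python
import datetime as dt
import re


def glob_to_regex(pattern):
    """Compile a path glob into a regex. '**' matches across directory
    separators, '*' and '?' stay within one path segment. Assumption: this
    is how the ignore globs are interpreted."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")   # zero or more leading directories
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def path_ignored(path, ignore_dirs=(), ignore_paths=()):
    """True if the file is excluded from scanning by ignore_dirs (a directory
    name at any depth; assumption) or by an ignore_paths glob."""
    directories = path.split("/")[:-1]
    if any(d in directories for d in ignore_dirs):
        return True
    return any(glob_to_regex(g).match(path) for g in ignore_paths)


def rule_active(rule, today):
    """An ignore rule with an expiry stops applying after that date."""
    expiry = rule.get("expiry")
    return expiry is None or dt.date.fromisoformat(str(expiry)) >= dt.date.fromisoformat(today)


def _paths_match(rule, path):
    """A rule without 'paths' applies everywhere; otherwise one glob must match."""
    globs = rule.get("paths")
    return not globs or any(glob_to_regex(g).match(path) for g in globs)


def code_finding_ignored(finding, rules, today):
    """finding: {'cwe': int, 'rule_id': str, 'path': str}. Ignored when an
    active code.ignore rule lists its CWE or rule id and its paths match."""
    for rule in rules:
        if not rule_active(rule, today) or not _paths_match(rule, finding["path"]):
            continue
        if finding.get("cwe") in rule.get("cwes", []) or finding.get("rule_id") in rule.get("rule_ids", []):
            return True
    return False


def secret_ignored(secret, path, rules, today):
    """Ignored when an active secrets.ignore rule matches the secret exactly
    ('value') or as a whole-string regex ('pattern') and its paths match."""
    for rule in rules:
        if not rule_active(rule, today) or not _paths_match(rule, path):
            continue
        if rule.get("value") == secret:
            return True
        if "pattern" in rule and re.fullmatch(rule["pattern"], secret):
            return True
    return False


# Constructed rule lists mirroring the examples on this page.
CODE_RULES = [
    {"cwes": [589], "reason": "HTTP requests with variables in tests don't matter", "paths": ["**/tests/*"]},
    {"rule_ids": ["python-sql-injection"], "reason": "Fix before it goes live", "expiry": "2021-12-31"},
]
SECRET_RULES = [
    {"value": "mocksecret123", "reason": "This is a test secret, it has no access to anything", "paths": ["**/tests/*"]},
    {"pattern": "id[0-9]+", "reason": "These are not secrets, they are internal identifiers"},
    {"value": "actualsecret123", "reason": "We can't remove this right now but we should", "expiry": "2021-12-31"},
]
```

Two behaviours worth noticing: `pattern` is matched against the whole secret, so `id[0-9]+` suppresses `id12345` but not `id12345abc`, and an expired `value` rule reverts to reporting the secret on the day after its expiry, which is the point of setting one.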
© 2023 Nullify | All Rights Reserved.