Changelog

Jul 17, 2023

Container image scanning

Nullify will detect vulnerable base images referenced in container files and suggest alternative images with fewer (or lower-severity) vulnerabilities, so developers can act on image updates immediately and in priority order.

AI auto-fix for SAST improvements

We recently upgraded our models and have been working on verifying the correctness and quality of remediation suggestions: validated vulnerability fixes will include a green tick and a message confirming they work. The auto-fixes also contain AI-generated descriptions that give developers a better explanation of how to remediate the issue.

Nullify vulnerability prioritization score

To address alert fatigue we have introduced our own risk-based prioritization scoring system that aggregates:

  • CVSS

  • EPSS (Exploitability)

  • CISA KEV (Known Exploited Vulnerability)

The resulting "Nullify priority score" helps developers save time deciding what to fix first.
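To illustrate what a risk-based aggregation of these three signals looks like in practice, here is an added example (not Nullify's scoring logic, which this changelog does not publish). The weights, the 0-89 / 90-100 banding and the sample findings with EXAMPLE-* identifiers are all assumptions chosen for illustration; the one design rule worth copying is that a CISA KEV entry is a hard floor, so an actively exploited bug outranks any unexploited one regardless of its CVSS.

```python
"""Hypothetical risk-based prioritisation combining CVSS, EPSS and CISA KEV.

Added example; the formula below is an assumption, not Nullify's.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    cvss: float   # CVSS base score, 0.0 - 10.0
    epss: float   # EPSS probability of exploitation in the next 30 days, 0.0 - 1.0
    in_kev: bool  # listed in CISA's Known Exploited Vulnerabilities catalog


def priority_score(v: Vuln) -> float:
    """Return a 0-100 score; higher means fix sooner (assumed formula)."""
    if not (0.0 <= v.cvss <= 10.0) or not (0.0 <= v.epss <= 1.0):
        raise ValueError(f"out-of-range inputs for {v.vuln_id}")
    if v.in_kev:
        # KEV band: 90-100. Known-exploited findings always sit above the rest;
        # CVSS only orders them among themselves.
        return round(90.0 + v.cvss, 2)
    # Non-KEV band: 0-89. EPSS dominates because it predicts real-world
    # exploitation; CVSS still separates two equally likely-to-be-hit bugs.
    blended = 0.6 * v.epss + 0.4 * (v.cvss / 10.0)
    return round(89.0 * blended, 2)


def prioritize(vulns: list[Vuln]) -> list[str]:
    """Return vulnerability IDs ordered from most to least urgent."""
    ranked = sorted(vulns, key=lambda v: (priority_score(v), v.cvss), reverse=True)
    return [v.vuln_id for v in ranked]


# Constructed sample input (not real CVEs). Note that EXAMPLE-A has the
# highest CVSS but almost no exploitation signal, while EXAMPLE-C is a
# medium-severity bug that is actively exploited.
SAMPLE_VULNS = [
    Vuln("EXAMPLE-A", cvss=9.8, epss=0.02, in_kev=False),
    Vuln("EXAMPLE-B", cvss=7.5, epss=0.85, in_kev=False),
    Vuln("EXAMPLE-C", cvss=6.1, epss=0.10, in_kev=True),
    Vuln("EXAMPLE-D", cvss=5.3, epss=0.01, in_kev=False),
]

if __name__ == "__main__":
    for v in sorted(SAMPLE_VULNS, key=priority_score, reverse=True):
        print(f"{v.vuln_id}: {priority_score(v):6.2f}")
    print("fix order:", prioritize(SAMPLE_VULNS))
```

Run as a script, the sample ranks EXAMPLE-C (KEV) first, then EXAMPLE-B (high EPSS), and pushes the CVSS 9.8 finding to third place; a CVSS-only sort would have put it first.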

Metrics digest

Nullify can now be configured to send a weekly cross-org snapshot of your DevSecOps posture, including trends over time and other insights.

Jun 19, 2023

Nullify configuration: Ignore files

You can now use globs to ignore specific files and paths from being scanned.
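The changelog does not document the configuration syntax, so the following is an added example of the matching semantics a practitioner should verify before trusting an ignore list: patterns are assumed to be matched against the full repository-relative path, a single `*` does not cross a directory separator, and only `**` does. The pattern list and file paths are constructed for illustration, and none of this is Nullify's own implementation.

```python
"""Glob-based ignore matching for scan paths (added example, assumed semantics).

Rules implemented here (an assumption, not Nullify's documented behaviour):
  *     matches any run of characters except '/'
  ?     matches a single character except '/'
  **/   matches zero or more leading directories
  **    anywhere else matches anything, including '/'
Patterns are anchored to the repository root.
"""
import re


def glob_to_regex(pattern: str) -> re.Pattern:
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            if pattern.startswith("**/", i):
                out.append("(?:.*/)?")   # zero or more directory components
                i += 3
            elif pattern.startswith("**", i):
                out.append(".*")          # crosses directory boundaries
                i += 2
            else:
                out.append("[^/]*")       # single segment only
                i += 1
        elif c == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(c))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def is_ignored(path: str, patterns: list[str]) -> bool:
    """True if the repo-relative path matches any ignore glob."""
    rel = path.lstrip("/")
    return any(glob_to_regex(p).match(rel) for p in patterns)


def files_to_scan(paths: list[str], patterns: list[str]) -> list[str]:
    """Return the paths that survive the ignore list, in input order."""
    return [p for p in paths if not is_ignored(p, patterns)]


# Constructed sample: a hypothetical ignore list and a set of repo paths.
IGNORE_GLOBS = ["tests/**", "**/*.min.js", "vendor/*", "docs/?.md"]
SAMPLE_PATHS = [
    "app/db.py",
    "tests/unit/test_db.py",     # ignored by tests/**
    "static/js/app.min.js",      # ignored by **/*.min.js
    "app.min.js",                # ignored by **/*.min.js (zero directories)
    "vendor/a.go",               # ignored by vendor/*
    "vendor/lib/b.go",           # NOT ignored: '*' does not cross '/'
    "docs/a.md",                 # ignored by docs/?.md
    "docs/ab.md",                # NOT ignored: '?' is one character
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{'skip' if is_ignored(p, IGNORE_GLOBS) else 'scan':4}  {p}")
```

The two "NOT ignored" lines are the ones that usually surprise people: `vendor/*` silently leaves nested vendored code in scope, so an ignore list intended to exclude a whole tree needs `vendor/**`.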

Mar 3, 2023

Automatic Issue generation for Code Scanning (SAST) findings

Nullify now creates an Issues "dashboard" in each repository that contains a summary of detected vulnerabilities. One Issue is created for each language in which Nullify detected potential vulnerabilities; you can use these dashboards to view high-level repository health metrics.

Software Composition Analysis (SCA)

Dependencies declared in the following manifest files are now scanned for vulnerabilities when they change in a Pull Request:

  • Gemfile (Ruby)

  • package.json (npm)

  • requirements.txt (Python)

  • go.mod (Golang)

Pull Request comments and Issues dashboards with vulnerability advice are now created, including detailed annotations and the recommended upgrade version that fixes each vulnerability.

Auto-resolving comments

Nullify now automatically resolves PR comments once you push fixes for the findings.

Improvements to PR comments

Comments now link to relevant external documentation explaining the potential vulnerability or misconfiguration detected. They also reference the CWE ID and have improved formatting for better readability.

SAST: New language support

  • Java

  • Kubernetes manifest files

Bug Fixes

  • Fixed: Bandit running on test files

  • Fixed: Dockerfile scan repeated comments

  • Fixed: Completing GitHub check-runs when scans fail

  • Fixed: Duplicate comments on PRs

  • Fixed: Scans re-running when the title of the PR is changed

Feb 1, 2023

Language detection with multiple analyzers

Code scanning now uses a curated set of analyzers per language, with duplicate findings filtered out using CWE IDs.
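Running several analyzers per language (the changelog names Bandit and Semgrep elsewhere) means the same bug is often reported twice. The block below is an added example of the de-duplication step, not Nullify's implementation: it keys findings on (path, line, CWE ID) rather than on CWE ID alone, since two different bugs on different lines can legitimately share a CWE, and when two tools agree it keeps the higher severity and records every tool that flagged it. The finding list is constructed for illustration.

```python
"""Merge overlapping SAST findings from multiple analyzers (added example).

Assumed dedup key: (path, line, cwe). This is an illustration, not the
vendor's logic; the sample findings below are constructed.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    tool: str
    path: str
    line: int
    cwe: str       # e.g. "CWE-89"
    severity: str  # key of SEVERITY_RANK
    message: str


@dataclass
class MergedFinding:
    path: str
    line: int
    cwe: str
    severity: str
    tools: tuple[str, ...]
    message: str


def dedupe(findings: list[Finding]) -> list[MergedFinding]:
    """Collapse findings that share a location and CWE into one record."""
    merged: dict[tuple[str, int, str], MergedFinding] = {}
    for f in findings:
        if f.severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {f.severity!r} from {f.tool}")
        key = (f.path, f.line, f.cwe)
        if key not in merged:
            merged[key] = MergedFinding(f.path, f.line, f.cwe, f.severity, (f.tool,), f.message)
            continue
        m = merged[key]
        # Two analyzers agreeing is a stronger signal; keep the worst severity
        # and the message from the tool that rated it highest.
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[m.severity]:
            m.severity, m.message = f.severity, f.message
        if f.tool not in m.tools:
            m.tools = tuple(sorted(m.tools + (f.tool,)))
    # Stable output order makes PR comments deterministic across re-runs.
    return sorted(merged.values(), key=lambda m: (m.path, m.line, m.cwe))


# Constructed sample: two tools flag the same SQL-injection sink on one line,
# plus an unrelated command-injection finding on the same line and an XSS
# finding elsewhere.
SAMPLE_FINDINGS = [
    Finding("semgrep", "app/db.py", 42, "CWE-89", "HIGH", "string-built SQL query"),
    Finding("bandit", "app/db.py", 42, "CWE-89", "MEDIUM", "possible SQL injection"),
    Finding("semgrep", "app/views.py", 10, "CWE-79", "MEDIUM", "unescaped template output"),
    Finding("bandit", "app/db.py", 42, "CWE-78", "HIGH", "subprocess with shell=True"),
]

if __name__ == "__main__":
    for m in dedupe(SAMPLE_FINDINGS):
        print(f"{m.path}:{m.line} {m.cwe} {m.severity} via {','.join(m.tools)}: {m.message}")
```

On the sample, four raw findings become three comments; the CWE-89 entry on line 42 is reported once, at HIGH, attributed to both tools, while the CWE-78 entry on the same line is correctly kept separate.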

SAST: New language support

  • Ruby

Bug Fixes

  • Fixed: Trivy Dockerfile findings

  • Fixed: Fine-tuned string interpolation regex rule in Semgrep

  • Fixed: Edge cases with scans hanging

  • Fixed: Scans re-triggering when the title of the PR is updated

  • Fixed: CloudFormation comments outside of the PR diff


© 2023 Nullify | All Rights Reserved.