Changelog
Jul 17, 2023
Container image scanning
Nullify will detect vulnerable base images found in container files and suggest alternative images with fewer (or lower-severity) vulnerabilities, so developers can take immediate, prioritized action on image updates.
AI auto-fix for SAST improvements
We recently upgraded our models and have been working on verifying the correctness and quality of remediation suggestions; validated vulnerability fixes will include a green tick and a message confirming they work. The auto-fixes also contain AI-generated descriptions that give developers better explanations of how to remediate the issue.
Nullify vulnerability prioritization score
To address alert fatigue we have introduced our own risk-based prioritization scoring system that aggregates:
CVSS
EPSS (Exploitability)
CISA KEV (Known Exploited Vulnerability)
The "Nullify priority score" derived from these inputs helps developers save time figuring out what to fix first.
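The three inputs above can be combined in many ways. As an added illustration (not Nullify's own formula, whose weights this page does not publish), the Python below blends CVSS severity with EPSS exploitation likelihood, gives CISA KEV entries a floor so they are never buried, and sorts a set of constructed sample findings; note how the blended order differs from a plain CVSS ranking:

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    id: str        # package or image identifier (constructed sample values below)
    cvss: float    # CVSS base score, 0.0-10.0
    epss: float    # EPSS probability of exploitation in the next 30 days, 0.0-1.0
    in_kev: bool   # listed in CISA's Known Exploited Vulnerabilities catalog


def priority_score(f: Finding) -> float:
    """Illustrative blend; the weights are an assumption for this example."""
    severity = f.cvss / 10.0
    # EPSS is heavily skewed toward zero: treat 0.1 (10%) or more as "likely".
    likelihood = min(f.epss / 0.1, 1.0)
    # Half the score is raw severity, half is severity discounted by likelihood.
    score = 100.0 * (0.5 * severity + 0.5 * severity * likelihood)
    if f.in_kev:
        # Confirmed in-the-wild exploitation is actionable whatever CVSS/EPSS say.
        score = max(score, 90.0)
    return round(score, 1)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest priority first."""
    return sorted(findings, key=priority_score, reverse=True)


# Constructed sample findings, not real advisory data.
SAMPLE_FINDINGS = [
    Finding("A", cvss=9.8, epss=0.002, in_kev=False),  # critical but rarely exploited
    Finding("B", cvss=7.5, epss=0.45, in_kev=True),    # high, widely exploited, in KEV
    Finding("C", cvss=5.3, epss=0.35, in_kev=False),   # medium but very likely exploited
    Finding("D", cvss=9.1, epss=0.04, in_kev=False),   # critical, moderately likely
]


def prioritized_ids(findings: List[Finding] = SAMPLE_FINDINGS) -> List[str]:
    return [f.id for f in prioritize(findings)]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.id}: priority {priority_score(f):5.1f} (CVSS {f.cvss}, EPSS {f.epss}, KEV {f.in_kev})")
```

A CVSS-only ranking would put A first and B third; the blended score moves the KEV-listed B to the top and drops the rarely exploited A to last.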
Metrics digest
Nullify can now be configured to send a weekly cross-org snapshot of your DevSecOps posture, including trends over time and other insights!
Jun 19, 2023
Nullify configuration: Ignore files
You can now use globs to ignore specific files and paths from being scanned.
Mar 3, 2023
Automatic Issue generation for Code Scanning (SAST) findings
Nullify now creates an Issues "dashboard" in each repository that contains a summary of detected vulnerabilities. An Issue is created for each language in which Nullify detected potential vulnerabilities; you can use these dashboards to view high-level repository health metrics.
Software Composition Analysis (SCA)
Your dependencies in the following types of files will now be scanned for vulnerabilities if changed in Pull Requests:
Gemfile (Ruby)
package.json (npm)
requirements.txt (Python)
go.mod (Golang)
Pull Request comments and Issues dashboards with vulnerability advice are now created, with detailed annotations and recommended upgrade versions to fix the vulnerabilities.
Auto-resolving comments
Nullify now automatically resolves PR comments after you've pushed up fixes for findings.
Improvements to PR comments
Comments now link to relevant external documentation with an explanation for the potential vulnerability or misconfiguration detected. They now reference the CWE ID and have improved formatting for better readability.
SAST: New language support
Java
Kubernetes manifest files
Bug Fixes
Fixed: Bandit running on test files
Fixed: Dockerfile scan repeated comments
Fixed: Completing GitHub check-runs when scans fail
Fixed: Duplicate comments on PRs
Fixed: Scans re-running when the title of the PR is changed
Feb 1, 2023
Language detection with multiple analyzers
Code scanning now uses a curated set of analyzers per language, with duplicate findings filtered out using CWE IDs.
SAST: New language support
Ruby
Bug Fixes
Fixed: Trivy Dockerfile findings
Fixed: Fine-tuned string interpolation regex rule in Semgrep
Fixed: Edge cases with scans hanging
Fixed: Scans re-triggering when the title of the PR is updated
Fixed: CloudFormation comments outside of the PR diff