Organization Preferences

Organization preferences let you define natural-language guidelines that Pixee applies across all repositories in your organization. Instead of configuring each repository individually, you can set baseline rules once and have them take effect everywhere.

Accessing Preferences

Select your organization from the top bar in the Pixee Platform UI, then navigate to Preferences. The preferences editor supports Markdown formatting and saves your changes immediately.

Writing Preferences

Write your preferences in Markdown. Pixee interprets the document with AI, so plain prose works well — you don't need to follow a rigid schema. Be specific, show code where you can, and explain why a preference exists. That context is what lets Pixee apply your guidance correctly to new findings.

Preferences influence two stages of analysis:

  • Triage — whether a finding is a real risk in your environment.
  • Remediation — how Pixee should fix a vulnerability when it does generate a fix.

You can also use preferences to enable or disable specific scanner rules for automated remediation.

Remediation guidance

Tell Pixee how your team prefers to fix specific vulnerability classes — approved libraries, internal utilities, idiomatic patterns. Code examples are the clearest signal.

## SQL Injection

When fixing SQL injection vulnerabilities, use Spring's
`NamedParameterJdbcTemplate` with named parameters (`:paramName`)
rather than positional placeholders (`?`). This is our team
standard and `spring-jdbc` is already on the classpath.

**Preferred:**
```java
// The value of `email` is bound by the driver; it is never concatenated into the SQL text.
NamedParameterJdbcTemplate jdbc = new NamedParameterJdbcTemplate(dataSource);
String sql = "SELECT * FROM users WHERE email = :email";
MapSqlParameterSource params = new MapSqlParameterSource("email", email);
return jdbc.query(sql, params, rowMapper);
```

## Cross-Site Scripting

For XSS in user-generated content, use `DOMPurify` for HTML
sanitization. Our editors need safe HTML formatting preserved,
so escaping alone isn't sufficient. Add `dompurify` and `jsdom`
to `package.json` if not already present.

**Preferred:**
```javascript
const createDOMPurify = require('dompurify');
const { JSDOM } = require('jsdom');

// DOMPurify needs a DOM to work with on the server; jsdom provides one.
const purify = createDOMPurify(new JSDOM('').window);

function sanitizeUserHtml(html) {
    // Everything outside this allowlist of tags and attributes is stripped.
    return purify.sanitize(html, {
        ALLOWED_TAGS: ['p', 'br', 'strong', 'em', 'ul', 'ol', 'li', 'a'],
        ALLOWED_ATTR: ['href', 'class']
    });
}
```

## Path Traversal

Use the internal `PathValidatorUtility` from
`DocumentManagement.Security` for any filesystem path that
incorporates user input. It has been audited by our security
team and enforces consistent path policy across services.

**Preferred:**
```csharp
string safePath = PathValidatorUtility.ValidatePathForRead(filename);
byte[] bytes = System.IO.File.ReadAllBytes(safePath);
```

Triage context

Give Pixee context about your deployment environment, compensating controls, or intentional patterns so it can decide whether a finding is a real risk in your code.

## Service Context

This is an internal microservice that is not exposed to the
internet. It runs behind our API gateway, which handles
authentication (OAuth 2.0 + JWT), rate limiting, request size
limits, and TLS termination. All callers are other internal
services using service accounts.

Findings about missing authentication, CSRF protection, or
request size validation at the controller level are lower
risk because those controls live at the infrastructure layer.

## SSRF Context

For SOC2 compliance, this application only makes outbound HTTP
requests to a fixed allowlist of pre-approved endpoints:

- `https://api.github.com/repos/`
- `https://hooks.slack.com/services/`
- `https://api.stripe.com/v1/`

Outbound URLs are validated against this allowlist at the
application layer before any request is made. URLs that do
not match an approved prefix are rejected.
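The allowlist check this preference describes is easy to get subtly wrong if it is a plain string-prefix comparison on the raw URL. The following Python is an added illustration (not Pixee's code and not from the page's project) of the kind of application-layer validation the preference refers to: it parses the URL and compares scheme, host, port and a normalized path against each approved prefix, which is the general form of the check rather than the specific prefixes alone. The allowlist entries are copied from the preference text; `naive_prefix_check` is included only to show why the parsed comparison is preferred.

```python
import posixpath
from urllib.parse import urlsplit

# Allowlist taken from the preference text above (constructed for this example).
ALLOWED_PREFIXES = (
    "https://api.github.com/repos/",
    "https://hooks.slack.com/services/",
    "https://api.stripe.com/v1/",
)


def naive_prefix_check(url: str, allowlist=ALLOWED_PREFIXES) -> bool:
    """String-prefix check: accepts '/repos/../admin' because the prefix matches textually."""
    return any(url.startswith(prefix) for prefix in allowlist)


def _normalize_path(path: str) -> str:
    # Collapse "." and ".." segments so the comparison does not depend on
    # whether the HTTP client or the remote server resolves dot segments.
    normalized = posixpath.normpath(path or "/")
    if path.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return normalized


def is_allowed_outbound_url(url: str, allowlist=ALLOWED_PREFIXES) -> bool:
    """Allow only https URLs whose host and normalized path match an approved prefix."""
    try:
        parts = urlsplit(url)
        host = parts.hostname          # lowercased, userinfo stripped
        port = parts.port              # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    if not host or port not in (None, 443):
        return False
    path = _normalize_path(parts.path)
    for prefix in allowlist:
        approved = urlsplit(prefix)
        if host == approved.hostname and path.startswith(approved.path):
            return True
    return False
```

The parsed form also accepts equivalent spellings that a string comparison rejects (an upper-case host, an explicit `:443`), so the allowlist stays readable while the decision is made on the components that actually determine where the request goes.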

## Cryptography Context

This service uses MD5 in two places, both intentional and
non-security-sensitive:

1. `src/cache/key_generator.py` — generating cache keys from
   request parameters. Collision resistance is not required.
2. `src/legacy/checksum.py` — verifying file integrity against
   checksums supplied by a third-party vendor that only
   provides MD5.

Findings about weak hashing in these files are expected. MD5
is not used for passwords, signatures, or authentication.

Enabling and disabling rules

You can tell Pixee to always remediate or never remediate specific scanner rules. Reference rules by tool name and rule ID for the best match.

## Rule Preferences

### Always fix
- Enable Sonar rule S2077 (SQL injection) — always remediate, even
  if triage might otherwise skip it.
- Enable CodeQL rule `javascript/sql-injection` for all SQL injection
  findings.

### Never auto-fix
- Disable CodeQL rule `java/hardcoded-credential` — we manage secrets
  through our vault integration; the "hardcoded" values are vault
  references resolved at deploy time.

Supported scanners include Sonar, CodeQL, Semgrep, Checkmarx, Snyk, GitLab SAST, Veracode, AppScan, Polaris, Trivy, Datadog SAST, and Fortify.

Tip

Start with a few high-impact rules and refine them over time. You can review how Pixee applies your preferences in the activity log for each repository.

When you first open the preferences editor, you'll see example content to help you get started. Replace it with rules tailored to your organization's standards and workflows.

How Preferences Are Applied

Pixee uses a single source of preferences for each analysis run. The following precedence rules determine which source is used:

  • Repo-level PIXEE.md takes priority when present. If a repository contains a PIXEE.md file, Pixee uses it and ignores organization preferences for that repository.
  • Organization preferences serve as the baseline for any repository that does not have its own PIXEE.md.
  • Empty PIXEE.md opts a repository out of organization preferences entirely. If you want a repository to have no preferences at all, commit an empty PIXEE.md file.

Info

There is no merging between sources. Pixee uses either the repo-level PIXEE.md or the organization preferences — never both. If you have requirements for merging preferences from multiple sources, please contact Pixee support.

Concurrent Editing

Organization preferences use optimistic locking to prevent silent overwrites. If another user saves changes while you are editing, you will see a conflict warning when you attempt to save. When this happens, refresh the page to load the latest version before making your changes again.
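To make the conflict behaviour concrete, here is an added, hypothetical implementation of optimistic locking for a single preferences document; it is not Pixee's code and makes no claim about how the platform stores preferences. Each load returns the content together with a version number, and a save succeeds only if the caller's version still matches the stored one. `simulate_two_editors` walks through the scenario the paragraph describes: two users load the same version, the first save wins, the second is rejected, and the second user reloads before reapplying the edit.

```python
import threading
from dataclasses import dataclass


class ConflictError(Exception):
    """Raised when the caller's version no longer matches the stored version."""


@dataclass(frozen=True)
class Snapshot:
    version: int
    content: str


class PreferencesStore:
    """Single-document store with optimistic locking (hypothetical, for illustration)."""

    def __init__(self, content: str = ""):
        self._lock = threading.Lock()   # serializes the compare-and-set below
        self._version = 1
        self._content = content

    def load(self) -> Snapshot:
        with self._lock:
            return Snapshot(self._version, self._content)

    def save(self, new_content: str, expected_version: int) -> Snapshot:
        # Compare-and-set: the write is applied only if nobody saved in between.
        with self._lock:
            if expected_version != self._version:
                raise ConflictError(
                    f"preferences changed: you loaded version {expected_version}, "
                    f"current version is {self._version}; reload before saving again"
                )
            self._version += 1
            self._content = new_content
            return Snapshot(self._version, self._content)


def simulate_two_editors():
    """Two editors start from the same version; returns (second editor's outcome, final snapshot)."""
    store = PreferencesStore("# Org preferences\n")
    alice = store.load()
    bob = store.load()                   # same version as alice

    # Alice saves first; her expected version matches, so the write succeeds.
    store.save(alice.content + "## SQL Injection\nUse NamedParameterJdbcTemplate.\n",
               alice.version)

    # Bob's save carries the stale version and is rejected instead of overwriting Alice.
    try:
        store.save(bob.content + "## XSS\nUse DOMPurify.\n", bob.version)
        bob_outcome = "saved"
    except ConflictError:
        bob_outcome = "conflict"

    # Bob refreshes, then reapplies his edit on top of the latest content.
    latest = store.load()
    final = store.save(latest.content + "## XSS\nUse DOMPurify.\n", latest.version)
    return bob_outcome, final


if __name__ == "__main__":
    outcome, snapshot = simulate_two_editors()
    print(outcome, snapshot.version)
    print(snapshot.content)
```

Without the version check, Bob's save would silently replace Alice's section with his own copy of the original; with it, the conflict surfaces at save time and both edits end up in the final document.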