2026-04
LLM security scanning, custom sources & sinks, rule packs, playbooks, and enhanced exports
  • SAST: New LLM Security vulnerability category detects OWASP LLM Top 10 issues including prompt injection, insecure output handling, system prompt leakage, and excessive agency, with conservative severity scoring.
  • SAST: Custom source and sink declarations are now fully integrated into the core scanning pipeline — prepared at scan start and evaluated in the same pre-screen and deep inspection passes as built-in detections.
  • SAST: Intra-run deduplication automatically collapses duplicate findings discovered by parallel AI models at overlapping code locations into a single canonical entry.
  • SAST: Severity pre-screening now applies to all SAST candidates (not just source-scan discoveries), reducing scan time and noise.
  • SAST: Cross-source deduplication uses file-boundary chunking so a failure in one chunk no longer discards all dedup results across the scan.
  • Platform: New Custom Sources & Sinks management page with dedicated tabs for custom sources, custom sinks, and a library of curated source and sink packs that can be enabled with one click.
  • Platform: Rule Packs tab added to the Rules page for browsing and enabling pre-built rule bundles covering privacy, compliance, and policy checks.
  • Platform: Agent Playbooks tab added to the AI AppSec Assistant dashboard for activating, pausing, and managing pre-built security automation workflows.
  • Platform: Enhanced issue export dialog with format selection (CSV, CASA CSV, SARIF), granular filter overrides for severity, category, and status, live export preview count, and optional SARIF toggles for preconditions and exploit walkthrough context.
  • Platform: Custom source and sink badges now appear on source and sink nodes in the data flow visualization, with clickable links to view or edit the declaration.
  • Platform: False positive context requirement can now be enforced per-team — team members must provide justification when marking findings as false positive.
  • Platform: Minified and long-line files are now handled gracefully during scanning, with truncated snippets for AI analysis while preserving full code in the UI.
  • Platform: IaC findings with incorrect relative file paths are automatically corrected by searching the repository for the correct file.
  • SCA: CVE Alerts table now shows an “Affected repositories” column displaying which repositories contain the vulnerable package, with expandable detail view for multi-repo alerts.
  • Scanning: PR scans now handle orphan branches and force-pushed histories by falling back to direct tree comparison instead of failing.
  • Integrations: Slack channel picker now supports search — type to filter channels by name instead of scrolling through a paginated list. Channels also load lazily for better performance.
  • Integrations: Editing notification groups now validates saved Slack channels against the current workspace and warns about archived, deleted, or removed channels.
  • API: Six new webhook event types: PATCH_PR_DENIED, VULNERABILITY_STATUS_CHANGED, SCA_SCAN_COMPLETE, SCA_SCAN_STARTED, SCA_SCAN_FAILED, and REPO_ADDED.
  • API: VULNERABILITY_STATUS_CHANGED fires for all triage actions (archive, unarchive, true positive, false positive, resolve, unresolve) from the dashboard, API, and AI agent.
  • API: New Custom Sources, Custom Sinks, Custom Source Packs, Custom Sink Packs, and Rule Packs API endpoints for programmatic management of security declarations and rule bundles.
  • API: Issue data flow details now include custom source and custom sink declaration names and descriptions when a finding matches a user-defined declaration.
  • Bug Fixes: Scan retry resilience improved — batch operations that hit constraint violations now retry individually instead of failing the entire batch.
  • Bug Fixes: Patch PR denied and vulnerability status change notifications now fire correctly across GitHub, GitLab, and Bitbucket.
2026-04
Playbooks, issue comments, PR cleanup, custom rules auto-apply, and scan reliability
  • Platform: AI Assistant Playbooks let you install pre-built, parameterized workflows that self-configure triggers, schedules, and memory. Automate triage routines, compliance checks, alert routing, and other multi-step security tasks without manual setup.
  • Platform: Issue comments allow developers and security teams to document triage decisions, capture fix reasoning, and maintain an audit trail directly on findings. Comments are visible in the issue timeline and synced when status changes arrive from Jira and Linear.
  • Platform: Custom rules and policies now automatically apply to newly onboarded repositories. When a repo is added, all org-level rules take effect immediately without manual association.
  • Platform: Organizations can now require developers to provide context when marking a finding as a false positive. This is configurable as an org-level toggle and enforced across the dashboard and integrations.
  • Platform: You can now provide additional context when requesting a retriage of a finding from the dashboard, the MCP server, or the API. Context is passed to the scanner to guide the re-evaluation.
  • Scanning: When a developer pushes a fix for a flagged finding in a PR, ZeroPath now automatically resolves the review comment thread and updates the finding status in the dashboard.
  • Scanning: PR rescans can now be triggered directly from GitHub by re-running the ZeroPath check from the checks page.
  • Scanning: PR scans for superseded commits are now automatically cancelled on GitLab and Bitbucket, matching the existing behavior on GitHub. Only the latest commit in a PR is scanned.
  • Integrations: PR comments now support custom footer links and an auto-generated vulnerability summary. Teams can add links to internal wikis and documentation directly in the PR comment, and each finding includes a plain-language explanation of why it matters.
  • Integrations: The Slack channel picker now supports search and alphabetical sorting when configuring notification groups.
  • Integrations: When an issue is closed in Jira or Linear, ZeroPath now captures the closure reason and stores it as context on the finding.
  • SCA: SCA vulnerability alerts can now be routed to per-org webhook endpoints, enabling direct integration with Microsoft Teams, Slack, and other notification systems.
  • SCA: SBOM exports now support the latest CycloneDX and SPDX specification versions.
  • Developer Tools: The ZeroPath MCP server now returns patch and remediation metadata alongside vulnerability details, so AI agents in Cursor, VS Code, and other tools can access fix suggestions directly.
  • Bug Fixes: Full scans now produce consistent results across repeated runs on unchanged code, with independent caching per model and improved deduplication.
  • Bug Fixes: Scheduled full scans now recover correctly when a prior scan was interrupted, preventing them from being permanently blocked.
  • Bug Fixes: PR scan results now display reliably in the repository view.
  • Bug Fixes: Marking issues as false positive now works correctly in all cases.
  • Bug Fixes: PR scan workers now enforce a concurrency cap to prevent resource contention under high load.
2026-04
Smarter SCA remediation, org-wide rules, resolved status, and API enhancements
  • SCA: Maven parent POM dependencies are now extracted from <dependencyManagement> sections in multi-module projects, improving manifest coverage for centralized version management.
  • SCA: Smarter upgrade version selection uses a two-pass strategy — first seeking a zero-CVE version, then falling back to the nearest version that fixes the specific vulnerability without introducing new ones, avoiding impractical major-version jumps.
  • SCA: Fix suggestions for npm transitive dependencies now validate that the recommended parent upgrade actually resolves the vulnerable transitive version.
  • Platform: You can now mark issues as “Resolved” directly from the issue action menu, with optional context explaining the resolution. Bulk “Resolved” action is also available when selecting multiple issues.
  • Platform: Issue triage actions (mark as false positive, accepted risk, true positive, or resolved) now apply immediately without a confirmation dialog, streamlining the workflow.
  • Platform: Resolving an issue now automatically clears any silenced state on that issue.
  • Platform: Custom rules and repository context with “Select All” scope now automatically apply to repositories added in the future, not just currently visible ones.
  • Platform: Rules and context list views display “All Repositories” for org-wide items instead of a numeric count.
  • Platform: First-time repository scans now display an “Indexing” status to indicate initial analysis is in progress.
  • Platform: Scan explorer shows a “Standalone Findings” node for findings not linked to a specific source, displayed in their own section below source-grouped results.
  • Platform: Deprovisioned members now display an “Inactive” badge on the members settings page, with role editing and removal disabled.
  • Integrations: Jira issue export now automatically retries without the epic link when the selected issue type does not support parent links, preventing export failures.
  • Integrations: Reconnecting a Jira integration automatically cleans up stale webhooks before creating new ones.
  • Integrations: Disconnecting a Linear integration now properly cleans up associated webhooks.
  • API: Issues and SCA API responses now include remediation and patch metadata (validation status, PR link, proposed diff) when a fix exists.
  • API: Rules API supports allRepositories as a first-class field for scoping rules org-wide, mutually exclusive with repositoryIds.
  • Bug Fixes: Scan retry resilience improved — interrupted scans now detect previously persisted results and resume from where they left off, with batched operations for large repositories.
  • Bug Fixes: Queued scans are gracefully cancelled when a VCS integration is disconnected, instead of producing error alerts.
2026-04
AI AppSec Assistant, CVSS 3.1 scoring, branch-scoped scanning, and expanded API
  • Platform: AI AppSec Assistant (early access) with a dedicated dashboard featuring Overview, Activity, Chat, Schedules, Triggers, Memory, and Settings tabs. Includes Jira, Confluence, and Linear integrations, custom MCP server installation, and Slack thread control (cancel, replace, amend).
  • Platform: New event trigger types for the AI Assistant: PR Merged with Issues, Vulnerability Patched, Vulnerability Reopened, Long Running Scan, Report Complete, Scan Started, PR Scan Started, Scan Scheduled, and Audit Log Event. Multiple triggers per event type with repo/tag scoping.
  • Platform: Branch-scoped full scan deduplication ensures each branch maintains independent issue lifecycle. Branch filter dropdowns added to the Issues and Scans tabs.
  • Platform: Per-branch scan scheduling with support for multiple schedules per repository. Bulk scheduling warns when repositories have multiple schedules.
  • Platform: Scan explorer upgraded with repository and scan navigation dropdowns, SCA manifest file nodes, and improved filter labels. No longer marked as deprecated.
  • Platform: Per-issue AI chat assistant embedded in the issue detail view for questions about exploitation, fixes, and reachability.
  • Platform: Scanner setting toggles now show whether values are inherited from org/tag defaults or explicitly set at the repo level.
  • Platform: Codex-enhanced differential scanning now enabled by default. Manual scans prioritized over scheduled scans in the processing queue.
  • Platform: Shai Hulud Impact report type added to reports. Custom report filters now include Repository Name, Branch, and Tag fields.
  • Platform: Agent permissions (View, Manage, Run) added to team settings.
  • SAST: CVSS 3.1 scores now generated alongside CVSS 4.0 for all findings, with automatic backfill for older findings. Security impact labels (e.g., “Account Takeover”) displayed in issue headers.
  • SAST: Multiple CWE identifiers can now be assigned per finding instead of at most one. File path validation prevents hallucinated paths in findings.
  • SAST: Differential scan planning classifies changed files into code vs. dependency categories and selects the minimal scan strategy. Dependency manifest changes trigger fresh SCA even when no code files changed.
  • SAST: PR bot now falls back to AI-powered natural language replies when @-mentions don’t match structured commands. Prompt injection attempts are automatically blocked.
  • SAST: PR review threads are now natively resolved (GitHub/GitLab/Bitbucket) when findings are no longer detected, preserving original comment text.
  • SCA: Cross-package advisory filtering reduces false positives by only raising findings relevant to the specific package in your dependency graph.
  • SCA: Smarter CVE alerting skips metadata-only advisory updates and uses a circuit breaker to prevent one failed advisory from blocking the queue.
  • SCA: Advisory search now accepts titles and CVE identifiers in addition to GHSA identifiers. Issue headers show clickable links to both the advisory source and associated CVE.
  • SCA: Broader ecosystem version comparison: Hex, Pub, and SwiftURL now use semver; CRAN and Hackage use Maven-style comparison.
  • Secrets: AI-powered validation now shared across all detection engines with three validation states: Confirmed, Disconfirmed, and Unknown.
  • Integrations: Confluence integration added via existing Jira/Atlassian connection — enable with one click from integrations settings.
  • Integrations: Jira auto-ticketing now supports grouping issues under an epic, with epic selection available for all issue types.
  • Integrations: Merge notifications now include all confirmed findings carried forward through the deduplication system.
  • API: New AI Assistant API with full management of conversations, jobs, schedules, triggers, and memory. Real-time SSE streaming for job output.
  • API: New semantic search endpoints for vulnerabilities and application endpoints using natural language queries.
  • API: New endpoints: scan start/cancel, scan schedule management with branch targeting, repository add-by-URL and delete, organization member management.
  • API: organizationId now optional on most V2 endpoints — auto-resolved from the API token.
  • API: New webhook event types: SCA_NEW_CVE and INBOUND_WEBHOOK.
  • Bug Fixes: SBOM generation jobs now auto-update status even if the dialog is closed. Go pseudo-versions excluded from version comparisons to prevent false negatives.
2026-03
Custom reports, fix verification, V2 API expansion, and inbound webhooks
  • Platform: Custom Reports dashboard with interactive charts (severity distribution, MTTR, top vulnerability classes, issue trends), a chip-based filter bar with 14 filterable fields, six preset report templates, and the ability to save and share filter configurations.
  • Platform: New Assets tab in Reports provides a dedicated view of organization assets alongside the existing Views, Generate, and History tabs.
  • Platform: Custom Report permissions (View, Create, Delete) added to team settings for granular access control.
  • SAST: Fix verification allows you to reference ZeroPath issues in PR descriptions using ZP-ID: syntax or dashboard URLs. ZeroPath checks whether the referenced issues are resolved by the PR and reports results in a PR comment and a dedicated check status.
  • SAST: @bot retriage on PRs with fix verification references now re-runs fix verification instead of the standard investigation flow.
  • Platform: @ZeroPath is now accepted as a universal bot alias in PR comments, in addition to the configured bot username and @zeropath-ai.
  • Platform: PR scan summary comments are now enabled by default for both scans with findings and clean scans.
  • API: New V2 API endpoints for semantic search across vulnerabilities and detected endpoints, SCA vulnerability listing, report generation, and custom report management (CRUD and filter schema discovery).
  • API: New V2 Agent API with endpoints for patch management, PR creation, authenticated repo clone URLs, event triggers (including inbound webhooks), and global agent instructions.
  • API: Inbound webhook triggers allow external systems to invoke agent actions via unique webhook URLs.
  • API: Custom report statistics endpoint returns aggregated metrics including severity distribution, top vulnerability classes, MTTR, and new/resolved trends.
  • Bug Fixes: Fix verification now supported on Bitbucket and GitLab in addition to GitHub.
  • Bug Fixes: PR scans skipped by the relevance check are now correctly excluded from incremental refresh baselines.
2026-03
Azure DevOps PR scanning, SBT support, preconditions, bot commands, and more
  • SAST: Exploitability preconditions now surface deployment-context factors (WAFs, network exposure, auth middleware) that may affect whether a finding is exploitable, with expandable per-precondition evidence in the issue detail view.
  • SAST: AI validation pass now detects and removes duplicate findings describing the same root cause at overlapping code locations before results are stored. Deduplication automatically batches high-volume files and runs a cross-batch pass for reliable results regardless of finding count.
  • SAST: Deep codebase analysis can now follow extended call chains and complex cross-file data flows for more thorough vulnerability detection.
  • SAST: PR scan deduplication is now scoped to full scan baselines and same-PR rescans, preventing cross-branch finding contamination. Scans skipped due to non-security-relevant diffs are excluded from refresh baselines.
  • SAST: Contributor attribution and code locations are automatically refreshed when existing findings are re-detected in subsequent scans.
  • SCA: SBT (Scala) transitive dependency support with lockfile parsing and automatic sandbox fallback when no lockfile is present.
  • SCA: SBT auto-remediation creates version bump PRs for vulnerable dependencies in build.sbt files.
  • SCA: SCA findings now include exploitability preconditions consistent with other finding types.
  • Platform: Azure DevOps added as a supported platform for PR scanning.
  • Platform: PR summary comment settings split into separate controls for scans that find issues and clean scans.
  • Platform: PR summary comments now display exact issue counts and limit inline display to the top 10 findings with a link to the full dashboard.
  • Platform: Bot commands added for PR comments: @bot rescan to trigger a PR rescan and @bot retriage for deeper AI re-investigation of findings. Bot responses update in-place instead of posting new comments.
  • Platform: Marking an issue as false positive or resolved now automatically resolves the corresponding inline PR comment threads on GitHub, GitLab, and Bitbucket.
  • Platform: Dashboard overview statistics redesigned with four key metrics: Total Open, Total Resolved, Avg PR Scan Time, and Mean Time To Resolve with trend indicators.
  • Platform: Detailed vulnerability info toggle added to PR scan settings for controlling the level of detail shown in PR comments.
  • IaC: IaC findings now include exploitability preconditions and supporting evidence.
  • API: New POST /scans/rescanPR endpoint to trigger a rescan of a previously scanned PR via the API.
  • API: New POST /api/v2/issues/requestInvestigation endpoint for on-demand re-evaluation (non-empty issueIds array; optional context). Use one ID for a single-issue investigation.
  • API: Issue detail API response now includes structured preconditions with conditions and evidence.
  • Developer Tools: MCP server updated with scans.rescanPR tool for triggering PR rescans.
  • Bug Fixes: Improved Go module version matching for v-prefix and +incompatible suffix handling in SCA vulnerability linking.
  • Bug Fixes: Custom rules documentation clarified to note they are evaluated during full scans.
2026-03
Reachability analysis, investigations, CI/CD scanning, and more
  • SAST: On-demand investigation allows deeper AI re-evaluation of findings, available from the issue detail view, in bulk, and via the API and MCP server.
  • SAST: Each confirmed finding now includes step-by-step exploitation steps and a mandatory data flow path for exploitable vulnerabilities.
  • SAST: Secondary AI validation pass reviews all true-positive findings before recording, filtering non-exploitable results and correcting inaccurate details.
  • SAST: Three-tier regression detection pipeline uses deterministic fast-path, structured diff review, and deep-agent escalation for faster and more accurate rescans.
  • SAST: Smart rescans now resolve issues by exact line range per file, preventing incorrect resolution of findings that are still present.
  • SAST: Findings where exploitability cannot be determined are now categorized as “Informational” instead of “Non-Exploitable.”
  • SAST: AL (Business Central) added to supported languages.
  • SCA: Reachability analysis determines whether vulnerable code paths are actually called in your application, with per-package reachability status and filtering. Reachability defaults to “unknown” until analysis completes, preventing false “reachable” statuses.
  • SCA: Findings now link back to the original manifest file and line number where a dependency was declared, rather than the lockfile.
  • SCA: Compiled asset scanning detects packages embedded in JARs, WARs, Python wheels, and other binary artifacts.
  • SCA: Haskell (Hackage) and R (CRAN) ecosystems added; CocoaPods removed.
  • SCA: New filters for ecosystem, package reachability, source type (manifest vs. compiled), and info severity level.
  • SCA: Multi-hop transitive dependency resolution walks up to 5 hops to find the nearest upgradable direct dependency.
  • SCA: Remediation instructions provided for unpatchable findings when no safe version exists.
  • SCA: Gradle version catalog support with line-level tracking in build files, PEP 621 pyproject.toml, and Poetry 1.2+ group dependencies now parsed.
  • SCA: SBOM generation no longer requires a prior SCA scan.
  • Secrets: Multi-engine secrets detection with automatic cross-engine deduplication for broader coverage.
  • IaC: GitHub Actions workflow security scanning for CI/CD pipeline misconfigurations.
  • Platform: Integrations settings page redesigned with a master-detail sidebar layout.
  • Platform: Differential scanning mode uses AI-powered analysis for small code changes instead of re-running the full pipeline.
  • Platform: Identical-commit carry-forward skips re-scanning when the commit and settings are unchanged.
  • Platform: PR scans can now auto-resolve previously reported issues determined to be false positives.
  • Platform: PR comment visibility threshold renamed and shown conditionally when PR comments are enabled.
  • Platform: History cutoff setting allows a clean baseline by ignoring scan history before a configured date. Now also applies during dependency analysis and deduplication.
  • Platform: Issue statuses like Reviewing and Backlog are now preserved across scan refreshes instead of being reset.
  • Platform: Custom rules only mode is now available at the repository level in addition to organization and tag levels.
  • Platform: Scans now surface specific error messages instead of generic failures, and partial results are cleaned up on retry to prevent duplicates.
  • Platform: SCA fix PRs now automatically resolve merge conflicts by regenerating lock files on the latest base.
  • Platform: Team repository selector now supports search and pagination for large organizations.
  • Platform: Unmatched contributors can be searched and linked individually.
  • Platform: Report history auto-refreshes while reports are processing.
  • Platform: Automatic GitHub repository sync for rename, transfer, archive, and delete events.
  • Integrations: Jira and Linear now support bulk export of multiple findings at once.
  • Integrations: Linear custom templates with title, description, labels, and priority fields for auto-ticketing.
  • Integrations: Linear integration can now be connected at the organization level.
  • Integrations: Slack notification management moved inline to the new detail panel.
  • API: New Code Inspection API endpoints for searching, reading, and listing files in connected repositories.
  • API: On-demand investigations: POST /api/v2/issues/requestInvestigation with issueIds (and optional context). Investigation status is available via tRPC/MCP and the dashboard — not a separate REST GET route.
  • API: New INFORMATIONAL issue status and CICD detection type added across v1 and v2 APIs.
  • API: VULNERABILITY_PATCHED webhook now fires per-vulnerability for multi-fix PRs.
  • Developer Tools: MCP server updated with code inspection tools and investigation tools.
  • CLI: Scan polling now has a ~50-minute timeout to prevent CI/CD pipelines from hanging indefinitely.
  • Bug Fixes: Improved error messages for scan failures, CLI upload errors, and SBOM generation issues with specific failure categories (artifact download failed, artifact missing, generation failed, timeout).
  • Bug Fixes: IaC findings are now consistently categorized under the IaC finding type.
  • Bug Fixes: Monorepo patch PRs now correctly update all linked vulnerabilities when merged.
  • Bug Fixes: GitLab pipeline webhooks now handle pipelines not associated with a merge request.