2026-05
Wiz exposure filters, Linear auto-assignment, On-Demand Code Scans, and expanded SCA
SCA
  • Transitive dependency resolution adds Maven, Gradle, Python (pip), .NET, and Rust (Cargo), alongside the existing sbt (Scala) support.
  • Filter SCA vulnerabilities and alerts by Wiz Exposure to focus on dependencies reachable by internet-facing or otherwise exposed applications.
  • Threat model and application context factor into reachability analysis and transitive dependency triage, so customer-defined trust zones and out-of-scope areas shape SCA decisions.
  • Real-time notifications for new SCA issues are sent through configured Slack and webhook channels.
  • New SCA_NEW_ISSUE event trigger for the AI AppSec Assistant.
  • SCA Warnings page adds a searchable repository filter and displays monorepo partition names in the repository column.
Secrets
  • Reduced the false-positive rate of secrets detection.
IaC
  • Reduced the false-positive rate of IaC findings.
Platform
  • Azure DevOps added as a supported platform for PR scanning.
  • Severity-level checkboxes (Critical, High, Medium, Low, Info) for scan filtering.
  • PR scans can be grouped by pull request, collapsing rescans into a single row with a count badge.
  • Scan statuses auto-refresh every 5 seconds while in-progress scans are visible.
  • Default team permissions let organization admins configure a baseline permission template and apply it across all teams, including teams auto-created via GitHub team sync.
  • Investigation results display a color-coded verdict label (Confirmed, Not Exploitable, or Unknown) in the issue detail view.
  • Single-partition monorepos can be converted to a normal repository as an alternative to deletion.
  • Repository context supports an optional title field (up to 120 characters) as a short label shown in the contexts list.
  • PR bot comments include account-linking instructions when the commenting user doesn’t have a linked ZeroPath account.
  • More informative scan error messages.
Scanning
  • Superseded PR scans are cancelled across GitHub, GitLab, and Bitbucket.
  • Large PR status comments link to the full scan results in the dashboard.
Integrations
  • Linear auto-ticketing supports automatic assignee resolution with three modes: automatic (matches git blame contributors to Linear users), fixed assignee, or disabled.
  • Wiz integration data is accessible through the AI Assistant and MCP server via four read-only query tools for settings, projects, cloud assets, and network exposures.
  • Improved Jira status synchronization.
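The "automatic" assignee mode above resolves an owner from git blame. The following is an added example of that matching logic, written for this page; it is not ZeroPath's implementation. It assumes a `git blame --line-porcelain` transcript (constructed inline) and a lookup table of Linear users keyed by e-mail (also constructed; a real integration would fetch it from the Linear API). The mode names, the fallback to a fixed assignee when no blame author matches a Linear user, and the optional line-range restriction are this example's own choices.

```python
"""Resolve a ticket assignee from git blame (added example, not ZeroPath code)."""
import re
from collections import Counter
from typing import Optional

# Constructed directory: git author e-mail -> Linear user id (assumed shape).
LINEAR_USERS = {
    "alice@example.com": "lin_user_alice",
    "bob@example.com": "lin_user_bob",
}

# Constructed `git blame --line-porcelain` output for four lines of app.py.
# In --line-porcelain mode each source line is preceded by its full header
# block; the header is "<sha> <orig_line> <final_line> [<group_size>]".
BLAME_PORCELAIN = """\
a1b2c3d4 1 1 1
author Alice
author-mail <alice@example.com>
author-time 1700000000
summary add handler
filename app.py
\tdef handler(req):
e5f6a7b8 2 2 1
author Bob
author-mail <bob@example.com>
author-time 1700000100
summary build query
filename app.py
\t    query = "SELECT * FROM t WHERE id = " + req.args["id"]
a1b2c3d4 3 3 1
author Alice
author-mail <alice@example.com>
author-time 1700000000
summary add handler
filename app.py
\t    return run(query)
c9d0e1f2 4 4 1
author CI Bot
author-mail <12345+ci-bot@users.noreply.github.com>
author-time 1700000200
summary bump version
filename app.py
\t# version 1.2.3
"""

HEADER = re.compile(r"^[0-9a-f]{7,40} \d+ (\d+)(?: \d+)?$")


def blame_authors(porcelain: str, line_range: Optional[tuple] = None) -> Counter:
    """Count blamed lines per author e-mail, optionally only within (first, last).

    Restricting to the finding's own lines avoids assigning a SQL injection
    to whoever last touched an unrelated part of the file.
    """
    counts: Counter = Counter()
    in_range = True
    for line in porcelain.splitlines():
        m = HEADER.match(line)
        if m:
            final_line = int(m.group(1))
            in_range = line_range is None or line_range[0] <= final_line <= line_range[1]
        elif in_range and line.startswith("author-mail "):
            email = line[len("author-mail "):].strip("<>").lower()
            counts[email] += 1
    return counts


def resolve_assignee(mode: str, porcelain: str, users: dict,
                     fixed: Optional[str] = None,
                     line_range: Optional[tuple] = None) -> Optional[str]:
    """Pick an assignee under one of three modes: automatic, fixed, disabled."""
    if mode == "disabled":
        return None
    if mode == "fixed":
        return fixed
    if mode != "automatic":
        raise ValueError(f"unknown assignee mode: {mode!r}")
    # Most-blamed author first; skip e-mails (e.g. bot/noreply addresses)
    # that do not map to a Linear user.
    for email, _count in blame_authors(porcelain, line_range).most_common():
        if email in users:
            return users[email]
    return fixed  # nobody matched: fall back to the fixed assignee, if any


if __name__ == "__main__":
    print(resolve_assignee("automatic", BLAME_PORCELAIN, LINEAR_USERS))
    print(resolve_assignee("automatic", BLAME_PORCELAIN, LINEAR_USERS, line_range=(2, 2)))
```

Run stand-alone it prints `lin_user_alice` for the whole file and `lin_user_bob` when the finding is narrowed to line 2; line 4 alone yields the fallback because the noreply bot address is not a Linear user.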
Developer Tools
  • On-Demand Code Scans (beta) let you submit diffs, files, file sets, or snippets to ZeroPath for asynchronous security review without starting a full repository scan. Linked repository context is used automatically when the submitted Git remote resolves to a known repository.
API
  • New V2 integration endpoints for querying Wiz CSPM settings, projects, assets, and exposures.
  • Scans API supports severity-level filtering and PR scan grouping, with expanded issue status counts in responses.
  • Playbook templates support boolean, number, and select dropdown parameter types in addition to text.
  • New default team permissions endpoints for defining and applying permission templates across teams.
  • Breaking: The functionSummary field has been removed from vulnerability API response schemas. API consumers relying on this field should update their integrations.
2026-04
LLM Security scanning, Custom Sources & Sinks, Agent Playbooks, CVSS 3.1, and resolved issue status
AI AppSec Assistant
  • Agent Playbooks let you install pre-built, parameterized workflows that self-configure triggers, schedules, and memory. Automate triage routines, compliance checks, alert routing, and other multi-step security tasks without manual setup.
  • New event trigger types: PR Merged with Issues, Vulnerability Patched, Vulnerability Reopened, Long Running Scan, Report Complete, Scan Started, PR Scan Started, Scan Scheduled, and Audit Log Event. Multiple triggers per event type with repo/tag scoping.
  • Agent permissions (View, Manage, Run) added to team settings.
SAST
  • Expanded detection for OWASP LLM Top 10 issues including prompt injection, insecure output handling, system prompt leakage, and excessive agency.
  • Custom source and sink declarations participate in the full SAST scanning pipeline alongside built-in detections.
  • CVSS 3.1 scores are generated alongside CVSS 4.0 for all findings, with automatic backfill for older findings. Security impact labels (e.g., “Account Takeover”) are displayed in issue headers.
  • Each finding can carry multiple CWE identifiers.
  • Differential scan planning classifies changed files into code vs. dependency categories and selects the minimal scan strategy. Dependency manifest changes trigger fresh SCA even when no code files changed.
  • PR bot falls back to AI-powered natural language replies when @-mentions don’t match structured commands.
  • When findings drop off in a rescan, ZeroPath natively resolves the corresponding PR review threads on GitHub, GitLab, and Bitbucket, preserving the original comment text.
SCA
  • Maven parent POM dependencies are extracted from <dependencyManagement> sections in multi-module projects.
  • Improved npm transitive dependency fix suggestion accuracy.
  • CVE Alerts table includes an “Affected repositories” column showing which repositories contain the vulnerable package, with an expandable detail view for multi-repo alerts.
  • Improved SCA advisory matching for cross-package advisories.
  • Advisory search accepts titles and CVE identifiers in addition to GHSA identifiers. Issue headers show clickable links to both the advisory source and the associated CVE.
  • Broader ecosystem version comparison: Hex, Pub, and SwiftURL use semver; CRAN and Hackage use Maven-style comparison.
  • SCA vulnerability alerts can be routed to per-org webhook endpoints, enabling direct integration with Microsoft Teams, Slack, and other notification systems.
  • SBOM exports support the latest CycloneDX and SPDX specification versions.
Secrets
  • AI-powered validation runs across all secrets detection engines with three validation states: Confirmed, Disconfirmed, and Unknown.
Platform
  • Issue comments let developers and security teams document triage decisions, capture fix reasoning, and maintain an audit trail directly on findings. Comments are visible in the issue timeline and sync when status changes arrive from Jira and Linear.
  • Mark issues as “Resolved” directly from the issue action menu, with optional context explaining the resolution. Bulk “Resolved” action is available when selecting multiple issues.
  • Issue triage actions (false positive, accepted risk, true positive, resolved) apply with a single click.
  • Resolving an issue clears any silenced state on that issue.
  • Per-issue AI chat assistant embedded in the issue detail view for questions about exploitation, fixes, and reachability.
  • Provide additional context when requesting a retriage of a finding from the dashboard, MCP server, or API — context is passed to the scanner to guide the re-evaluation.
  • Custom rules and repository context with “Select All” scope apply to repositories added in the future.
  • Rules and context list views display “All Repositories” for org-wide items.
  • Organizations can require developers to provide context when marking a finding as a false positive, configurable per-team.
  • New Custom Sources & Sinks management page with dedicated tabs for custom sources, custom sinks, and a library of curated source and sink packs that can be enabled with one click.
  • Rule Packs tab added to the Rules page for browsing and enabling pre-built rule bundles covering privacy, compliance, and policy checks.
  • Issue export dialog adds format selection (CSV, CASA CSV, SARIF), filter overrides for severity, category, and status, live export preview count, and optional SARIF toggles for preconditions and exploit walkthrough context.
  • Custom source and sink badges appear on source and sink nodes in the data flow visualization, with clickable links to view or edit the declaration.
  • Branch-scoped full scan deduplication ensures each branch maintains an independent issue lifecycle. Branch filter dropdowns added to the Issues and Scans tabs.
  • Per-branch scan scheduling with support for multiple schedules per repository.
  • Scan explorer adds repository and scan navigation dropdowns and SCA manifest file nodes.
  • Scanner setting toggles show whether values are inherited from org/tag defaults or explicitly set at the repo level.
  • Scan explorer shows a “Standalone Findings” node for findings not linked to a specific source.
  • Deprovisioned members are marked with an “Inactive” badge on the members settings page, with role editing and removal disabled.
  • Differential scanning is enabled by default. Manual scans are prioritized over scheduled scans in the processing queue.
  • Shai Hulud Impact report type added. Custom report filters include Repository Name, Branch, and Tag fields.
Scanning
  • When a developer pushes a fix for a flagged finding in a PR, ZeroPath automatically resolves the review comment thread and updates the finding status in the dashboard.
  • PR rescans can be triggered directly from GitHub by re-running the ZeroPath check from the checks page.
  • Disconnecting a VCS integration cancels queued scans for affected repositories.
Integrations
  • PR comments support custom footer links and an auto-generated vulnerability summary. Teams can add links to internal wikis and documentation directly in the PR comment, and each finding includes a plain-language explanation of why it matters.
  • Jira auto-ticketing supports grouping issues under an epic, with epic selection available for all issue types.
  • Improved Jira issue export reliability across issue types.
  • Slack channel picker supports search and alphabetical sorting in notification groups.
  • When an issue is closed in Jira or Linear, ZeroPath captures the closure reason and stores it as context on the finding.
Developer Tools
  • The ZeroPath MCP server returns patch and remediation metadata alongside vulnerability details, so AI agents in Cursor, VS Code, and other tools can access fix suggestions directly.
API
  • New AI Assistant API with full management of conversations, jobs, schedules, triggers, and memory. Real-time SSE streaming for job output.
  • New semantic search endpoints for vulnerabilities and application endpoints using natural language queries.
  • New endpoints for scan start/cancel, scan schedule management with branch targeting, repository add-by-URL and delete, and organization member management.
  • New Custom Sources, Custom Sinks, Custom Source Packs, Custom Sink Packs, and Rule Packs endpoints for programmatic management of security declarations and rule bundles.
  • Issue data flow details include custom source and custom sink declaration names and descriptions when a finding matches a user-defined declaration.
  • Issues and SCA API responses include remediation and patch metadata (validation status, PR link, proposed diff) when a fix exists.
  • Rules API supports allRepositories as a first-class field for scoping rules org-wide, mutually exclusive with repositoryIds.
  • organizationId is optional on most V2 endpoints — auto-resolved from the API token.
  • VULNERABILITY_STATUS_CHANGED notification fires on all triage actions (archive, unarchive, true positive, false positive, resolve, unresolve) from the dashboard, API, and AI agent.
2026-03
AI AppSec Assistant (early access), on-demand investigations, custom reports, fix verification, and CI/CD scanning
AI AppSec Assistant
  • New early-access AI AppSec Assistant with a dedicated dashboard featuring Overview, Activity, Chat, Schedules, Triggers, Memory, and Settings tabs. Includes Jira, Confluence, and Linear integrations, custom MCP server installation, and Slack thread control (cancel, replace, amend).
SAST
  • On-demand investigation allows deeper AI re-evaluation of findings, available from the issue detail view, in bulk, and via the API and MCP server.
  • Each confirmed finding includes step-by-step exploitation instructions and, for exploitable vulnerabilities, a mandatory data flow path.
  • Exploitability preconditions surface deployment-context factors (WAFs, network exposure, auth middleware) that may affect whether a finding is exploitable, with expandable per-precondition evidence in the issue detail view.
  • New “Informational” status for findings where exploitability cannot be determined.
  • Deep codebase analysis follows extended call chains and complex cross-file data flows for more thorough vulnerability detection.
  • Smart rescans match issues to changed line ranges per file.
  • Fix verification: reference ZeroPath issues in PR descriptions using ZP-ID: syntax or dashboard URLs to have ZeroPath check whether they are resolved by the PR and report results in a PR comment and a dedicated check status. Supported on GitHub, GitLab, and Bitbucket.
  • @bot retriage on PRs with fix verification references re-runs fix verification instead of the standard investigation flow.
  • AL (Business Central) added to supported languages.
SCA
  • SCA findings link to the manifest file and line number where the dependency is declared.
  • Compiled asset scanning detects packages embedded in JARs, WARs, Python wheels, and other binary artifacts.
  • Multi-hop transitive dependency resolution walks up to 5 hops to find the nearest upgradable direct dependency.
  • Remediation instructions are provided for unpatchable findings when no safe version exists.
  • SBT (Scala) transitive dependency support with lockfile parsing and automatic sandbox fallback when no lockfile is present.
  • SBT auto-remediation creates version bump PRs for vulnerable dependencies in build.sbt files.
  • Haskell (Hackage) and R (CRAN) ecosystems added.
  • New filters for ecosystem, package reachability, source type (manifest vs. compiled), and info severity level.
  • Gradle version catalog support with line-level tracking in build files; PEP 621 pyproject.toml and Poetry 1.2+ group dependencies are parsed.
  • SCA findings include exploitability preconditions.
  • SBOMs can be generated directly without first running an SCA scan.
Secrets
  • Multi-engine secrets detection with automatic cross-engine deduplication for broader coverage.
IaC
  • GitHub Actions workflow security scanning for CI/CD pipeline misconfigurations.
  • IaC findings include exploitability preconditions and supporting evidence.
Reports
  • Custom Reports dashboard with interactive charts (severity distribution, MTTR, top vulnerability classes, issue trends), a chip-based filter bar with 14 filterable fields, six preset report templates, and the ability to save and share filter configurations.
  • New Assets tab in Reports provides a dedicated view of organization assets alongside the existing Views, Generate, and History tabs.
  • Custom Report permissions (View, Create, Delete) added to team settings.
Platform
  • Separate PR summary comment controls for scans that find issues and clean scans, both enabled by default.
  • PR summary comments display exact issue counts and limit inline display to the top 10 findings, with a link to the full dashboard.
  • Detailed vulnerability info toggle added to PR scan settings for controlling the level of detail shown in PR comments.
  • Bot commands for PR comments: @bot rescan triggers a PR rescan and @bot retriage triggers deeper AI re-investigation of findings. Bot responses update in-place to keep PR comment threads clean.
  • @ZeroPath is accepted as a universal bot alias in PR comments, in addition to the configured bot username and @zeropath-ai.
  • Marking an issue as false positive or resolved automatically resolves the corresponding inline PR comment threads on GitHub, GitLab, and Bitbucket.
  • Dashboard overview statistics redesigned with four key metrics: Total Open, Total Resolved, Avg PR Scan Time, and Mean Time To Resolve, with trend indicators.
  • Integrations settings page redesigned with a master-detail sidebar layout.
  • History cutoff setting allows a clean baseline by ignoring scan history before a configured date, including during dependency analysis and deduplication.
  • Custom rules only mode is available at the repository level in addition to organization and tag levels.
  • Improved SCA fix PR merge reliability.
  • Monorepo patch PRs update all linked vulnerabilities on merge.
  • Team repository selector supports search and pagination.
  • Unmatched contributors can be searched and linked individually.
  • Report history auto-refreshes while reports are processing.
  • Automatic GitHub repository sync for rename, transfer, archive, and delete events.
Integrations
  • Jira and Linear support bulk export of multiple findings at once.
  • Linear custom templates with title, description, labels, and priority fields for auto-ticketing.
  • Linear integration can be connected at the organization level.
  • GitLab pipeline webhooks support pipelines outside of merge requests.
Developer Tools
  • MCP server adds code inspection tools and investigation tools, including a scans.rescanPR tool for triggering PR rescans.
API
  • New V2 API endpoints for semantic search across vulnerabilities and detected endpoints, SCA vulnerability listing, report generation, and custom report management (CRUD and filter schema discovery).
  • New V2 Agent API with endpoints for patch management, PR creation, repository access for agent workflows, event triggers (including inbound webhooks), and global agent instructions.
  • Custom report statistics endpoint returns aggregated metrics including severity distribution, top vulnerability classes, MTTR, and new/resolved trends.
  • New Code Inspection API endpoints for searching, reading, and listing files in connected repositories.
  • On-demand investigations: POST /api/v2/issues/requestInvestigation with issueIds and optional context.
  • POST /scans/rescanPR endpoint to trigger a rescan of a previously scanned PR.
  • New INFORMATIONAL issue status and CICD detection type added across v1 and v2 APIs.
  • VULNERABILITY_PATCHED webhook fires per-vulnerability for multi-fix PRs.