Overview
This integration connects a ZeroPath scan to an existing SD Elements project. Your SD Elements countermeasures are translated into ZeroPath scanning rules, and ZeroPath scans your repository against them. Three things sit in this relationship:- Your SD Elements project is the source of truth for countermeasures — the security requirements your application is expected to meet.
- Your Git repository is what ZeroPath scans.
- ZeroPath sits in the middle. It maps the project to the repository, classifies each countermeasure (covered by built-in analysis, covered by an auto-generated rule, or not supported), and scans the code against the resulting rules.
Before you start
Accounts you need
- A ZeroPath tenant with admin access. If you don’t have one, talk to your Security Compass contact or email ZeroPath at support@zeropath.com. Provisioning a tenant typically takes about 24 hours.
- An SD Elements deployment with API access, and at least one project you want to link.
- A Git repository in GitHub, GitLab, Bitbucket, or Azure Repos that you can connect to ZeroPath.
Software you need
- An AI assistant that supports MCP. The configuration below covers Claude Code, Cursor, and GitHub Copilot.
- For the ZeroPath MCP server you install locally, the
uvtoolchain — it runs throughuvx. The SD Elements MCP server is hosted by your SD Elements instance, so there is nothing to install for it.
Credentials you need
You will collect six values. Keep them somewhere safe while you set things up.ZeroPath base URL
ZeroPath base URL
https://zeropath.com. Enterprise or dedicated tenants may use a different
host — use whatever appears in your browser when you are signed in, with no
trailing path.ZeroPath organization ID
ZeroPath organization ID
org_0123ABC…). Find it under Settings → General in the dashboard, or
ask your AI assistant once the ZeroPath MCP is connected: “What is my
ZeroPath organization ID?”ZeroPath API token (ID + secret)
ZeroPath API token (ID + secret)
SD Elements base URL
SD Elements base URL
https://<your-sde-instance>.sdelements.com. Host only, no trailing path.SD Elements API key
SD Elements API key
SD Elements project ID
SD Elements project ID
…/projects/8/). You’ll supply one project ID per mapping.Network access
If your repository or your SD Elements instance sits behind a VPN or in a private network, allow ZeroPath’s outbound IP addresses through:Provision your ZeroPath tenant
If you don’t have a tenant yet, request one through your Security Compass contact or at support@zeropath.com. Use one organization per proof-of-concept; separate customers get separate tenants for isolation.Ask ZeroPath to enable Security Compass
The Security Compass integration is switched on per environment by ZeroPath. Once your tenant exists, ask your ZeroPath contact — or email support@zeropath.com — to enable the Security Compass integration for your organization. Until it’s enabled, the Security Compass option won’t appear under Settings → Integrations.Add teammates
Once you’re in, you can add teammates. Roles are Admin, Member, and Viewer — see Teams & Permissions for what each can do.- Ask your assistant
- Use the dashboard
Connect a repository
ZeroPath scans a Git repository, so connect one before you map it. Pick the provider you use; the full walkthrough for each lives in the Quick Start.- Ask your assistant
- Use the dashboard
- GitHub. Use the Install GitHub App button on the Add Repositories page. The GitHub App requests read access to code plus read/write on checks and pull requests so ZeroPath can post results and open fix PRs.
- GitLab. Create a group or project access token with the
apiscope and the Maintainer role, then set it up under Add Repositories → GitLab. See the Quick Start. - Bitbucket. Connect through Add Repositories → Bitbucket as described in the Quick Start.
- Azure Repos. Connect from the same Add Repositories page.
Set up your SD Elements project
You want to finish this section with an SD Elements project whose survey is complete and whose countermeasures are populated, ready to map. ZeroPath doesn’t change how you build a project in SD Elements — create the project, complete its survey, and review the resulting countermeasures using the SD Elements user guide. A typical project (for example, a Django or .NET web app profile) ends up with a few hundred countermeasures spread across phases like Requirements and Development.- Ask your assistant
- Use the SD Elements UI
Install the MCP servers
Two MCP servers drive the assistant side of this integration:- The ZeroPath MCP — github.com/ZeroPathAI/zeropath-mcp-server, installed locally. It covers the general ZeroPath tools (read repositories, run scans, inspect issues and rules) and the Security Compass tools (mapping projects to repositories, syncing rules, reading the audit) in one server. Its install steps are also mirrored in MCP Installation. It uses the four ZeroPath values you collected: base URL, organization ID, API token ID, and API token secret.
- The SD Elements MCP — hosted at
https://<your-sde-instance>.sdelements.com/mcp, authenticating with your SD Elements API key in thesde-api-keyheader. There’s nothing to install for it.
Claude Code
Claude Code’s recommended path is theclaude mcp add command (see the
Claude Code MCP docs). Run these two
commands, substituting your values:
-- separates the name from the
command that launches the server. If you prefer a file, the same two servers go
under the mcpServers key in .mcp.json.
Cursor
Cursor reads MCP servers from~/.cursor/mcp.json (global) or .cursor/mcp.json
(per project), under the mcpServers key (see the
Cursor MCP docs):
GitHub Copilot
GitHub Copilot in VS Code reads MCP servers from.vscode/mcp.json (per
workspace) or your user settings.json, under the servers key (see
GitHub’s MCP docs).
The SD Elements block here matches the configuration your SD Elements instance
hands you:
End-to-end workflow
This is the operating manual. Each step has an assistant prompt and, where one exists, the matching dashboard path. The dashboard side lives in Settings → Integrations: the Security Compass card shows the connection, its mappings, and each mapping’s sync status; its gear icon opens Manage Security Compass integration, where the mapping actions live.1. Connect your SD Elements instance
One-time per organization, and done in the ZeroPath dashboard. Get your API key from the SD Elements dashboard (see Credentials you need), then go to Settings → Integrations → Add Integration → Security Compass. In the dialog, enter the SD Elements Base URL and API Token, leave Enable Integration on, and click Create Integration.- Supply the API key only through the ZeroPath dashboard. Don’t paste it into an AI assistant — keep credentials out of chat.
- There is nothing to configure on the SD Elements side. You won’t find a ZeroPath integration on SD Elements’ integrations page, and you don’t need one; supplying the API key here is enough.
2. Test the connection
Confirm the credentials work and ZeroPath can see countermeasures on a project.- Ask your assistant
- Use the dashboard
3. Update credentials
When you rotate the SD Elements API key (or point at a different instance), re-save the connection. This overwrites the stored credentials and base URL but leaves your existing project mappings intact. Like the initial connection, this is done in the dashboard — get the new key from the SD Elements dashboard rather than handing it to an AI assistant. In Manage Security Compass integration → Connection Settings, update the Base URL or API Token and click Save Settings. Leaving the token blank keeps the current one.4. Map a project to a repository
A mapping links one SD Elements project to one repository. You can map several projects to one repository, and one project to several repositories.- Ask your assistant
- Use the dashboard
5. Sync rules from countermeasures
Syncing fetches the project’s countermeasures, classifies each one, and creates ZeroPath rules where they’re needed. The work runs in the background — it can take a few minutes for a large project. The mapping shows a running status while it fetches countermeasures, classifies coverage, and creates rules, then flips to a success summary when it finishes. A countermeasure that can’t be classified is skipped rather than failing the whole run.- Ask your assistant
- Use the dashboard
6. Review the mapping audit
The audit is the per-countermeasure breakdown: for each task, whether ZeroPath covers it with built-in analysis, covers it with an auto-generated natural-language rule, or doesn’t yet support it. This is the artifact most security reviewers care about.- Ask your assistant
- Use the dashboard
7. Trigger a scan
- Ask your assistant
- Use the dashboard
8. Check sync and scan history
- Ask your assistant
- Use the dashboard
9. Review findings
Findings appear in ZeroPath under Issues, filterable by repository.- Ask your assistant
- Use the dashboard
Run the whole pipeline at once
You don’t have to do the steps one at a time. With the ZeroPath MCP and the SD Elements MCP connected, a single prompt can carry the whole pipeline:“Set up <repo> with SD Elements project <ID>: create the mapping, sync rules, run the audit, kick off a full scan, and summarize what came back.”The assistant creates the mapping, runs the sync (and reports the SAST / natural-language-rule / unsupported breakdown), surfaces the audit, starts the scan, and summarizes the findings once the scan finishes.
How ZeroPath turns countermeasures into rules
Whole-repository analysis
ZeroPath analyzes the whole repository. It identifies the applications inside it, maps sources, sinks, and the relationships among them, and builds a threat model per application. Traditional flaws are evaluated source-to-sink; higher-level controls are evaluated agentically against that threat model. For the deeper picture, see the SAST Overview and Custom Rules. When you sync a mapping, each countermeasure lands in one of three buckets:- Built-in coverage — ZeroPath’s standard analysis already detects this class of issue (for example, “Validate all forms of input” or “Set HttpOnly flag on session cookies”).
- Natural-language rule — the countermeasure maps to a policy ZeroPath enforces through an auto-generated custom rule scoped to the mapped repository (for example, an audit-logging or password-policy requirement).
- Not supported — the countermeasure isn’t related to code development, or it can’t be implemented or enforced through static analysis (for example, “Verify that penetration testing has been performed”). These are skipped during sync.
Where mapped findings show up
What that means for coverage
Out of the box, ZeroPath covers a large share of a project’s countermeasures directly, with much of the remainder covered by auto-generated rules and a smaller tail that a code scan can’t verify. The audit (step 6) is the per-countermeasure record of which is which for your project.PR vs. full-branch scanning
Full scans
The default mode. Full scans run on a schedule (commonly nightly) and build the repository cache that ZeroPath reuses across scan types. Configure the schedule in Scanner Settings.PR scans
Enabled per repository, PR scans check each pull request using the cache built by full scans. Most teams start with full scans onmain, get comfortable, then
turn on PR scans. See PR Scanning.
- Ask your assistant
- Use the dashboard
Security and trust
ZeroPath stores integration credentials and vulnerability records in an encrypted, per-tenant database. Source code is cloned only at scan time, inside a container, and removed when the scan finishes. ZeroPath runs external penetration tests and maintains a vulnerability disclosure program. SOC 2 reporting is in progress; a letter of intent is available on request. For the current compliance status and to request reports, see the resources below.- ZeroPath Trust Center: zeropath.com/trust-center
- ZeroPath Trust Portal: zeropath.trust.site
Troubleshooting
Rule sync fails fetching SD Elements tasks (404)
Rule sync fails fetching SD Elements tasks (404)
API key not visible in the dashboard
API key not visible in the dashboard
A repository behind a VPN can't be scanned
A repository behind a VPN can't be scanned
The integration is pointed at the wrong SD Elements instance
The integration is pointed at the wrong SD Elements instance
"Save connection settings (Base URL) first"
"Save connection settings (Base URL) first"
Rule sync says it's already running
Rule sync says it's already running
The mapping audit is empty
The mapping audit is empty
FAQ
Can one SD Elements project map to multiple repositories?
Can one SD Elements project map to multiple repositories?
Which version control providers are supported?
Which version control providers are supported?
Can ZeroPath run on-prem alongside an on-prem SD Elements?
Can ZeroPath run on-prem alongside an on-prem SD Elements?
Is there a ZeroPath app to install inside SD Elements?
Is there a ZeroPath app to install inside SD Elements?
Do I set up the SD Elements connection once, or per repository?
Do I set up the SD Elements connection once, or per repository?
Which countermeasures does ZeroPath sync?
Which countermeasures does ZeroPath sync?
Where do the generated rules live, and can I edit them?
Where do the generated rules live, and can I edit them?
Does ZeroPath change anything in SD Elements?
Does ZeroPath change anything in SD Elements?
My countermeasures changed in SD Elements. How do I update ZeroPath?
My countermeasures changed in SD Elements. How do I update ZeroPath?
Do the MCP servers need to stay running for scans?
Do the MCP servers need to stay running for scans?
Who can configure the integration and create mappings?
Who can configure the integration and create mappings?
Assistant prompts you’ll use most
Setup- “Show me the Security Compass integration configured for my ZeroPath organization.”
- “Test my Security Compass connection against project <SDE project ID>.”
- “Map SD Elements project <ID> to repository <repo> in ZeroPath.”
- “Sync rules for the <project> to <repo> mapping.”
- “Show me the mapping audit for project <ID>.”
- “Run a full scan on <repo>.”
- “Show recent Security Compass sync events.”
- “Summarize findings from the latest scan of <repo>.”