Skip to main content
This integration is in beta. Day-to-day operations can be driven through your AI assistant (using ZeroPath’s MCP servers), with a matching dashboard path under Settings → Integrations wherever one exists. The one exception is connecting the integration itself: you supply the SD Elements API key in the ZeroPath dashboard, never through an AI assistant.

Overview

This integration connects a ZeroPath scan to an existing SD Elements project. Your SD Elements countermeasures are translated into ZeroPath scanning rules, and ZeroPath scans your repository against them. Three things sit in this relationship:
  • Your SD Elements project is the source of truth for countermeasures — the security requirements your application is expected to meet.
  • Your Git repository is what ZeroPath scans.
  • ZeroPath sits in the middle. It maps the project to the repository, classifies each countermeasure (covered by built-in analysis, covered by an auto-generated rule, or not supported), and scans the code against the resulting rules.
By the end of this page you will have an SD Elements project linked to a repository in ZeroPath, with its countermeasures synced into ZeroPath as scanning rules and scans running against them.

Before you start

Accounts you need

  • A ZeroPath tenant with admin access. If you don’t have one, talk to your Security Compass contact or email ZeroPath at support@zeropath.com. Provisioning a tenant typically takes about 24 hours.
  • An SD Elements deployment with API access, and at least one project you want to link.
  • A Git repository in GitHub, GitLab, Bitbucket, or Azure Repos that you can connect to ZeroPath.

Software you need

  • An AI assistant that supports MCP. The configuration below covers Claude Code, Cursor, and GitHub Copilot.
  • For the ZeroPath MCP server you install locally, the uv toolchain — it runs through uvx. The SD Elements MCP server is hosted by your SD Elements instance, so there is nothing to install for it.

Credentials you need

You will collect six values. Keep them somewhere safe while you set things up.
The host you visit to log in. For ZeroPath’s SaaS this is https://zeropath.com. Enterprise or dedicated tenants may use a different host — use whatever appears in your browser when you are signed in, with no trailing path.
The identifier for your ZeroPath organization (it looks like org_0123ABC…). Find it under Settings → General in the dashboard, or ask your AI assistant once the ZeroPath MCP is connected: “What is my ZeroPath organization ID?”
Go to Settings → API Tokens, click to create a key, name it, choose an expiry, and copy both the token ID and the token secret. The secret is shown only once. Creating a token requires the admin role. See API Tokens for the full reference.
The host you visit to use SD Elements, for example https://<your-sde-instance>.sdelements.com. Host only, no trailing path.
Create an API token inside SD Elements (under your user profile / API tokens) and copy it. Follow the SD Elements user guide and API documentation for their token flow rather than the ZeroPath one. Note that you won’t find a ZeroPath entry on SD Elements’ integrations page, and you don’t need one — creating this API key and supplying it to ZeroPath is all the SD Elements side requires.
The numeric ID shown in the project’s URL when you view it in SD Elements (for example, …/projects/8/). You’ll supply one project ID per mapping.

Network access

If your repository or your SD Elements instance sits behind a VPN or in a private network, allow ZeroPath’s outbound IP addresses through:
50.112.134.81
44.232.87.32
52.37.222.237

Provision your ZeroPath tenant

If you don’t have a tenant yet, request one through your Security Compass contact or at support@zeropath.com. Use one organization per proof-of-concept; separate customers get separate tenants for isolation.

Ask ZeroPath to enable Security Compass

The Security Compass integration is switched on per environment by ZeroPath. Once your tenant exists, ask your ZeroPath contact — or email support@zeropath.com — to enable the Security Compass integration for your organization. Until it’s enabled, the Security Compass option won’t appear under Settings → Integrations.

Add teammates

Once you’re in, you can add teammates. Roles are Admin, Member, and Viewer — see Teams & Permissions for what each can do.
“Invite alice@example.com as an admin to my ZeroPath organization.” The assistant adds the member and confirms the role it assigned.

Connect a repository

ZeroPath scans a Git repository, so connect one before you map it. Pick the provider you use; the full walkthrough for each lives in the Quick Start.
“Show me the GitHub installations available to my organization,” then “Connect the repository at https://github.com/acme/web to ZeroPath.” The assistant lists what it can reach and adds the repository you name.
Provider-specific notes:
  • GitHub. Use the Install GitHub App button on the Add Repositories page. The GitHub App requests read access to code plus read/write on checks and pull requests so ZeroPath can post results and open fix PRs.
  • GitLab. Create a group or project access token with the api scope and the Maintainer role, then set it up under Add Repositories → GitLab. See the Quick Start.
  • Bitbucket. Connect through Add Repositories → Bitbucket as described in the Quick Start.
  • Azure Repos. Connect from the same Add Repositories page.
You can also connect a repository by direct URL with an access token, which is how repositories are wired up in many SD Elements pilots. Token connections scan fine but don’t get the full set of GitHub App features (automatic PR checks, fix PRs). Use the GitHub App when you want those.
If the repository is behind a VPN, apply the same network allowlisting noted in Before you start.

Set up your SD Elements project

You want to finish this section with an SD Elements project whose survey is complete and whose countermeasures are populated, ready to map. ZeroPath doesn’t change how you build a project in SD Elements — create the project, complete its survey, and review the resulting countermeasures using the SD Elements user guide. A typical project (for example, a Django or .NET web app profile) ends up with a few hundred countermeasures spread across phases like Requirements and Development.
With the SD Elements MCP connected you can explore without leaving chat: “List my SD Elements business units,” “Find the project named ‘Payment Service’ in SD Elements,” or “Show the countermeasures for SD Elements project Payment Service.” The assistant returns the matching business units, the project (with its numeric ID), and the countermeasure list with titles, phases, and status.

Install the MCP servers

Two MCP servers drive the assistant side of this integration:
  • The ZeroPath MCPgithub.com/ZeroPathAI/zeropath-mcp-server, installed locally. It covers the general ZeroPath tools (read repositories, run scans, inspect issues and rules) and the Security Compass tools (mapping projects to repositories, syncing rules, reading the audit) in one server. Its install steps are also mirrored in MCP Installation. It uses the four ZeroPath values you collected: base URL, organization ID, API token ID, and API token secret.
  • The SD Elements MCP — hosted at https://<your-sde-instance>.sdelements.com/mcp, authenticating with your SD Elements API key in the sde-api-key header. There’s nothing to install for it.
The three subsections below give a copy-paste configuration for both servers together, in each client’s own format.

Claude Code

Claude Code’s recommended path is the claude mcp add command (see the Claude Code MCP docs). Run these two commands, substituting your values:
# ZeroPath MCP (local)
claude mcp add --scope user zeropath \
  --env ZEROPATH_BASE_URL=https://zeropath.com \
  --env ZEROPATH_TOKEN_ID=<your-token-id> \
  --env ZEROPATH_TOKEN_SECRET=<your-token-secret> \
  --env ZEROPATH_ORG_ID=<your-org-id> \
  -- uvx --from git+https://github.com/ZeroPathAI/zeropath-mcp-server zeropath-mcp-server

# SD Elements MCP (remote HTTP)
claude mcp add --scope user --transport http sde-mcp-server \
  https://<your-sde-instance>.sdelements.com/mcp \
  --header "sde-api-key: <your-sde-api-key>"
All options come before the server name, and the -- separates the name from the command that launches the server. If you prefer a file, the same two servers go under the mcpServers key in .mcp.json.

Cursor

Cursor reads MCP servers from ~/.cursor/mcp.json (global) or .cursor/mcp.json (per project), under the mcpServers key (see the Cursor MCP docs):
{
  "mcpServers": {
    "zeropath": {
      "command": "uvx",
      "args": ["--from", "git+https://github.com/ZeroPathAI/zeropath-mcp-server", "zeropath-mcp-server"],
      "env": {
        "ZEROPATH_BASE_URL": "https://zeropath.com",
        "ZEROPATH_TOKEN_ID": "<your-token-id>",
        "ZEROPATH_TOKEN_SECRET": "<your-token-secret>",
        "ZEROPATH_ORG_ID": "<your-org-id>"
      }
    },
    "sde-mcp-server": {
      "url": "https://<your-sde-instance>.sdelements.com/mcp",
      "headers": {
        "sde-api-key": "<your-sde-api-key>"
      }
    }
  }
}

GitHub Copilot

GitHub Copilot in VS Code reads MCP servers from .vscode/mcp.json (per workspace) or your user settings.json, under the servers key (see GitHub’s MCP docs). The SD Elements block here matches the configuration your SD Elements instance hands you:
{
  "servers": {
    "zeropath": {
      "command": "uvx",
      "args": ["--from", "git+https://github.com/ZeroPathAI/zeropath-mcp-server", "zeropath-mcp-server"],
      "env": {
        "ZEROPATH_BASE_URL": "https://zeropath.com",
        "ZEROPATH_TOKEN_ID": "<your-token-id>",
        "ZEROPATH_TOKEN_SECRET": "<your-token-secret>",
        "ZEROPATH_ORG_ID": "<your-org-id>"
      }
    },
    "sde-mcp-server": {
      "url": "https://<your-sde-instance>.sdelements.com/mcp",
      "headers": {
        "sde-api-key": "<your-sde-api-key>"
      }
    }
  }
}
Sanity check. Once a client is configured, ask your assistant: “Show me the Security Compass integration currently configured for my ZeroPath organization.” You’ll either see the existing integration and its mappings, or a confirmation that none is set up yet.

End-to-end workflow

This is the operating manual. Each step has an assistant prompt and, where one exists, the matching dashboard path. The dashboard side lives in Settings → Integrations: the Security Compass card shows the connection, its mappings, and each mapping’s sync status; its gear icon opens Manage Security Compass integration, where the mapping actions live.

1. Connect your SD Elements instance

One-time per organization, and done in the ZeroPath dashboard. Get your API key from the SD Elements dashboard (see Credentials you need), then go to Settings → Integrations → Add Integration → Security Compass. In the dialog, enter the SD Elements Base URL and API Token, leave Enable Integration on, and click Create Integration.
Two things to know about this step:
  • Supply the API key only through the ZeroPath dashboard. Don’t paste it into an AI assistant — keep credentials out of chat.
  • There is nothing to configure on the SD Elements side. You won’t find a ZeroPath integration on SD Elements’ integrations page, and you don’t need one; supplying the API key here is enough.

2. Test the connection

Confirm the credentials work and ZeroPath can see countermeasures on a project.
“Test my Security Compass connection against project <SDE project ID>.” The assistant reports success and how many countermeasures it sees on that project.

3. Update credentials

When you rotate the SD Elements API key (or point at a different instance), re-save the connection. This overwrites the stored credentials and base URL but leaves your existing project mappings intact. Like the initial connection, this is done in the dashboard — get the new key from the SD Elements dashboard rather than handing it to an AI assistant. In Manage Security Compass integration → Connection Settings, update the Base URL or API Token and click Save Settings. Leaving the token blank keeps the current one.

4. Map a project to a repository

A mapping links one SD Elements project to one repository. You can map several projects to one repository, and one project to several repositories.
“Map SD Elements project <ID> to repository <repo name> in ZeroPath.” The assistant creates the mapping and confirms it.

5. Sync rules from countermeasures

Syncing fetches the project’s countermeasures, classifies each one, and creates ZeroPath rules where they’re needed. The work runs in the background — it can take a few minutes for a large project. The mapping shows a running status while it fetches countermeasures, classifies coverage, and creates rules, then flips to a success summary when it finishes. A countermeasure that can’t be classified is skipped rather than failing the whole run.
“Sync rules for the <project> to <repo> mapping.” The assistant starts the sync (it runs in the background) and, once it finishes, reports a summary along the lines of: 356 countermeasures — 274 covered by built-in analysis, a set covered by newly created natural-language rules, and 51 not currently supported.
Only one sync runs per mapping at a time. If you ask for another while one is in progress, ZeroPath tells you a sync is already running rather than starting a second one.

6. Review the mapping audit

The audit is the per-countermeasure breakdown: for each task, whether ZeroPath covers it with built-in analysis, covers it with an auto-generated natural-language rule, or doesn’t yet support it. This is the artifact most security reviewers care about.
“Show me the mapping audit for project <ID>.” The assistant lists each countermeasure with its coverage category.

7. Trigger a scan

“Run a full scan on <repo>.” The assistant starts the scan and confirms it’s queued.

8. Check sync and scan history

“Show recent Security Compass sync events” and “Show recent scans on <repo>.” The assistant returns the sync log (started, fetched, completed entries with counts) and the scan history.

9. Review findings

Findings appear in ZeroPath under Issues, filterable by repository.
“Summarize findings from the latest scan of <repo>.”

Run the whole pipeline at once

You don’t have to do the steps one at a time. With the ZeroPath MCP and the SD Elements MCP connected, a single prompt can carry the whole pipeline:
“Set up <repo> with SD Elements project <ID>: create the mapping, sync rules, run the audit, kick off a full scan, and summarize what came back.”
The assistant creates the mapping, runs the sync (and reports the SAST / natural-language-rule / unsupported breakdown), surfaces the audit, starts the scan, and summarizes the findings once the scan finishes.

How ZeroPath turns countermeasures into rules

Whole-repository analysis

ZeroPath analyzes the whole repository. It identifies the applications inside it, maps sources, sinks, and the relationships among them, and builds a threat model per application. Traditional flaws are evaluated source-to-sink; higher-level controls are evaluated agentically against that threat model. For the deeper picture, see the SAST Overview and Custom Rules. When you sync a mapping, each countermeasure lands in one of three buckets:
  • Built-in coverage — ZeroPath’s standard analysis already detects this class of issue (for example, “Validate all forms of input” or “Set HttpOnly flag on session cookies”).
  • Natural-language rule — the countermeasure maps to a policy ZeroPath enforces through an auto-generated custom rule scoped to the mapped repository (for example, an audit-logging or password-policy requirement).
  • Not supported — the countermeasure isn’t related to code development, or it can’t be implemented or enforced through static analysis (for example, “Verify that penetration testing has been performed”). These are skipped during sync.

Where mapped findings show up

A dedicated dashboard view that ties scan findings back to the specific SD Elements countermeasures they relate to is a work in progress. For now, review coverage through the mapping audit (step 6) and review findings in the standard Issues view.

What that means for coverage

Out of the box, ZeroPath covers a large share of a project’s countermeasures directly, with much of the remainder covered by auto-generated rules and a smaller tail that a code scan can’t verify. The audit (step 6) is the per-countermeasure record of which is which for your project.

PR vs. full-branch scanning

Full scans

The default mode. Full scans run on a schedule (commonly nightly) and build the repository cache that ZeroPath reuses across scan types. Configure the schedule in Scanner Settings.

PR scans

Enabled per repository, PR scans check each pull request using the cache built by full scans. Most teams start with full scans on main, get comfortable, then turn on PR scans. See PR Scanning.
“Turn on PR scanning for <repo>.”

Security and trust

ZeroPath stores integration credentials and vulnerability records in an encrypted, per-tenant database. Source code is cloned only at scan time, inside a container, and removed when the scan finishes. ZeroPath runs external penetration tests and maintains a vulnerability disclosure program. SOC 2 reporting is in progress; a letter of intent is available on request. For the current compliance status and to request reports, see the resources below.

Troubleshooting

The SD Elements project ID in the mapping no longer exists in the connected SD Elements tenant. Confirm the project exists in SD Elements and re-add the mapping with the correct ID.
Creating a ZeroPath API token requires the admin role. If you have the Viewer or Member role, ask an org admin to create the token for you. See API Tokens.
ZeroPath’s outbound traffic needs to reach the repository. Allowlist ZeroPath’s outbound IPs (see Network access).
If you run more than one SD Elements deployment, update the connection’s base URL and API key (step 3) to point at the right one. Existing mappings are preserved.
In the dashboard, save the connection settings (base URL and token) before you test a project or add a mapping. Test Connection runs against the saved base URL.
Only one sync runs per mapping at a time. Wait for the in-progress run to finish, then start it again.
The audit is available only after a successful sync. Run sync for the mapping first, then view or export the audit.

FAQ

Yes — and multiple projects can map to one repository.
GitHub, GitLab, Bitbucket, and Azure Repos.
The recommended setup today is SaaS. For on-prem requirements, talk to ZeroPath support.
No. There is no ZeroPath entry on SD Elements’ integrations page, and none is needed. Create an SD Elements API key and supply it to ZeroPath (in the ZeroPath dashboard, under Settings → Integrations) — that completes the connection.
Once per organization. You save one connection (base URL and API key), then add a mapping for each SD Elements project and repository pair.
The countermeasures SD Elements marks relevant for the project — the ones produced by completing the project survey. Finish the survey before you sync so the full set is available.
Each rule ZeroPath creates from a countermeasure is a standard custom rule scoped to the mapped repository. View, edit, or disable them on the Rules page or through your assistant, the same as any other custom rule.
No. Today the integration reads countermeasures from SD Elements; it does not write back to your SD Elements project.
Re-run the sync for the mapping. ZeroPath reads countermeasures at sync time, so a fresh sync picks up additions, edits, and removals.
No. Scans run on ZeroPath’s infrastructure, on a schedule or on demand. The MCP servers are only how you drive setup and queries from your assistant.
Managing the connection and mappings is gated by your organization’s permissions, and creating a ZeroPath API token requires the admin role. See Teams & Permissions.

Assistant prompts you’ll use most

Setup
  • “Show me the Security Compass integration configured for my ZeroPath organization.”
  • “Test my Security Compass connection against project <SDE project ID>.”
Mapping and sync
  • “Map SD Elements project <ID> to repository <repo> in ZeroPath.”
  • “Sync rules for the <project> to <repo> mapping.”
  • “Show me the mapping audit for project <ID>.”
Scanning and results
  • “Run a full scan on <repo>.”
  • “Show recent Security Compass sync events.”
  • “Summarize findings from the latest scan of <repo>.”