The MCP server exposes tools that map to ZeroPath’s REST V2 API. Tools are loaded from ZeroPath’s MCP manifest at startup, so your AI assistant always has access to current capabilities.

  • Issues: 10 tools — list, triage, investigate, update status and severity
  • Scans: 2 tools — list scan history, get scan details
  • Repositories: 1 tool — list repositories with filtering
  • Code Inspection: 3 tools — search, read, and list files in connected repositories
  • Rules: 5 tools — full CRUD for custom security rules

Organization Scoping

Every tool accepts organizationId. The MCP server handles this automatically:
  • If ZEROPATH_ORG_ID is set, the server injects it into every request — you never need to pass it yourself.
  • If ZEROPATH_ORG_ID is not set, you must pass organizationId explicitly. Most tools require it at the API level; a few (like issues.list) can resolve org context from your auth session.
Set ZEROPATH_ORG_ID during installation to avoid passing organizationId in every call.
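The injection rule above, mirrored client-side as an added example that is not part of the original page or the ZeroPath server code: scope_arguments and ORG_REQUIRED_TOOLS are hypothetical names, the set of tools that require organizationId is taken from the Required column of the tool tables on this page, and whether an explicitly passed organizationId wins over the environment variable is an assumption.

```python
import os
from typing import Mapping, Optional

# Tools whose parameter tables mark organizationId as Required; issues.list and the
# read-only tools can fall back to the org context of the auth session.
ORG_REQUIRED_TOOLS = frozenset({
    "issues.archive", "issues.unarchive", "issues.markFalsePositive",
    "issues.markTruePositive", "issues.updateStatus", "issues.updateSeverity",
})


def scope_arguments(tool: str, arguments: dict,
                    env: Optional[Mapping[str, str]] = None) -> dict:
    """Return the argument object as the MCP server would forward it.

    If ZEROPATH_ORG_ID is set it is injected (an explicitly passed organizationId
    is kept; that precedence is an assumption). Otherwise the caller must have
    supplied organizationId for tools that require it at the API level, and we
    fail locally instead of sending a request that the API will reject.
    """
    env = os.environ if env is None else env
    scoped = dict(arguments)  # never mutate the caller's dict
    org_id = env.get("ZEROPATH_ORG_ID")
    if org_id:
        scoped.setdefault("organizationId", org_id)
    elif tool in ORG_REQUIRED_TOOLS and not scoped.get("organizationId"):
        raise ValueError(
            f"{tool} requires organizationId: set ZEROPATH_ORG_ID or pass it explicitly")
    return scoped
```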

Issue Tools

issues.list

List and filter security issues. Uses offset-based pagination via offset and limit.
Parameter | Type | Required | Description
offset | integer | No | Starting index (default: 0)
limit | integer | No | Results per page (default: 25, max: 100)
statuses | string[] | No | Filter by status: PENDING_REVIEW, REVIEWING, PATCHING, RESOLVED, BACKLOG, INFORMATIONAL, NON_EXPLOITABLE, FALSE_POSITIVE, ACCEPTED_RISK
scoreLevels | string[] | No | Filter by severity level: CRITICAL, HIGH, MEDIUM, LOW, INFO
scoreRange | object | No | Filter by numeric score range: { min: number, max: number } (0–100)
searchQuery | string | No | Free-text search across issue titles and descriptions
scanId | string | No | Filter to issues from a specific scan
languages | string[] | No | Filter by programming language
vulnerabilityClasses | string[] | No | Filter by vulnerability class (e.g., SQL Injection)
codeScanTypes | string[] | No | Filter by scan type
detectionTypes | string[] | No | Filter by detection category
repositoryBranches | object[] | No | Filter to specific repositories and branches
projectId | string | No | Filter to a specific project
sortBy | string | No | Sort field: createdAt, score, title, repository, class, file, patch
sortOrder | string | No | asc or desc
organizationId | string | No | Injected from ZEROPATH_ORG_ID when configured
{
  "offset": 0,
  "limit": 25,
  "statuses": ["PENDING_REVIEW"],
  "scoreLevels": ["CRITICAL", "HIGH"],
  "sortBy": "score",
  "sortOrder": "desc"
}

issues.archive

Archive issues to remove them from active views.
Parameter | Type | Required | Description
issueIds | string[] | Yes | Issue IDs to archive
reason | string | No | Reason for archiving
organizationId | string | Yes | Injected from ZEROPATH_ORG_ID; pass explicitly if not configured
{
  "issueIds": ["issue_123", "issue_456"],
  "reason": "Confirmed duplicate"
}

issues.unarchive

Restore archived issues back to active views.
Parameter | Type | Required | Description
issueIds | string[] | Yes | Issue IDs to unarchive
organizationId | string | Yes | Injected from ZEROPATH_ORG_ID; pass explicitly if not configured
{
  "issueIds": ["issue_123"]
}

issues.markFalsePositive

Mark issues as false positives. Removes them from active review.
Parameter | Type | Required | Description
issueIds | string[] | Yes | Issue IDs to mark
reason | string | No | Reason for the determination
organizationId | string | Yes | Injected from ZEROPATH_ORG_ID; pass explicitly if not configured
{
  "issueIds": ["issue_789"],
  "reason": "Input is sanitized by middleware"
}

issues.markTruePositive

Confirm issues as true positives.
Parameter | Type | Required | Description
issueIds | string[] | Yes | Issue IDs to confirm
reason | string | No | Reason for confirmation
organizationId | string | Yes | Injected from ZEROPATH_ORG_ID; pass explicitly if not configured
{
  "issueIds": ["issue_101", "issue_102"]
}

issues.updateStatus

Update the workflow status of one or more issues.
Parameter | Type | Required | Description
issueIds | string[] | Yes | Issue IDs to update
issueStatus | string | Yes | PENDING_REVIEW, REVIEWING, PATCHING, RESOLVED, BACKLOG, or INFORMATIONAL
reason | string | No | Reason for the status change
organizationId | string | Yes | Injected from ZEROPATH_ORG_ID; pass explicitly if not configured
The field name is issueStatus, not status. Using the wrong field name will cause a validation error.
{
  "issueIds": ["issue_123"],
  "issueStatus": "RESOLVED",
  "reason": "Fixed in PR #456"
}

issues.updateSeverity

Update the severity score of a single issue.
Parameter | Type | Required | Description
issueId | string | Yes | Single issue ID (not an array)
severity | number | Yes | Score from 0 to 10 (supports one decimal place)
reason | string | No | Reason for the severity change
organizationId | string | Yes | Injected from ZEROPATH_ORG_ID; pass explicitly if not configured
This tool takes a single issueId (string), not issueIds (array). The severity field is a number between 0 and 10, not a string enum.
{
  "issueId": "issue_123",
  "severity": 8.5,
  "reason": "Upgraded after confirming public exposure"
}
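A client-side check for the two field-name pitfalls called out above (issueStatus vs. status, issueId vs. issueIds) plus the severity range, as an added example that is not part of the original page or the ZeroPath server code. The function names are hypothetical, the allowed statuses and the 0 to 10 one-decimal severity rule come from the tables above, and the returned object copies the BAD_REQUEST shape documented under Error Handling so a local failure looks the same as a server one.

```python
# Statuses issues.updateStatus accepts. FALSE_POSITIVE, NON_EXPLOITABLE and
# ACCEPTED_RISK are filter values for issues.list, not valid here; false
# positives are set through issues.markFalsePositive instead.
VALID_ISSUE_STATUSES = frozenset({
    "PENDING_REVIEW", "REVIEWING", "PATCHING", "RESOLVED", "BACKLOG", "INFORMATIONAL",
})


def _bad_request(issues: list) -> dict:
    """Build an error object in the same shape the server returns for validation failures."""
    return {"error": {"code": "BAD_REQUEST", "message": "Input validation failed",
                      "data": {"issues": issues}}}


def validate_update_status(args: dict):
    """Return None if args are valid for issues.updateStatus, else a BAD_REQUEST object."""
    issues = []
    if "status" in args and "issueStatus" not in args:
        issues.append({"path": "issueStatus",
                       "message": "Required (the field is issueStatus, not status)"})
    elif args.get("issueStatus") not in VALID_ISSUE_STATUSES:
        issues.append({"path": "issueStatus", "message": "Invalid enum value"})
    if not isinstance(args.get("issueIds"), list) or not args["issueIds"]:
        issues.append({"path": "issueIds", "message": "Required"})
    return _bad_request(issues) if issues else None


def validate_update_severity(args: dict):
    """Return None if args are valid for issues.updateSeverity, else a BAD_REQUEST object."""
    issues = []
    if "issueIds" in args and "issueId" not in args:
        issues.append({"path": "issueId",
                       "message": "Required (a single issueId string, not an issueIds array)"})
    elif not isinstance(args.get("issueId"), str) or not args["issueId"]:
        issues.append({"path": "issueId", "message": "Required"})
    sev = args.get("severity")
    # bool is a subclass of int in Python, so exclude it explicitly
    if isinstance(sev, bool) or not isinstance(sev, (int, float)):
        issues.append({"path": "severity", "message": "Expected a number from 0 to 10"})
    elif not 0 <= sev <= 10:
        issues.append({"path": "severity", "message": "Must be between 0 and 10"})
    elif round(sev, 1) != sev:
        issues.append({"path": "severity", "message": "At most one decimal place"})
    return _bad_request(issues) if issues else None
```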

issues.requestInvestigation

Request an on-demand investigation of a finding using larger AI models for higher-confidence validation.
Parameter | Type | Required | Description
issueId | string | Yes | Issue ID to investigate
organizationId | string | No | Injected from ZEROPATH_ORG_ID when configured
{
  "issueId": "issue_123"
}
If an investigation is already in progress for the issue, the response returns the existing investigation with "status": "already_pending" instead of creating a duplicate.

issues.requestBulkInvestigation

Request investigations for multiple issues at once.
Parameter | Type | Required | Description
issueIds | string[] | Yes | Issue IDs to investigate
organizationId | string | No | Injected from ZEROPATH_ORG_ID when configured
{
  "issueIds": ["issue_123", "issue_456", "issue_789"]
}
Issues that already have a pending or in-progress investigation are skipped. Issues that do not belong to your organization are counted as unauthorized.

issues.getInvestigationStatus

Get the latest investigation result for an issue.
Parameter | Type | Required | Description
issueId | string | Yes | Issue ID
organizationId | string | No | Injected from ZEROPATH_ORG_ID when configured
{
  "issueId": "issue_123"
}
Returns null if no investigation has been requested for the issue. The status field can be PENDING, PROCESSING, COMPLETED, or FAILED.

Scan Tools

scans.list

List scans with cursor-based pagination. Pass the nextCursor from a previous response to paginate forward.
Parameter | Type | Required | Description
cursor | object | No | Cursor from previous response: { createdAt: string, id: string }
limit | number | No | Results per page (default: 20, max: 100)
repositoryIds | string[] | No | Filter to specific repositories
scanTypes | string[] | No | FullScan, PrScan (defaults to both)
searchQuery | string | No | Search by scan name
projectId | string | No | Filter by project ID
scoreRange | object | No | Filter by vulnerability score: { min: number, max: number } (0–100)
showEphemeral | boolean | No | Include CLI/ephemeral scans (default: false)
getCounts | boolean | No | Include vulnerability counts (default: true)
organizationId | string | No | Injected from ZEROPATH_ORG_ID when configured
{
  "limit": 10,
  "repositoryIds": ["repo_123"],
  "scanTypes": ["FullScan"]
}

scans.get

Get details for a specific scan.
Parameter | Type | Required | Description
scanId | string | Yes | Scan ID
organizationId | string | No | Injected from ZEROPATH_ORG_ID when configured
{
  "scanId": "scan_abc123"
}

Repository Tools

repositories.list

List repositories with cursor-based pagination (string cursor).
Parameter | Type | Required | Description
cursor | string | No | Cursor from the previous response's nextCursor
limit | integer | No | Results per page (default: 20, max: 100)
sortBy | string | No | name or issues (default: name)
sortDirection | string | No | asc or desc (default: asc)
getCounts | boolean | No | Include issue counts (default: true, may impact performance)
organizationId | string | No | Injected from ZEROPATH_ORG_ID when configured
{
  "limit": 50,
  "sortBy": "issues",
  "sortDirection": "desc",
  "getCounts": true
}
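Cursor pagination for scans.list and repositories.list, as an added example that is not part of the original page or the ZeroPath server code. The helper passes nextCursor back unchanged, so the object cursor of scans.list ({ createdAt, id }) and the string cursor of repositories.list are handled identically; it assumes a hypothetical call_tool function returning the parsed tool result with an items list next to nextCursor (the items key is an assumption), and the backend here is a constructed fake.

```python
from typing import Callable, Iterator, List


def iterate_cursor(call_tool: Callable[[str, dict], dict], tool: str,
                   arguments: dict, max_pages: int = 1000) -> Iterator[dict]:
    """Yield every item of a cursor-paginated tool (scans.list, repositories.list).

    Each page's nextCursor is sent back as the next request's cursor without
    being inspected, so object and string cursors work the same way. max_pages
    guards against a backend that keeps returning the same cursor, which would
    otherwise loop forever.
    """
    cursor = None
    for _ in range(max_pages):
        args = dict(arguments)              # do not mutate the caller's dict
        if cursor is not None:
            args["cursor"] = cursor
        page = call_tool(tool, args)
        yield from page.get("items", [])    # "items" key is an assumption
        cursor = page.get("nextCursor")
        if not cursor:
            return
    raise RuntimeError(f"{tool}: gave up after {max_pages} pages")


# Constructed fake backend: three scans, newest first, served with the scans.list
# object cursor so that limit=2 forces the loop across a page boundary.
FAKE_SCANS = [
    {"id": "scan_1", "createdAt": "2024-01-03T00:00:00Z", "scanType": "FullScan"},
    {"id": "scan_2", "createdAt": "2024-01-02T00:00:00Z", "scanType": "FullScan"},
    {"id": "scan_3", "createdAt": "2024-01-01T00:00:00Z", "scanType": "FullScan"},
]


def fake_call_tool(tool: str, args: dict) -> dict:
    assert tool == "scans.list"
    limit = args.get("limit", 20)
    start = 0
    if args.get("cursor"):
        ids = [s["id"] for s in FAKE_SCANS]
        start = ids.index(args["cursor"]["id"]) + 1   # resume after the cursor's id
    page = FAKE_SCANS[start:start + limit]
    result = {"items": page}
    if start + limit < len(FAKE_SCANS):
        result["nextCursor"] = {"createdAt": page[-1]["createdAt"], "id": page[-1]["id"]}
    return result


def all_scan_ids(limit: int = 2) -> List[str]:
    args = {"limit": limit, "scanTypes": ["FullScan"]}
    return [s["id"] for s in iterate_cursor(fake_call_tool, "scans.list", args)]
```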

Code Inspection Tools

These tools allow you to browse and search source code directly in connected GitHub and GitLab repositories without cloning.

Search for code within a repository.
Parameter | Type | Required | Description
repositoryId | string | Yes | Repository ID to search in
query | string | Yes | Search query (1–512 characters)
ref | string | No | Git ref (branch/tag/commit). GitLab only — GitHub always searches the default branch
pathPrefix | string | No | Restrict results to a directory subtree
limit | integer | No | Max results (default: 10, max: 50)
organizationId | string | No | Injected from ZEROPATH_ORG_ID when configured
{
  "repositoryId": "repo_123",
  "query": "password",
  "pathPrefix": "src/auth",
  "limit": 5
}

code.read

Read the contents of a file in a repository.
Parameter | Type | Required | Description
repositoryId | string | Yes | Repository ID
path | string | Yes | File path within the repository
ref | string | No | Git ref (branch/tag/commit)
startLine | integer | No | First line to return (1-based)
endLine | integer | No | Last line to return (must be >= startLine)
organizationId | string | No | Injected from ZEROPATH_ORG_ID when configured
{
  "repositoryId": "repo_123",
  "path": "src/auth/login.ts",
  "startLine": 40,
  "endLine": 50
}
Responses are capped at 1,000 lines and 200 KB. The truncatedByLineRange and truncatedByByteLimit flags indicate whether the response was truncated.

code.listFiles

List files and directories within a repository path.
Parameter | Type | Required | Description
repositoryId | string | Yes | Repository ID
path | string | No | Directory path (defaults to repository root)
ref | string | No | Git ref (branch/tag/commit)
cursor | string | No | Pagination cursor (GitLab only)
limit | integer | No | Max results (default: 100, max: 200)
organizationId | string | No | Injected from ZEROPATH_ORG_ID when configured
{
  "repositoryId": "repo_123",
  "path": "src/auth"
}
Code inspection is currently supported for GitHub and GitLab repositories. Bitbucket, generic Git, and uploaded repositories are not yet supported.

Rule Tools

rules.list

List custom security rules. Uses offset-based pagination.
Parameter | Type | Required | Description
offset | integer | No | Starting index (default: 0)
limit | integer | No | Results per page (default: 20, max: 100)
repositoryId | string | No | Filter rules by repository
organizationId | string | No | Injected from ZEROPATH_ORG_ID when configured
{
  "offset": 0,
  "limit": 25
}

rules.get

Get details for a specific rule, including associated repository names.
Parameter | Type | Required | Description
ruleId | string | Yes | Rule ID
organizationId | string | No | Injected from ZEROPATH_ORG_ID when configured
{
  "ruleId": "rule_xyz789"
}

rules.create

Create a custom security rule.
Parameter | Type | Required | Description
name | string | Yes | Rule name
rule | string | Yes | Natural language rule definition
globPattern | string | No | File pattern (default: **/*)
sourceTypes | string[] | No | HTTP_HANDLER, FILE_HANDLER, STDIN_HANDLER, BROWSER_DATA, WEBSOCKET, SOCKET, CLI_ARGUMENT, MOBILE_INPUTS
repositoryIds | string[] | No | Limit to specific repositories
tagIds | string[] | No | Tag IDs to associate with the rule
organizationId | string | No | Injected from ZEROPATH_ORG_ID when configured
{
  "name": "Detect unsafe eval",
  "rule": "Detect any use of eval() on user input",
  "globPattern": "**/*.{js,ts}",
  "sourceTypes": ["HTTP_HANDLER", "FILE_HANDLER"],
  "repositoryIds": ["repo_123"],
  "tagIds": ["tag_1"]
}

rules.update

Update an existing rule. Only the fields you include will be modified.
Parameter | Type | Required | Description
ruleId | string | Yes | Rule ID to update
name | string | No | Updated name
rule | string | No | Updated definition
globPattern | string | No | Updated file pattern
sourceTypes | string[] | No | Updated source types
repositoryIds | string[] | No | Updated repository scope
tagIds | string[] | No | Updated tag associations
organizationId | string | No | Injected from ZEROPATH_ORG_ID when configured
{
  "ruleId": "rule_xyz789",
  "name": "Detect unsafe eval (updated)",
  "globPattern": "**/*.{js,ts,jsx,tsx}"
}

rules.delete

Delete a custom rule.
Parameter | Type | Required | Description
ruleId | string | Yes | Rule ID to delete
organizationId | string | No | Injected from ZEROPATH_ORG_ID when configured
{
  "ruleId": "rule_xyz789"
}

Common Workflows

  1. List pending issues — call issues.list with statuses: ["PENDING_REVIEW"] sorted by score descending.
  2. Review each issue — ask your AI assistant to summarize the vulnerability and affected code.
  3. Classify — use issues.markTruePositive or issues.markFalsePositive with a reason.
  4. Update status — move confirmed issues to REVIEWING or PATCHING with issues.updateStatus.
  5. Adjust severity — if the auto-assigned score doesn’t match your assessment, use issues.updateSeverity with a value from 0 to 10.

  1. List existing rules — call rules.list to see what’s already configured.
  2. Create a rule — use rules.create with a natural language description. ZeroPath’s scanner will match this pattern during future scans.
  3. Scope it — use repositoryIds to limit the rule to specific repos, globPattern to limit to specific file types, and sourceTypes to target specific entry points.
  4. Tag it — use tagIds to associate the rule with tags for organization.
  5. Iterate — update with rules.update as you refine the pattern.

  1. List recent scans — call scans.list to see scan history. Filter with scanTypes: ["FullScan"] for scheduled scans or ["PrScan"] for PR scans.
  2. Get scan details — use scans.get with a specific scanId to see status, branch, and issue counts.
  3. Drill into findings — call issues.list with a scanId filter to see only issues from that scan.
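The issue-triage workflow above (steps 1 and 4), as an added example that is not part of the original page or the ZeroPath server code: it pages through issues.list with offset/limit and then groups status changes into as few issues.updateStatus calls as possible. It assumes a hypothetical call_tool function that returns the tool result with an items list (the key name is an assumption), uses a constructed fake backend, and the score threshold policy is illustrative, not ZeroPath's.

```python
from typing import Callable, Dict, List, Tuple


def fetch_pending_issues(call_tool: Callable[[str, dict], dict],
                         limit: int = 100) -> List[dict]:
    """Step 1: walk issues.list with offset/limit until a short page comes back."""
    issues, offset = [], 0
    while True:
        page = call_tool("issues.list", {
            "offset": offset, "limit": limit,
            "statuses": ["PENDING_REVIEW"], "sortBy": "score", "sortOrder": "desc",
        })
        items = page.get("items", [])       # "items" key is an assumption
        issues.extend(items)
        if len(items) < limit:              # last page reached
            return issues
        offset += limit


def batch_status_updates(decisions: List[Tuple[str, str, str]]) -> List[dict]:
    """Step 4: one issues.updateStatus argument object per (issueStatus, reason) pair.

    A single call carries one issueStatus and one reason for every ID in issueIds,
    so IDs can only share a call when both match. Insertion order is preserved
    so the highest-scoring issues are submitted first.
    """
    groups: Dict[Tuple[str, str], List[str]] = {}
    for issue_id, status, reason in decisions:
        groups.setdefault((status, reason), []).append(issue_id)
    return [{"issueIds": ids, "issueStatus": status, "reason": reason}
            for (status, reason), ids in groups.items()]


# Constructed fake backend: five pending issues, so limit=2 forces three pages.
FAKE_ISSUES = [{"id": f"issue_{n}", "score": s}
               for n, s in enumerate([95, 88, 72, 40, 10], start=1)]


def fake_call_tool(tool: str, args: dict) -> dict:
    assert tool == "issues.list" and args["statuses"] == ["PENDING_REVIEW"]
    ordered = sorted(FAKE_ISSUES, key=lambda i: i["score"],
                     reverse=args["sortOrder"] == "desc")
    return {"items": ordered[args["offset"]:args["offset"] + args["limit"]]}


def triage_plan(limit: int = 2) -> List[dict]:
    """Illustrative policy: score >= 70 goes to PATCHING, the rest to REVIEWING."""
    decisions = []
    for issue in fetch_pending_issues(fake_call_tool, limit=limit):
        if issue["score"] >= 70:
            decisions.append((issue["id"], "PATCHING", "High score, queued for patching"))
        else:
            decisions.append((issue["id"], "REVIEWING", "Needs manual review"))
    return batch_status_updates(decisions)
```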

Error Handling

Failed tool calls return structured errors:

Returned when input validation fails. Check the data.issues array for field-level details.
{
  "error": {
    "code": "BAD_REQUEST",
    "message": "Input validation failed",
    "data": {
      "issues": [
        { "path": "issueIds", "message": "Required" }
      ]
    }
  }
}
Verify your ZEROPATH_TOKEN_ID and ZEROPATH_TOKEN_SECRET are correct and the API key is active.

The API key does not have the required permissions for this operation. Check your key’s role in ZeroPath Settings.

The specified ID (issue, scan, rule, or repository) was not found. Verify the ID is correct and belongs to your organization.

Tips

  • Paginate — always paginate large result sets. Use offset/limit for issues and rules, cursor/limit for scans and repositories.
  • Filter early — use status, severity, and repository filters to reduce response size.
  • Batch updates — pass multiple IDs in a single call when archiving, marking, or updating status.
  • Include reasons — add a reason when archiving, marking false/true positives, or changing status for audit trails.
  • Set org context — configure ZEROPATH_ORG_ID during installation so the server injects organizationId into every request automatically.