The MCP server exposes 15 tools that map to ZeroPath’s REST V2 API. Tools are loaded from ZeroPath’s MCP manifest at startup, so your AI assistant always has access to current capabilities.

Issues

7 tools — list, triage, update status and severity

Scans

2 tools — list scan history, get scan details

Repositories

1 tool — list repositories with filtering

Rules

5 tools — full CRUD for custom security rules

Organization Scoping

Every tool accepts organizationId. The MCP server handles this automatically:
  • If ZEROPATH_ORG_ID is set, the server injects it into every request — you never need to pass it yourself.
  • If ZEROPATH_ORG_ID is not set, you must pass organizationId explicitly. Most tools require it at the API level; a few (like issues.list) can resolve org context from your auth session.
Set ZEROPATH_ORG_ID during installation to avoid passing organizationId in every call.

Issue Tools

issues.list

List and filter security issues. Uses offset-based pagination via offset and limit.
Parameter             Type      Required  Description
offset                integer   No        Starting index (default: 0)
limit                 integer   No        Results per page (default: 25, max: 100)
statuses              string[]  No        Filter by status: PENDING_REVIEW, REVIEWING, PATCHING, RESOLVED, BACKLOG, NON_EXPLOITABLE, FALSE_POSITIVE, ACCEPTED_RISK
scoreLevels           string[]  No        Filter by severity level: CRITICAL, HIGH, MEDIUM, LOW, INFO
scoreRange            object    No        Filter by numeric score range: { min: number, max: number } (0–100)
searchQuery           string    No        Free-text search across issue titles and descriptions
scanId                string    No        Filter to issues from a specific scan
languages             string[]  No        Filter by programming language
vulnerabilityClasses  string[]  No        Filter by vulnerability class (e.g., SQL Injection)
codeScanTypes         string[]  No        Filter by scan type
detectionTypes        string[]  No        Filter by detection category
repositoryBranches    object[]  No        Filter to specific repositories and branches
projectId             string    No        Filter to a specific project
sortBy                string    No        Sort field: createdAt, score, title, repository, class, file, patch
sortOrder             string    No        asc or desc
organizationId        string    No        Injected from ZEROPATH_ORG_ID when configured
{
  "offset": 0,
  "limit": 25,
  "statuses": ["PENDING_REVIEW"],
  "scoreLevels": ["CRITICAL", "HIGH"],
  "sortBy": "score",
  "sortOrder": "desc"
}

issues.archive

Archive issues to remove them from active views.
Parameter             Type      Required  Description
issueIds              string[]  Yes       Issue IDs to archive
reason                string    No        Reason for archiving
organizationId        string    Yes       Injected from ZEROPATH_ORG_ID; pass explicitly if not configured
{
  "issueIds": ["issue_123", "issue_456"],
  "reason": "Confirmed duplicate"
}

issues.unarchive

Restore archived issues back to active views.
Parameter             Type      Required  Description
issueIds              string[]  Yes       Issue IDs to unarchive
organizationId        string    Yes       Injected from ZEROPATH_ORG_ID; pass explicitly if not configured
{
  "issueIds": ["issue_123"]
}

issues.markFalsePositive

Mark issues as false positives. Removes them from active review.
Parameter             Type      Required  Description
issueIds              string[]  Yes       Issue IDs to mark
reason                string    No        Reason for the determination
organizationId        string    Yes       Injected from ZEROPATH_ORG_ID; pass explicitly if not configured
{
  "issueIds": ["issue_789"],
  "reason": "Input is sanitized by middleware"
}

issues.markTruePositive

Confirm issues as true positives.
Parameter             Type      Required  Description
issueIds              string[]  Yes       Issue IDs to confirm
reason                string    No        Reason for confirmation
organizationId        string    Yes       Injected from ZEROPATH_ORG_ID; pass explicitly if not configured
{
  "issueIds": ["issue_101", "issue_102"]
}

issues.updateStatus

Update the workflow status of one or more issues.
Parameter             Type      Required  Description
issueIds              string[]  Yes       Issue IDs to update
issueStatus           string    Yes       PENDING_REVIEW, REVIEWING, PATCHING, RESOLVED, or BACKLOG
reason                string    No        Reason for the status change
organizationId        string    Yes       Injected from ZEROPATH_ORG_ID; pass explicitly if not configured
The field name is issueStatus, not status. Using the wrong field name will cause a validation error.
{
  "issueIds": ["issue_123"],
  "issueStatus": "RESOLVED",
  "reason": "Fixed in PR #456"
}

issues.updateSeverity

Update the severity score of a single issue.
Parameter             Type      Required  Description
issueId               string    Yes       Single issue ID (not an array)
severity              number    Yes       Score from 0 to 10 (supports one decimal place)
reason                string    No        Reason for the severity change
organizationId        string    Yes       Injected from ZEROPATH_ORG_ID; pass explicitly if not configured
This tool takes a single issueId (string), not issueIds (array). The severity field is a number between 0 and 10 with at most one decimal place, not a string enum. Note that this is a different scale from the 0–100 scoreRange filter accepted by issues.list and scans.list.
{
  "issueId": "issue_123",
  "severity": 8.5,
  "reason": "Upgraded after confirming public exposure"
}

Scan Tools

scans.list

List scans with cursor-based pagination. Pass the nextCursor from a previous response to paginate forward.
Parameter             Type      Required  Description
cursor                object    No        Cursor from previous response: { createdAt: string, id: string }
limit                 number    No        Results per page (default: 20, max: 100)
repositoryIds         string[]  No        Filter to specific repositories
scanTypes             string[]  No        FullScan, PrScan (defaults to both)
searchQuery           string    No        Search by scan name
projectId             string    No        Filter by project ID
scoreRange            object    No        Filter by vulnerability score: { min: number, max: number } (0–100)
showEphemeral         boolean   No        Include CLI/ephemeral scans (default: false)
getCounts             boolean   No        Include vulnerability counts (default: true)
organizationId        string    No        Injected from ZEROPATH_ORG_ID when configured
{
  "limit": 10,
  "repositoryIds": ["repo_123"],
  "scanTypes": ["FullScan"]
}

scans.get

Get details for a specific scan.
Parameter             Type      Required  Description
scanId                string    Yes       Scan ID
organizationId        string    No        Injected from ZEROPATH_ORG_ID when configured
{
  "scanId": "scan_abc123"
}

Repository Tools

repositories.list

List repositories with cursor-based pagination (string cursor).
Parameter             Type      Required  Description
cursor                string    No        Cursor from the previous response's nextCursor
limit                 integer   No        Results per page (default: 20, max: 100)
sortBy                string    No        name or issues (default: name)
sortDirection         string    No        asc or desc (default: asc)
getCounts             boolean   No        Include issue counts (default: true, may impact performance)
organizationId        string    No        Injected from ZEROPATH_ORG_ID when configured
{
  "limit": 50,
  "sortBy": "issues",
  "sortDirection": "desc",
  "getCounts": true
}
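The three list tools above use two different paging schemes (offset/limit for issues.list, nextCursor for scans.list and repositories.list), and every call is subject to the organizationId injection rule from Organization Scoping. The following is an added example, not code from ZeroPath's MCP server or SDK, showing a client-side walker for both schemes with the org rule applied on the way out. It models a tool call as a plain callable (tool name, arguments) -> result dict, which in practice would wrap your MCP client's call_tool; the in-memory fake_tools server, the response field names ("issues", "scans", "repositories") and the constructed data are all assumptions for the demo.

```python
import os
from typing import Callable, Iterator, Optional

# A tool call is modelled as (tool name, arguments) -> parsed result dict.
# In a real client this wraps the MCP session's call_tool; here it is a stand-in.
ToolCall = Callable[[str, dict], dict]


def with_org(args: dict, env: Optional[dict] = None) -> dict:
    """Mirror the server's rule: inject organizationId from ZEROPATH_ORG_ID
    only when the caller did not pass one explicitly."""
    env = os.environ if env is None else env
    org = env.get("ZEROPATH_ORG_ID")
    if org and "organizationId" not in args:
        return {**args, "organizationId": org}
    return args


def iter_issues(call_tool: ToolCall, filters: Optional[dict] = None,
                page_size: int = 100, items_key: str = "issues",
                env: Optional[dict] = None) -> Iterator[dict]:
    """Walk issues.list with offset/limit until a short page signals the end.
    items_key is an assumption about which response field holds the page."""
    page_size = min(page_size, 100)            # issues.list caps limit at 100
    offset = 0
    while True:
        args = with_org({**(filters or {}), "offset": offset, "limit": page_size}, env)
        page = call_tool("issues.list", args).get(items_key, [])
        yield from page
        if len(page) < page_size:              # short or empty page: nothing further
            return
        offset += len(page)


def iter_cursor(call_tool: ToolCall, tool: str, filters: Optional[dict] = None,
                page_size: int = 100, items_key: str = "items",
                env: Optional[dict] = None) -> Iterator[dict]:
    """Walk a cursor-paginated tool (scans.list: object cursor; repositories.list:
    string cursor) by feeding nextCursor back in. A repeated cursor aborts the
    walk so a misbehaving server cannot spin the client forever."""
    cursor, seen = None, set()
    while True:
        args = {**(filters or {}), "limit": min(page_size, 100)}
        if cursor is not None:
            args["cursor"] = cursor
        resp = call_tool(tool, with_org(args, env))
        yield from resp.get(items_key, [])
        cursor = resp.get("nextCursor")
        if not cursor:
            return
        key = repr(sorted(cursor.items())) if isinstance(cursor, dict) else cursor
        if key in seen:
            raise RuntimeError(f"{tool} returned a repeated nextCursor: {cursor!r}")
        seen.add(key)


def fake_tools():
    """Constructed in-memory stand-in for the MCP server (not ZeroPath's real
    responses). Returns (call_tool, log) where log records every call made."""
    issues = [{"id": f"issue_{i}", "score": (i * 37) % 101} for i in range(230)]
    scans = [{"id": f"scan_{i}", "createdAt": f"2024-01-01T00:{i:02d}:00Z"} for i in range(45)]
    repos = [{"id": f"repo_{i}", "name": f"service-{i}"} for i in range(7)]
    log = []

    def call_tool(name, args):
        log.append((name, args))
        limit = min(int(args.get("limit", 20)), 100)
        if name == "issues.list":
            start = int(args.get("offset", 0))
            return {"issues": issues[start:start + limit]}
        if name == "scans.list":
            start = 0
            if args.get("cursor"):     # object cursor: resume after the referenced scan
                start = [s["id"] for s in scans].index(args["cursor"]["id"]) + 1
            page = scans[start:start + limit]
            more = start + limit < len(scans)
            nxt = {"createdAt": page[-1]["createdAt"], "id": page[-1]["id"]} if more else None
            return {"scans": page, "nextCursor": nxt}
        if name == "repositories.list":
            start = int(args["cursor"]) if args.get("cursor") else 0   # opaque string cursor
            more = start + limit < len(repos)
            return {"repositories": repos[start:start + limit],
                    "nextCursor": str(start + limit) if more else None}
        raise ValueError(f"unknown tool {name}")

    return call_tool, log


if __name__ == "__main__":
    call, log = fake_tools()
    env = {"ZEROPATH_ORG_ID": "org_example"}   # stands in for the real environment variable
    total = sum(1 for _ in iter_issues(call, {"statuses": ["PENDING_REVIEW"]}, env=env))
    print(f"{total} issues over {len(log)} issues.list calls, org", log[0][1]["organizationId"])
```

The short-page stop condition for offset paging means an exact multiple of page_size costs one extra empty call, which is cheaper than trusting a total count that may change while you page. The cursor walker treats a repeated nextCursor as a hard error rather than silently re-yielding the same page, and it keys object cursors on their sorted contents so the guard works for both the scans.list object cursor and the repositories.list string cursor.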

Rule Tools

rules.list

List custom security rules. Uses offset-based pagination.
Parameter             Type      Required  Description
offset                integer   No        Starting index (default: 0)
limit                 integer   No        Results per page (default: 20, max: 100)
repositoryId          string    No        Filter rules by repository
organizationId        string    No        Injected from ZEROPATH_ORG_ID when configured
{
  "offset": 0,
  "limit": 25
}

rules.get

Get details for a specific rule, including associated repository names.
Parameter             Type      Required  Description
ruleId                string    Yes       Rule ID
organizationId        string    No        Injected from ZEROPATH_ORG_ID when configured
{
  "ruleId": "rule_xyz789"
}

rules.create

Create a custom security rule.
Parameter             Type      Required  Description
name                  string    Yes       Rule name
rule                  string    Yes       Natural language rule definition
globPattern           string    No        File pattern (default: **/*)
sourceTypes           string[]  No        HTTP_HANDLER, FILE_HANDLER, STDIN_HANDLER, BROWSER_DATA, WEBSOCKET, SOCKET, CLI_ARGUMENT, MOBILE_INPUTS
repositoryIds         string[]  No        Limit to specific repositories
tagIds                string[]  No        Tag IDs to associate with the rule
organizationId        string    No        Injected from ZEROPATH_ORG_ID when configured
{
  "name": "Detect unsafe eval",
  "rule": "Detect any use of eval() on user input",
  "globPattern": "**/*.{js,ts}",
  "sourceTypes": ["HTTP_HANDLER", "FILE_HANDLER"],
  "repositoryIds": ["repo_123"],
  "tagIds": ["tag_1"]
}

rules.update

Update an existing rule. Only the fields you include will be modified.
Parameter             Type      Required  Description
ruleId                string    Yes       Rule ID to update
name                  string    No        Updated name
rule                  string    No        Updated definition
globPattern           string    No        Updated file pattern
sourceTypes           string[]  No        Updated source types
repositoryIds         string[]  No        Updated repository scope
tagIds                string[]  No        Updated tag associations
organizationId        string    No        Injected from ZEROPATH_ORG_ID when configured
{
  "ruleId": "rule_xyz789",
  "name": "Detect unsafe eval (updated)",
  "globPattern": "**/*.{js,ts,jsx,tsx}"
}

rules.delete

Delete a custom rule.
Parameter             Type      Required  Description
ruleId                string    Yes       Rule ID to delete
organizationId        string    No        Injected from ZEROPATH_ORG_ID when configured
{
  "ruleId": "rule_xyz789"
}

Common Workflows

Triage issues

  1. List pending issues — call issues.list with statuses: ["PENDING_REVIEW"] sorted by score descending.
  2. Review each issue — ask your AI assistant to summarize the vulnerability and affected code.
  3. Classify — use issues.markTruePositive or issues.markFalsePositive with a reason.
  4. Update status — move confirmed issues to REVIEWING or PATCHING with issues.updateStatus.
  5. Adjust severity — if the auto-assigned score doesn’t match your assessment, use issues.updateSeverity with a value from 0 to 10.

Manage custom rules

  1. List existing rules — call rules.list to see what’s already configured.
  2. Create a rule — use rules.create with a natural language description. ZeroPath’s scanner will match this pattern during future scans.
  3. Scope it — use repositoryIds to limit the rule to specific repos, globPattern to limit to specific file types, and sourceTypes to target specific entry points.
  4. Tag it — use tagIds to associate the rule with tags for organization.
  5. Iterate — update with rules.update as you refine the pattern.

Review scans

  1. List recent scans — call scans.list to see scan history. Filter with scanTypes: ["FullScan"] for scheduled scans or ["PrScan"] for PR scans.
  2. Get scan details — use scans.get with a specific scanId to see status, branch, and issue counts.
  3. Drill into findings — call issues.list with a scanId filter to see only issues from that scan.
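The triage workflow above is five separate tool calls with two easy-to-get-wrong argument shapes (issueStatus rather than status; a single issueId and a 0–10 number for severity). The following is an added example, not ZeroPath's own code, that runs the whole workflow against a tool-call callable: it builds the arguments with the field checks from the tool descriptions, batches verdicts that share a reason so each call still carries an accurate audit reason, and flattens a BAD_REQUEST error into field-level messages using the shape documented under Error Handling. The Decision type, the decide_example policy, the fake_tools server and the issue fields other than id and score are assumptions constructed for the demo.

```python
from dataclasses import dataclass
from typing import Optional

# Tool calls are modelled as (tool name, arguments) -> result dict. A failed call is
# assumed to come back as the {"error": {...}} document shown under Error Handling.
ISSUE_STATUSES = ("PENDING_REVIEW", "REVIEWING", "PATCHING", "RESOLVED", "BACKLOG")


def update_status_args(issue_ids, issue_status, reason=None):
    """Arguments for issues.updateStatus. The field is issueStatus, not status."""
    if isinstance(issue_ids, str) or not issue_ids:
        raise ValueError("issueIds must be a non-empty list of IDs")
    if issue_status not in ISSUE_STATUSES:
        raise ValueError(f"issueStatus must be one of {ISSUE_STATUSES}")
    args = {"issueIds": list(issue_ids), "issueStatus": issue_status}
    return {**args, "reason": reason} if reason else args


def update_severity_args(issue_id, severity, reason=None):
    """Arguments for issues.updateSeverity: one string ID and a 0-10 number."""
    if not isinstance(issue_id, str):
        raise ValueError("issueId is a single string, not an array")
    if isinstance(severity, bool) or not isinstance(severity, (int, float)):
        raise ValueError("severity is a number, not a string enum")
    if not 0 <= severity <= 10 or round(severity, 1) != severity:
        raise ValueError("severity must be 0-10 with at most one decimal place")
    args = {"issueId": issue_id, "severity": severity}
    return {**args, "reason": reason} if reason else args


def validation_errors(result):
    """Flatten a BAD_REQUEST result into {path: message}; {} when the call succeeded."""
    err = result.get("error") or {}
    if err.get("code") != "BAD_REQUEST":
        return {}
    return {i["path"]: i["message"] for i in err.get("data", {}).get("issues", [])}


@dataclass
class Decision:                       # assumed shape of a reviewer's verdict
    true_positive: bool
    reason: str                       # recorded on the issue for the audit trail
    severity: Optional[float] = None  # 0-10 override of the auto-assigned score


def triage_pending(call_tool, decide, limit=100):
    """Steps 1-5 of the triage workflow: pull PENDING_REVIEW issues by score,
    classify each with decide(issue) -> Decision, batch verdicts that share a
    reason, move confirmed issues to PATCHING and apply severity overrides."""
    page = call_tool("issues.list", {"offset": 0, "limit": limit,
                                     "statuses": ["PENDING_REVIEW"],
                                     "sortBy": "score", "sortOrder": "desc"})
    decisions = {issue["id"]: decide(issue) for issue in page.get("issues", [])}
    summary = {"true_positive": 0, "false_positive": 0, "severity_updates": 0, "errors": []}

    def send(tool, args):             # returns True on success, records field errors otherwise
        errors = validation_errors(call_tool(tool, args))
        if errors:
            summary["errors"].append((tool, errors))
        return not errors

    batches = {}                      # (verdict, reason) -> issue IDs sharing that reason
    for issue_id, d in decisions.items():
        batches.setdefault((d.true_positive, d.reason), []).append(issue_id)
    for (is_tp, reason), ids in batches.items():
        tool = "issues.markTruePositive" if is_tp else "issues.markFalsePositive"
        if send(tool, {"issueIds": ids, "reason": reason}):
            summary["true_positive" if is_tp else "false_positive"] += len(ids)

    confirmed = [i for i, d in decisions.items() if d.true_positive]
    if confirmed:
        send("issues.updateStatus", update_status_args(confirmed, "PATCHING", "Confirmed during triage"))
    for issue_id in confirmed:
        d = decisions[issue_id]
        if d.severity is not None and send(
                "issues.updateSeverity", update_severity_args(issue_id, d.severity, d.reason)):
            summary["severity_updates"] += 1
    return summary


def decide_example(issue):
    """Constructed triage policy for the demo, not a ZeroPath rule."""
    if issue["file"].startswith("test/"):
        return Decision(False, "Finding is in test fixtures")
    if issue["vulnerabilityClass"] == "SQL Injection" and issue["score"] >= 70:
        return Decision(True, "Reachable from an HTTP handler", severity=9.0)
    return Decision(True, "Confirmed by manual review")


def fake_tools():
    """Constructed stand-in for the MCP server; returns (call_tool, log of calls)."""
    pending = [  # constructed issues, already sorted by score desc as issues.list would return them
        {"id": "issue_101", "score": 92, "vulnerabilityClass": "SQL Injection", "file": "src/db/users.py"},
        {"id": "issue_102", "score": 71, "vulnerabilityClass": "SQL Injection", "file": "src/api/orders.py"},
        {"id": "issue_103", "score": 55, "vulnerabilityClass": "Path Traversal", "file": "src/files.py"},
        {"id": "issue_104", "score": 40, "vulnerabilityClass": "XSS", "file": "test/fixtures/page.html"},
    ]
    log = []

    def call_tool(name, args):
        log.append((name, args))
        if name == "issues.list":
            return {"issues": pending}
        if name == "issues.updateStatus" and "issueStatus" not in args:   # the documented mistake
            return {"error": {"code": "BAD_REQUEST", "message": "Input validation failed",
                              "data": {"issues": [{"path": "issueStatus", "message": "Required"}]}}}
        return {"ok": True}

    return call_tool, log
```

Grouping by (verdict, reason) is what lets you follow both the "batch updates" and "include reasons" tips at once: one markTruePositive call per distinct reason instead of one per issue, without collapsing different justifications into a single vague reason. Because decisions[...] is keyed by issue ID, a duplicated ID in a page can never produce two conflicting verdicts for the same issue.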

Error Handling

Failed tool calls return structured errors:

  • Validation error (BAD_REQUEST): returned when input validation fails. Check the data.issues array for field-level details, for example:
{
  "error": {
    "code": "BAD_REQUEST",
    "message": "Input validation failed",
    "data": {
      "issues": [
        { "path": "issueIds", "message": "Required" }
      ]
    }
  }
}
  • Authentication error: verify your ZEROPATH_TOKEN_ID and ZEROPATH_TOKEN_SECRET are correct and the API key is active.
  • Permission error: the API key does not have the required permissions for this operation. Check your key’s role in ZeroPath Settings.
  • Not found: the specified ID (issue, scan, rule, or repository) was not found. Verify the ID is correct and belongs to your organization.

Tips

  • Paginate — always paginate large result sets. Use offset/limit for issues and rules, cursor/limit for scans and repositories.
  • Filter early — use the statuses, scoreLevels, repositoryIds, and repositoryBranches filters to reduce response size before it reaches your assistant’s context.
  • Batch updates — pass multiple IDs in a single call when archiving, marking, or updating status.
  • Include reasons — add a reason when archiving, marking false/true positives, or changing status for audit trails.
  • Set org context — configure ZEROPATH_ORG_ID during installation so the server injects organizationId into every request automatically.