Skip to main content
ZeroPath gives you two natural-language surfaces for tuning scans: Repository Context and Custom Rules. They sound similar but do different jobs, and most of the value comes from using them together. This page is a side-by-side reference for choosing between them.

Repository Context

A natural-language knowledge layer that tells ZeroPath things about your codebase it cannot infer from code alone. Refines existing findings — reduces false positives.

Custom Rules

Natural-language security policies ZeroPath evaluates during scans across your selected repositories. Generates new findings when violated.
Declarative vs. imperative is the cleanest mental split. Context says “X is already true in our stack.” Rules say “X must always hold; flag any violation.”

At a glance

DimensionRepository ContextCustom Rules
PurposeReduce false positives, teach ZeroPath your architectureEnforce org-specific security policy, cover gaps in built-in SAST
PhrasingDeclarative — facts about your stackImperative — policies that must hold
Effect on findingsRefines existing findings; reduces noiseGenerates new findings alongside SAST results
Visibility to engineersInvisible improvement — fewer false alarms in PRsVisible findings with severity, confidence, file, and remediation
Mental model”Onboarding doc for ZeroPath""Linter for security policy”
Best entry pointOne-click Generate & Save Context from a false positiveBrowse Rule Packs, then author custom rules for gaps

When to use each

Use Repository Context when ZeroPath is producing noise on patterns that are actually safe in your codebase — facts the code itself cannot reveal.Trigger signals
  • The same false positive keeps reappearing across scans
  • Findings on internal-only or dev-only paths that are not externally reachable
  • Code uses safe wrappers, sanitizers, or middleware that ZeroPath cannot recognize
  • Architectural facts hidden from the code (gateways, ingress, middleware, runtime sandboxes)
Typical examples
  • “All endpoints in this service sit behind a JWT gateway — anonymous access is not possible.”
  • “The eval() call in src/sandbox/ runs inside a restricted Docker container with no network access.”
  • “Rate limiting is enforced at the load balancer for all public-facing routes.”
Do not use Repository Context to suppress a finding you simply do not want to fix, or to paper over missing detection. Over-broad context — e.g. asserting org-wide JWT enforcement when one repo allows anonymous endpoints — silently hides real findings.

Targeting and scope

Both features support the same three-level scope cascade and glob-based file scoping, but only Repository Context lets you target individual scan phases and input types.

Shared: scope cascade

Both features follow the same org → tag → repo inheritance model as scanner settings.
ScopeApplies to
OrganizationAll repositories in the organization, including ones added later
TagAll repositories with the selected tag(s)
RepositoryOnly the selected repository or repositories
Scopes stack — a repository receives its own entries plus tag-level and org-level entries that apply to it. More specific scopes never replace broader ones.

Shared: file-level glob

Both features accept a glob pattern to limit which files they apply to. The default is all files.
PatternMatches
**All files (default)
src/api/**All files under src/api/
**/*.controller.tsAll TypeScript controller files
services/auth/**All files in the auth service

Context-only: scan phases and input types

Repository Context has two extra targeting dimensions — useful when a fact is only relevant to a particular kind of analysis. Custom rules are always evaluated in the natural-language rule phase against identified sources, so they do not expose phase selection.
Six phases are selectable under Advanced Settings when creating a context entry:
PhaseWhat ZeroPath is doing
Application identificationUnderstanding what your code does — services, modules, entry points
Source identificationFinding where untrusted data enters your application
Sink identificationFinding where data flows to sensitive operations
Vulnerability investigationEvaluating whether potential issues are real, exploitable vulnerabilities
Logic analysisAnalyzing business logic for issues beyond typical code patterns
Custom rule evaluationEvaluating your custom rules against the codebase
If you are unsure which to select, leave all phases enabled — ZeroPath applies your context wherever it is relevant.
Eight input types are selectable under Advanced Settings:
Input typeDescription
HTTP HandlerWeb API endpoints and HTTP request handlers
File HandlerFile upload and file system input processing
Stdin HandlerCommand-line stdin and pipe input
Browser DataClient-side browser input (cookies, local storage, DOM)
WebSocketWebSocket message handlers
SocketRaw TCP/UDP socket connections
CLI ArgumentCommand-line arguments and flags
Mobile InputsMobile application user input
All input types are selected by default. Deselect the ones that are not relevant to narrow the scope.

How they work together

Context and Custom Rules are most useful in combination. Without context, a rule that says “must check auth” has no idea what an auth check looks like in your stack. Without rules, context only reduces noise on built-in detections — it cannot enforce your own policies.

Worked example: enforcing auth on PII endpoints

1

Org-level Repository Context

Define what “authenticated” means across the organization.
Authentication = a request that carries a valid JWT validated by the requireAuth() middleware, or presents an mTLS client certificate at ingress.
2

Repo-level Repository Context (e.g. payments-api)

Define what “PII” means in this repository.
PII fields include card_last4, billing_email, customer_phone.
3

Org-scoped Custom Rule

State the policy.
All endpoints exposing PII must require authentication.
4

Result

ZeroPath now flags only endpoints that handle PII fields and bypass one of the two recognized auth mechanisms. Endpoints behind requireAuth() or mTLS are correctly treated as safe; everything else surfaces as a high-signal finding.
Without the context entries, the same rule would produce lower-confidence findings everywhere the model wasn’t sure how your stack handles authentication or what counts as PII. Pairing rules with context is what makes findings actionable.

Lifecycle and management

Where to manage: Context page in the dashboard. Table view with title (or body preview), file pattern, tags, and repository scope.Creation paths
  • Manual creation in the dashboard
  • One-click Generate & Save Context from any false positive — no review step, takes effect on the next scan
Editing and deletion
  • Click a row to edit text, targeting, or scope
  • Individual or bulk delete with confirmation
  • Changes take effect on the next scan
Review cadence: quarterly. Architecture drifts; stale context can hide real issues. Delete entries that no longer reflect reality.
Custom Rules Only mode — the Custom rules only toggle in scanner settings disables every built-in scanning module (SAST, SCA, IaC, Secrets, EOL) and evaluates only your natural-language rules. This is rarely the right choice; enable it only when you intentionally want ZeroPath to run as a pure custom-rule engine.

Pitfalls to avoid

The single most dangerous mistake. Saying “all endpoints require JWT” at org scope is fine only if it is literally true everywhere. One legacy service with an anonymous endpoint and you have just taught ZeroPath to ignore a real finding. Start narrow; widen only when the statement is provably true across the broader scope.
“APIs should be secure” is not enforceable. Rules need a concrete, testable assertion: a specific behavior that either holds or doesn’t. If you cannot describe how a reviewer would check the rule by hand, ZeroPath cannot enforce it consistently either.
Context is for facts that are true in your codebase, not for hiding findings you don’t want to triage. If the underlying claim isn’t true, the entry will eventually hide a real bug.
Standalone rules produce findings, but ZeroPath has to guess what “auth check” or “sanitized input” means in your stack. Pair every non-trivial rule with the context it needs to recognize the safe pattern.
Default targeting is intentionally permissive. When you know a context entry only applies to HTTP handlers during source identification, narrow it. Over-broad targeting makes irrelevant context bleed into unrelated analysis.

Suggested rollout

1

Week 1 — Baseline

Connect repos, run full scans, and enable the relevant Rule Packs. No custom work yet — let the baseline surface where the noise is.
2

Week 2 — Triage into context

For every false positive, use the one-click Generate & Save Context workflow. Aim to convert roughly 80% of FPs into context entries. This is the highest-ROI step.
3

Week 3 — Author rules for policy gaps

Identify org-specific policies not covered by built-in SAST or Rule Packs. Write 3–5 custom rules. For each, add the supporting context entries that describe the safe patterns the rule must recognize.
4

Week 4 — Tag, review, and own

Tag rules and context entries by team or compliance framework. Assign a quarterly review owner so entries don’t go stale as the codebase evolves.

Quick reference

SituationUse
Same false positive keeps appearingRepository Context
Internal-only service flagged as publicRepository Context
Safe wrapper or helper not recognizedRepository Context
Architectural fact every engineer knows but the code doesn’t showRepository Context
Compliance policy needs code-level enforcementCustom Rule
Org-wide coding standard to enforceCustom Rule
Built-in SAST misses a pattern specific to your stackCustom Rule
Need to enforce a policy and teach ZeroPath what safe looks likeBoth, paired

Repository Context docs

Targeting axes, false-positive workflow, scope inheritance, and best practices.

Custom Rules docs

Authoring rules, the v2 API, Rule Packs, and Custom Rules Only mode.