
Overview

Custom rules let you define security policies in natural language that ZeroPath evaluates during full scans across your selected repositories. Instead of writing complex pattern-matching rules, describe what you want to check and ZeroPath’s AI applies it across your codebase.

Creating Rules

From the Dashboard

  1. Navigate to Rules in the ZeroPath dashboard and select the Custom Rules tab.
  2. Click “Add Rule”.
  3. Give the rule a descriptive name.
  4. Write your rule in natural language. For example:
    • “Flag any API endpoint that returns user email addresses without the caller having admin scope”
    • “Find logging statements that include request bodies which may contain passwords or tokens”
    • “Check that all database queries use parameterized queries instead of string concatenation”
    The rule editor includes clickable example rules you can use as a starting point.
  5. Optionally set a file scope using a glob pattern (e.g., src/api/**, *.py) to limit the rule to specific files. The default is all files.
  6. Choose the repository scope: apply the rule to all repositories (including any added in the future) or select specific repositories. You can also assign tags to organize your rules.
  7. Save the rule.

From the API

Rules can be managed via the v2 API:

# Create a rule scoped to specific repositories
curl -X POST https://zeropath.com/api/v2/rules/create \
  -H "Content-Type: application/json" \
  -H "X-ZeroPath-API-Token-Id: your-token-id" \
  -H "X-ZeroPath-API-Token-Secret: your-token-secret" \
  -d '{
    "organizationId": "your-org-id",
    "name": "Require Auth on API Endpoints",
    "description": "All API endpoints must require authentication",
    "rule": "All API endpoints must require authentication before processing requests",
    "repositoryIds": ["repo-id-1", "repo-id-2"]
  }'

To apply a rule to all repositories in the organization, pass allRepositories: true instead of repositoryIds:

# Create a rule that applies to all repositories
curl -X POST https://zeropath.com/api/v2/rules/create \
  -H "Content-Type: application/json" \
  -H "X-ZeroPath-API-Token-Id: your-token-id" \
  -H "X-ZeroPath-API-Token-Secret: your-token-secret" \
  -d '{
    "organizationId": "your-org-id",
    "name": "No Hardcoded Secrets",
    "rule": "No hardcoded credentials or API keys in source code",
    "allRepositories": true
  }'

You cannot combine allRepositories and repositoryIds in the same request. Use one or the other when creating or updating a rule.
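A small Python client for the create call shown above, added here as an example and not ZeroPath's own code. It builds the same request the curl commands send and rejects a body that sets both allRepositories and repositoryIds (or neither) before anything leaves the machine; the injectable `opener` parameter is an assumption made so the request path can be exercised offline.

```python
import json
import urllib.request

# Endpoint and header names as shown in this page's curl examples.
CREATE_RULE_URL = "https://zeropath.com/api/v2/rules/create"


def build_create_rule_payload(organization_id, name, rule, description=None,
                              repository_ids=None, all_repositories=False):
    """Build the create-rule body, enforcing the documented scope constraint
    client-side: exactly one of repositoryIds or allRepositories: true."""
    if not (organization_id and name and rule):
        raise ValueError("organizationId, name and rule are required")
    if all_repositories and repository_ids:
        raise ValueError("allRepositories and repositoryIds cannot be combined")
    if not all_repositories and not repository_ids:
        raise ValueError("set allRepositories=True or give at least one repository id")

    payload = {"organizationId": organization_id, "name": name, "rule": rule}
    if description:
        payload["description"] = description
    if all_repositories:
        payload["allRepositories"] = True
    else:
        payload["repositoryIds"] = list(repository_ids)
    return payload


def auth_headers(token_id, token_secret):
    """Headers the v2 API expects; credentials are passed in, never hard-coded."""
    return {
        "Content-Type": "application/json",
        "X-ZeroPath-API-Token-Id": token_id,
        "X-ZeroPath-API-Token-Secret": token_secret,
    }


def create_rule(payload, token_id, token_secret, opener=urllib.request.urlopen):
    """POST the payload. `opener` is injectable (an assumption of this example) so
    the request can be exercised offline; the response body is parsed as JSON."""
    req = urllib.request.Request(
        CREATE_RULE_URL,
        data=json.dumps(payload).encode("utf-8"),
        headers=auth_headers(token_id, token_secret),
        method="POST",
    )
    with opener(req) as resp:
        return json.loads(resp.read().decode("utf-8"))
```

Read the token id and secret from a secrets manager or environment variable at call time rather than committing them, which is exactly the kind of finding the "No Hardcoded Secrets" rule above is meant to surface.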

How Rules Are Evaluated

During each scan, ZeroPath:
  1. Identifies applications in your repository (services, modules, entry points).
  2. Evaluates each custom rule against every application in context.
  3. Reports violations as findings alongside SAST, SCA, and other results.
Custom rule violations appear in the same findings stream as other scan results — with severity, confidence, affected file, and remediation guidance.

Rule Scope

Rules can be scoped at different levels:

Scope | Applies To
--- | ---
Organization | All repositories in the organization
Tag | All repositories with a specific tag
Repository | A single repository

Organization-scoped rules automatically apply to newly added repositories without any manual update. When you list rules via the API, each rule includes an allRepositories field indicating whether it applies organization-wide. Rules follow the same org → tag → repo inheritance cascade as scanner settings. Repository-level rules supplement (not replace) org and tag-level rules.

Managing Rules

From the dashboard or API, you can:
  • List all rules for your organization — rules that apply to all repositories display “All Repositories” instead of a numeric count
  • View a rule’s definition, scope, and metadata
  • Update a rule’s name, description, natural language definition, or scope (pass allRepositories: true to apply to all repos, or repositoryIds to scope to specific repos)
  • Delete rules that are no longer needed

Custom Rules Only Mode

For organizations or repositories that want to run only their custom rules, enable the Custom rules only toggle in your scanner settings. When enabled, ZeroPath disables all built-in scanning modules — including SAST, SCA, IaC, Secrets, and EOL — and evaluates only your custom natural-language rules against identified sources. This setting can be configured at the organization, tag, or individual repository level, following the standard settings inheritance cascade.

Rule Packs

In addition to custom rules, ZeroPath offers Rule Packs — curated bundles of pre-built rules published by ZeroPath that target common security patterns and compliance requirements. You can browse available rule packs from the Rule Packs tab on the Rules page and enable the ones relevant to your organization. Rule packs supplement your custom rules. When a rule pack is enabled, its rules are evaluated during scans alongside any custom rules you have defined.

Best Practices

  1. Be specific — “All API endpoints must validate the user’s session token before processing” is better than “APIs should be secure”.
  2. One policy per rule — create separate rules for separate concerns so violations are actionable.
  3. Start broad, then refine — begin with high-level policies and add detail based on the violations you see.
  4. Use tags for team-specific rules — different teams may have different security requirements; scope rules using tags.