Overview
Repository context lets you provide ZeroPath with information about your codebase that it cannot infer from code alone. These are natural language descriptions that ZeroPath factors into its analysis during scans. For example, you might tell ZeroPath that a particular endpoint sits behind an authentication gateway, that a seemingly dangerous function only runs in development, or that a specific module handles already-sanitized input. This additional knowledge helps make more accurate decisions and significantly reduces false positives.Why Use Repository Context
Reduce false positives
Eliminate recurring false alarms by giving ZeroPath the domain knowledge it needs to understand
your architecture.
Improve accuracy
Context about authentication layers, input validation, and deployment boundaries helps ZeroPath
focus on real risks.
Tailor to your stack
Target context to specific files, scan phases, and input types so it applies precisely where it
matters.
Creating Repository Context
From the Dashboard
- Navigate to Context in the ZeroPath dashboard.
- Click “Add Context”.
- Write a natural language description of what ZeroPath should know. For example:
- “All endpoints in this service require JWT authentication via the API gateway — unauthenticated access is not possible.”
- “The eval() call in src/sandbox/ runs inside a restricted Docker container with no network access.”
- “Rate limiting is enforced at the load balancer level for all public-facing routes.”
- Configure targeting options (see Targeting below).
- Assign the context to specific repositories and/or tags, or leave unassigned for organization-wide coverage.
- Save the context. Changes take effect on the next scan.
From a False Positive
When you mark a finding as a false positive, ZeroPath offers to automatically generate a repository context rule so the same pattern does not trigger again in future scans.Mark as false positive
On any finding, click False Positive and provide a reason explaining why it is not a real
issue.
Generate context
ZeroPath presents an option to Generate & Save Context. Click it to have ZeroPath AI create
a context rule based on your false positive reason and the details of the finding.
Context saved automatically
The context is immediately saved and targeted to the relevant repository and input type. There
is no additional review step — it takes effect on the next scan. You can edit or delete it later
from the Context page.
Targeting Context
Repository context supports three targeting axes that control when and where it is applied. The more precisely you target, the more effective the context is.File Patterns
Use glob patterns to limit which files the context applies to. The default is**, which matches all files.
| Pattern | Matches |
|---|---|
** | All files (default) |
src/api/** | All files under src/api/ |
**/*.controller.ts | All TypeScript controller files |
services/auth/** | All files in the auth service |
Scan Phases
Choose which stages of ZeroPath’s analysis should see this context. By default, context is available to all phases. Select specific phases when your context is only relevant to a particular type of analysis. ZeroPath’s scan pipeline runs through several phases. When creating context, you can select one or more of these to control when your context is applied:| Phase | What ZeroPath Is Doing |
|---|---|
| Application identification | Understanding what your code does — identifying services, modules, and entry points |
| Source identification | Finding where untrusted data enters your application (e.g., HTTP requests, file uploads) |
| Sink identification | Finding where data flows to sensitive operations (e.g., database queries, shell commands) |
| Vulnerability investigation | Evaluating whether potential issues are real, exploitable vulnerabilities |
| Logic analysis | Analyzing business logic for security issues beyond typical code patterns |
| Custom rule evaluation | Evaluating your custom rules against the codebase |
Input Types
Limit context to specific types of data entry points. This is useful when your context only applies to certain kinds of input handling. In the dashboard, these appear as checkboxes with the following labels:| Input Type | Description |
|---|---|
| HTTP_HANDLER | Web API endpoints and HTTP request handlers |
| FILE_HANDLER | File upload and file system input processing |
| STDIN_HANDLER | Command-line stdin and pipe input |
| BROWSER_DATA | Client-side browser input (cookies, local storage, DOM) |
| WEBSOCKET | WebSocket message handlers |
| SOCKET | Raw TCP/UDP socket connections |
| CLI_ARGUMENT | Command-line arguments and flags |
| MOBILE_INPUTS | Mobile application user input |
Context Scope
Context can be scoped at three levels, following the same inheritance model as scanner settings:| Scope | Applies To |
|---|---|
| Organization | All repositories in the organization (leave repos/tags unassigned) |
| Tag | All repositories with the selected tag(s) |
| Repository | Only the selected repository or repositories |
Managing Context
From the Context page you can:- View all context rules for your organization in a table showing the context text, file pattern, assigned tags, and a count of assigned repositories.
- Edit any context rule by clicking its row — update the text, targeting, or scope.
- Delete context rules individually or in bulk by selecting multiple rows.
Best Practices
- Be specific and factual — “The /admin endpoints require mTLS client certificates enforced by the Nginx ingress” is better than “admin is secure”. The more concrete your context, the better ZeroPath can use it.
- Use the false positive workflow — when you dismiss a finding, always generate a context rule. This creates a feedback loop that continuously improves scan quality.
- Target narrowly — apply context to specific file patterns, scan phases, and input types rather than leaving everything at the default. Narrow targeting prevents irrelevant context from adding noise.
- Use tags for shared architecture — if multiple repositories share the same authentication gateway or infrastructure pattern, create one context rule scoped to a tag instead of duplicating it per repository.
- Review periodically — as your codebase evolves, revisit context rules to ensure they still reflect reality. Outdated context can cause ZeroPath to miss real issues.