Overview
Scanner settings control how ZeroPath scans your repositories — which tools run, how findings are filtered, how PRs are handled, and when scheduled scans execute. Settings follow a cascading inheritance model.
Settings Inheritance
Settings are applied in a three-level cascade:
Organization (lowest priority)
↓
Tag (medium priority)
↓
Repository (highest priority)
- Organization settings apply to all repositories as the default baseline.
- Tag settings override organization defaults for repositories with that tag. Tags have a priority order — higher priority tags override lower ones.
- Repository settings override everything for a specific repository.
Only explicitly set values override — unset fields fall through to the next level.
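The cascade above, as an added example (not ZeroPath's own code): a small resolver that merges organization, tag and repository layers, lets only explicitly set values override, and records which layer each effective value came from so you can audit why a setting such as auto-patching ended up enabled. Field names, the `None`-means-unset convention and the sample values are assumptions constructed for the example.

```python
from typing import Any, Optional

# A settings layer is a flat dict; None means "not set at this level".
Settings = dict[str, Optional[Any]]


def resolve_settings(org: Settings, tags: list[tuple[str, Settings]],
                     repo: Settings) -> tuple[Settings, dict[str, str]]:
    """Merge org -> tags (ascending priority) -> repo.

    `tags` is ordered lowest priority first, so a higher-priority tag is
    applied later and wins. Returns (effective settings, source layer per key).
    """
    layers: list[tuple[str, Settings]] = [("organization", org)]
    layers += [(f"tag:{name}", t) for name, t in tags]
    layers.append(("repository", repo))

    effective: Settings = {}
    source: dict[str, str] = {}
    for layer_name, layer in layers:
        for key, value in layer.items():
            if value is None:          # unset: fall through to the lower level
                continue
            effective[key] = value     # explicitly set: overrides
            source[key] = layer_name
    return effective, source


# Constructed sample layers (assumed field names, defaults taken from this page).
ORG = {"confidence_filter": "Strict", "auto_patching": False,
       "patch_threshold": 80, "pr_scanning_enabled": False}
TAG_BACKEND = {"auto_patching": True, "patch_threshold": 70,
               "pr_scanning_enabled": None}
TAG_CRITICAL = {"patch_threshold": 90}          # outranks the backend tag
REPO = {"pr_scanning_enabled": True, "confidence_filter": None}


def example() -> tuple[Settings, dict[str, str]]:
    # Tags listed lowest priority first: backend, then critical.
    return resolve_settings(ORG, [("backend", TAG_BACKEND),
                                  ("critical", TAG_CRITICAL)], REPO)


if __name__ == "__main__":
    effective, source = example()
    for key in effective:
        print(f"{key} = {effective[key]!r}  (from {source[key]})")
```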
Scan Module Toggles
Each scanning module can be enabled or disabled independently for full scans and PR scans:
| Module | What It Scans |
|---|---|
| SAST | Static code analysis across all supported languages |
| SCA | Dependency vulnerability scanning (runs as part of full scans; SCA scans are configured separately via scan scheduling) |
| IaC | Infrastructure-as-code misconfiguration detection |
| Secrets | Hardcoded credentials and API keys |
| EOL | End-of-life / unsupported dependency detection |
Key Settings
Full Scan Settings
| Setting | Default | Description |
|---|---|---|
| Confidence filter | Strict | Threshold for including findings: Strict (fewer, higher confidence), Balanced, or Permissive (more findings) |
| Auto-patching | Off | Automatically generate patches for qualifying findings |
| Auto-PR creation | Off | Automatically open PRs for generated patches |
| Patch threshold | 80 | Minimum score (0–100) for auto-patching |
| PR threshold | 80 | Minimum score for auto-PR creation |
| Custom rules only | Off | Disable built-in scanning; only evaluate custom rules |
PR Scan Settings
| Setting | Default | Description |
|---|---|---|
| PR scanning enabled | Off | Master toggle for PR scanning |
| Inline review comments | On | Post inline comments on affected diff lines |
| PR summary comment | On | Post a summary comment on the PR |
| Check failure threshold | 75 | Score at which the VCS check is marked as failing |
| Result inclusion threshold | 0 | Minimum score for a finding to appear in PR feedback |
| Scan timeout | 10 min | Maximum time before the scan times out |
| Auto-patching | On | Generate fix suggestions for PR scan findings |
| Confidence filter | Strict | Same as full scan, applied to PR scans |
| Scan draft MRs | Off | Whether to scan GitLab draft merge requests |
| Scan bot PRs | Off | Whether to scan PRs opened by automation |
PR Templates
Customize the appearance of auto-generated fix PRs:
| Template | Description |
|---|---|
| PR title template | Custom format for generated PR titles |
| PR description template | Custom format for PR descriptions |
| Branch name format | Custom format for fix branch names |
| Commit message format | Custom format for fix commit messages |
Scan Scheduling
Configure recurring scans using cron expressions:
- Navigate to your repository’s scanner settings.
- Under Scan Schedule, enter a cron expression (e.g., `0 2 * * 1` for every Monday at 2 AM).
- Optionally specify a target branch (defaults to the repository’s default branch).
The scheduler only creates new work when the branch’s head commit has changed since the last scan, avoiding redundant processing.
SCA scans configured via scheduling run independently of full scans. Their results appear on the Supply Chain page but not on the Issues page. If you notice more SCA findings on the Supply Chain page than on Issues, this is expected — scheduled SCA scans may detect vulnerabilities between full scans.
Scan Scope Controls
Directory Partitions (Monorepo Support)
For monorepos, configure directory partitions to scan specific sub-directories as independent applications:
- Each partition is analyzed separately with its own application discovery.
- PR scans route to the correct partition based on changed files.
Path Whitelist / Blacklist
Use glob patterns to focus or exclude specific paths from scanning:
- Whitelist patterns — only scan files matching these patterns.
- Blacklist patterns — exclude files matching these patterns.
Configuring Settings
From the Dashboard
- Navigate to Scanner in the ZeroPath dashboard.
- Select the Organization, Tag, or Repository level.
- Modify settings as needed.
- Changes take effect on the next scan.
From the API
Scanner settings can be read and updated via the v2 API:
```bash
# Get settings for a repository
curl -X POST https://zeropath.com/api/v2/scannerSettings/get \
  -H "Content-Type: application/json" \
  -H "X-ZeroPath-API-Token-Id: your-token-id" \
  -H "X-ZeroPath-API-Token-Secret: your-token-secret" \
  -d '{"organizationId": "your-org-id", "repositoryId": "your-repo-id"}'
```