Skip to main content

Documentation Index

Fetch the complete documentation index at: https://zeropath.com/docs/llms.txt

Use this file to discover all available pages before exploring further.

Overview

ZeroPath uses a fine-grained authorization (FGA) system to control access to resources within your organization. Teams group users together and can be assigned to specific repositories, letting you control who sees what.

Team Management

Creating Teams

  1. Navigate to Settings → Teams in the dashboard.
  2. Click “Create Team”.
  3. Give the team a name and optional description.
  4. Add members by email or username.
  5. Assign repositories the team should have access to.

Team Members

Teams can include:
  • Users — people with ZeroPath accounts in your organization
  • Contributors — code contributors identified from Git blame data (matched by email, name, or VCS username)
Contributors are automatically associated with teams when their git commit metadata matches a team member’s identity.

Linking Unmatched Contributors

When ZeroPath identifies code contributors that haven’t been matched to a user account, they appear in the Unmatched Contributors panel. From here you can:
  • Search contributors by name, username, or email to quickly find the person you want to link.
  • Search organization members within the assignment dropdown to find the right account.
  • Link contributors individually — each contributor can be linked independently without blocking other link operations.

Default Team Permissions

You can configure baseline permissions that are automatically applied to teams created by GitHub team sync. This is especially useful when enabling access control for the first time, since newly synced teams start with no permissions by default. From Settings → Teams:
  1. Click “Configure Defaults” to open the Default Team Permissions editor.
  2. Set the baseline permissions you want every new synced team to receive across three categories (see below).
  3. Click “Save Defaults” to persist your changes.
  4. Click “Apply to All Teams” to backfill the configured defaults onto all existing teams in your organization. Existing permissions are preserved — defaults are added on top.
When you first enable access control, a warning banner explains that teams without configured permissions will have no access. You can dismiss this banner after configuring permissions for your teams or applying defaults.

Permission Categories

The default permissions editor organizes permissions into three categories, each shown with a summary count of how many defaults are currently selected: Organization Permissions — Controls what synced teams can do at the organization level, grouped into:
GroupPermissions
Member ManagementEdit member roles, invite members, remove members
Team ManagementView teams, create teams, manage teams
InstallationsView, create, and delete VCS installations (GitHub, GitLab, etc.)
API TokensView, create, and delete API tokens
Alerts & MonitoringView, edit, create, and delete security alerts
Custom ReportsView, create, and delete saved custom reports
Repository Permissions — Default repository permissions are applied universally, meaning synced teams receive these permissions across every repository in the organization. Groups include:
GroupPermissions
Repository AccessView repository
Security ScansView scans, start scans, cancel scans
Issue ManagementArchive issues, mark as true/false positive, require context for false positives, open/close issues, edit priority, delete issues
Patches & FixesGenerate patches, create pull requests
PR Security ChecksBypass pull request security checks
Team Self-Management — Controls whether teams can manage their own settings and membership by default. Individual permissions include editing the team, adding members, removing members, and deleting the team. You can toggle entire permission groups at once by clicking the group header, or toggle individual permissions within a group. A Reset button lets you discard unsaved changes and revert to the last saved state.

Permissions

ZeroPath uses role-based permissions at the organization level. Key permission categories include:
CategoryPermissions
IssuesView, manage, mark as false positive, require context for false positives, archive
ScansStart scans, cancel scans, view scan history
RepositoriesAdd, remove, configure repositories
AgentView, manage, and run the AI AppSec Assistant
IntegrationsConnect and manage Jira, Linear, Slack, Wiz
API TokensCreate, view, delete API tokens
PatchesGenerate patches, approve patches, create PRs
SettingsManage organization settings, scanner settings
TeamsCreate, edit, delete teams
Custom ReportsView, create, delete saved custom reports

Repository Access

Teams can be scoped to specific repositories. When assigning repositories to a team, you can search for repositories by name and the list supports pagination, making it easy to find the right repositories even in organizations with a large number of connected repos. When a team is assigned to a repository:
  • Team members can view scan results and findings for that repository
  • Notifications and alerts are routed to the appropriate team
  • Git blame attribution links findings to team members who authored the affected code

Finding Details

When viewing a finding, ZeroPath displays contextual information to help your team triage effectively:
  • Exploit steps — a step-by-step breakdown of how the vulnerability could be exploited
  • Preconditions — conditions the scanner could not fully verify that may reduce exploitability. Each precondition includes a description and optional supporting evidence you can expand for more context. Preconditions help your team assess real-world risk by highlighting assumptions that must hold for the vulnerability to be exploitable.
  • SCA vulnerability and reachability data — for dependency findings, package details and whether the vulnerable code path is reachable from your application

Member Status

Organization members can be in an active or inactive state. Inactive members — for example, users deprovisioned through your identity provider — appear in the members list with an Inactive badge next to their name. Inactive members cannot have their role changed or be removed from the organization through the dashboard. This prevents accidental modifications to deprovisioned accounts while still giving admins visibility into who previously had access.

Issue Status Workflow

Findings follow a structured lifecycle that maps to team workflows. You can change a finding’s status directly from the issue detail view — status actions like marking as false positive, accepted risk, true positive, or resolved take effect immediately without a confirmation dialog, streamlining the triage process.
StatusMeaning
Pending ReviewNew finding, awaiting triage
ReviewingUnder active review by the team
PatchingFix is being developed
ResolvedFix has been applied (manually or via merged PR)
False PositiveConfirmed not a real vulnerability. Teams can optionally require that users provide a justification when marking findings as false positive (see Require Context for False Positives permission).
Accepted RiskKnown issue accepted by the team
Non-ExploitableTechnically present but not exploitable in context
BacklogAcknowledged but deferred for later