Overview
ZeroPath uses a fine-grained authorization (FGA) system to control access to resources within your organization. Teams group users together and can be assigned to specific repositories, letting you control who sees what.
Team Management
Creating Teams
- Navigate to Settings → Teams in the dashboard.
- Click “Create Team”.
- Give the team a name and optional description.
- Add members by email or username.
- Assign repositories the team should have access to.
Team Members
Teams can include:
- Users — people with ZeroPath accounts in your organization
- Contributors — code contributors identified from Git blame data (matched by email, name, or VCS username)
Permissions
ZeroPath uses role-based permissions at the organization level: a role determines which actions a user may perform across the organization, while repository visibility is scoped separately through teams (see Repository Access). Key permission categories include:
| Category | Permissions |
|---|---|
| Issues | View, manage, mark as false positive, archive |
| Scans | Start scans, cancel scans, view scan history |
| Repositories | Add, remove, configure repositories |
| Integrations | Connect and manage Jira, Linear, Slack, Wiz |
| API Tokens | Create, view, delete API tokens |
| Patches | Generate patches, approve patches, create PRs |
| Settings | Manage organization settings, scanner settings |
| Teams | Create, edit, delete teams |
Repository Access
Teams can be scoped to specific repositories. When a team is assigned to a repository:
- Team members can view scan results and findings for that repository
- Notifications and alerts are routed to the appropriate team
- Git blame attribution links findings to team members who authored the affected code
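The following is an added illustrative model of the behaviour described in the Overview and in the three points above; it is not ZeroPath's code. It stores the two relationships the page describes (user is a member of team, team is assigned to repository), derives repository visibility from them, routes a finding to every team assigned to the repository, and resolves a Git blame identity to a team member by email, VCS username or name, in that order of reliability. The `User`, `Team` and `Org` classes, the `route_finding` function, the GitHub noreply-address parsing and the sample organization are all assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Added illustrative model, not ZeroPath's implementation. Class and function
# names, the noreply-address handling and the sample organization below are
# assumptions for this example.


@dataclass(frozen=True)
class User:
    username: str       # VCS / ZeroPath username
    email: str
    display_name: str


@dataclass
class Team:
    name: str
    members: set = field(default_factory=set)       # usernames
    repositories: set = field(default_factory=set)  # "owner/repo" slugs


class Org:
    """Relationship store: user -member-> team, team -assigned-> repository."""

    def __init__(self, users: list[User], teams: list[Team]):
        self.users = {u.username: u for u in users}
        self.teams = {t.name: t for t in teams}

    def can_view_repository(self, username: str, repo: str) -> bool:
        """FGA check: access is derived from team membership plus the team's
        repository assignment; a user with no qualifying team sees nothing."""
        return any(username in t.members and repo in t.repositories
                   for t in self.teams.values())

    def teams_for_repository(self, repo: str) -> list[str]:
        """Teams that receive notifications for findings in `repo`."""
        return sorted(t.name for t in self.teams.values() if repo in t.repositories)

    def resolve_contributor(self, blame_email: str, blame_name: str) -> Optional[User]:
        """Map a Git blame identity to an org user, trying the strongest signal
        first: exact email (case-insensitive), then the VCS username parsed
        from a GitHub noreply address (assumed "<id>+<user>@users.noreply.github.com"),
        then the display name. Ambiguous name matches are not attributed."""
        email = blame_email.strip().lower()
        for u in self.users.values():
            if u.email.lower() == email:
                return u
        local, _, domain = email.partition("@")
        if domain == "users.noreply.github.com":
            vcs_user = local.split("+", 1)[-1]   # "12345+alice" -> "alice"
            if vcs_user in self.users:
                return self.users[vcs_user]
        name = " ".join(blame_name.split()).lower()
        matches = [u for u in self.users.values() if u.display_name.lower() == name]
        return matches[0] if len(matches) == 1 else None


def route_finding(org: Org, repo: str, blame_email: str, blame_name: str) -> dict:
    """Decide who hears about a finding: every team assigned to the repository,
    plus the authoring user only if the blame identity resolves to someone
    who is on a team with access to that repository."""
    author = org.resolve_contributor(blame_email, blame_name)
    attributed = (author.username
                  if author and org.can_view_repository(author.username, repo)
                  else None)
    return {"teams": org.teams_for_repository(repo), "author": attributed}


def build_sample_org() -> Org:
    """Constructed sample data for the example (not real accounts)."""
    users = [
        User("alice", "alice@example.com", "Alice Smith"),
        User("bob", "bob@example.com", "Bob Jones"),
        User("carol", "carol@example.com", "Carol Diaz"),
    ]
    teams = [
        Team("backend", {"alice"}, {"acme/api"}),
        Team("frontend", {"bob"}, {"acme/web"}),
        Team("security", {"carol"}, {"acme/api", "acme/web"}),
    ]
    return Org(users, teams)


ORG = build_sample_org()

if __name__ == "__main__":
    # alice authored code in a repo her team owns: attributed and routed
    print(route_finding(ORG, "acme/api", "ALICE@Example.com", "A. Smith"))
    # alice authored code in a repo she has no team access to: routed, not attributed
    print(route_finding(ORG, "acme/web", "alice@example.com", "Alice Smith"))
```

The point of the last check in `route_finding` is that blame attribution never widens access: a contributor is linked to a finding only when they can already see the repository through a team, which keeps notification routing consistent with the FGA check.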
Issue Status Workflow
Findings follow a structured lifecycle that maps to team workflows:
| Status | Meaning |
|---|---|
| Pending Review | New finding, awaiting triage |
| Reviewing | Under active review by the team |
| Patching | Fix is being developed |
| Resolved | Fix has been applied (manually or via merged PR) |
| False Positive | Confirmed not a real vulnerability |
| Accepted Risk | Known issue accepted by the team |
| Non-Exploitable | Technically present but not exploitable in context |
| Backlog | Acknowledged but deferred for later |