Resolution coverage
Every scan reports, per ecosystem, how many manifests it discovered versus how many it fully resolved. The Supply Chain page rolls this up into:- Scan coverage — the overall share of discovered manifests that resolved, across all measured repositories.
- Coverage by ecosystem — resolved-manifest share for each ecosystem, so you can spot a uniformly weak ecosystem (e.g. “no Gradle lockfiles anywhere”).
- Coverage by repository — least-covered repositories first.
- Coverage blind spots — active warnings, split by severity (blocker / warning / info).
Repositories whose latest scan predates coverage measurement are omitted from the
rollups, so an unmeasured repository is never shown as fully covered.
Resolution fidelity
Coverage also reports the fidelity ZeroPath achieved per ecosystem, the kind of resolution behind the numbers:- Deterministic — resolved from a committed lockfile (or a fully
==-pinnedrequirements.txt, which is treated as a lockfile-equivalent), so the inventory reflects the exact pinned versions your build is locked to. - Build-less — full transitive graph resolved directly from the manifest, no lockfile required. See Supported ecosystems for the per-ecosystem matrix.
- Degraded (direct-only) — only your direct dependencies were resolved, because a required lockfile is missing. Direct-dependency findings still surface; only the transitive tail is absent. This is the state to fix.
Coverage warnings
Manifests that couldn’t be fully analyzed are flagged with a specific warning, so you can see exactly which part of the graph may be incomplete and why. You can click any warning row to expand it and see the full warning message, type, repository, and file path inline. Filter the warnings list by severity, type, or repository, and export a coverage report (CSV) for tracking.The first three warnings concern dependency resolution and clear when you
commit a lockfile or fix the manifest. The infrastructure variant of
dependency resolution failure requires no action on your part — it is a transient
platform-side issue that resolves on the next scan. A zero dependencies
anomaly is an advisory signal to re-check and re-scan, not necessarily a
lockfile fix. The last three are transient data-source warnings that generally
clear on the next scan on their own.
Why findings don’t vanish on a failed scan
When a manifest can’t be resolved during a scan, ZeroPath carries forward the existing SCA findings for it instead of marking them resolved. This keeps a confirmed vulnerability from silently disappearing because of a transient resolution failure. A finding is auto-resolved only when its manifest was successfully analyzed and the vulnerability is genuinely gone.Generate lockfiles before scanning
Closing a Transitive dependencies unresolved or Missing lockfile warning almost always means committing the lockfile for that ecosystem. The commands below produce the file ZeroPath looks for:==-pinned requirements.txt
(which ZeroPath treats as a lockfile-equivalent for deterministic resolution),
no lockfile is required for full coverage — see Supported ecosystems.
Operational notes
Deterministic output
Deterministic output
Inventories, alerts, and SBOMs are generated from the same sorted dataset, so
diffs and reviews stay stable scan to scan.
Historical snapshots
Historical snapshots
Every scan captures a point-in-time inventory, enabling scan-to-scan diffs,
SBOM exports, and retroactive investigations.
Exposure dating
Exposure dating
SCA captures the earliest git commit that introduced an affected manifest
entry, so you can see how long a vulnerability has lived in your history.
Automatic recovery
Automatic recovery
Scans resume after interruptions, repeated failures are throttled, stale jobs
are cleaned up, and completed inventories are reused where possible.