Skip to main content

How It Works

ZeroPath’s Software Composition Analysis (SCA) continuously analyzes your dependencies to understand your dependency graph, enrich it with application context, and keep inventories fresh:
  • Automated scanning runs whenever you push code or on a schedule you configure. Each scan parses manifests and lockfiles, builds the dependency graph, maps applications, and validates vulnerable packages with AI.
  • Scheduled inventory builder honors cron expressions you configure for each repository/tag/org. It only stages work when a branch’s head commit changes, so recurring scans track real code changes instead of reprocessing identical data.
  • Reporting layer converts any SCA inventory into CycloneDX, SPDX, or VEX artifacts on demand (see SBOM Exports). You can export SBOMs from any repository with SCA data, whether that data came from a dedicated SCA scan or a full scan with SCA enabled. Because SBOMs are generated from the same canonical inventory, exports match what the UI shows developers.

End-to-end Flow

1

Repository Selection

Choose a repo/branch (or rely on the default) and ensure SCA is enabled in its scanner settings.
2

Checkout & Normalization

The SCA pipeline clones the repo, pins the commit, and normalizes paths so results stay consistent across environments.
3

Application Discovery

An AI-assisted analyzer maps services/modules (e.g., /apps/payments) so each dependency can be tied back to its owning surface area.
4

Dependency Graphing

Manifests and lockfiles are parsed to build a graph containing direct and transitive packages, version ranges, dependency paths, and license signals. When a lockfile resolves dependencies declared in a manifest, findings link back to the original manifest file and line number rather than the lockfile, so you can navigate directly to where the dependency was declared.
5

License Enrichment

ZeroPath augments manifest-declared licenses with external data (e.g., deps.dev) and records the final SPDX-style license sets per package.
6

Reachability Analysis

For each vulnerable dependency, ZeroPath determines whether the vulnerable code paths are actually reachable in your application. This goes beyond checking if a package is imported — it analyzes whether the specific vulnerable functions or methods are called and whether user input can reach them. Transitive dependencies are triaged by an AI guard that evaluates whether the dependency chain exposes the vulnerability before committing investigation budget.Reachability status defaults to “unknown” until analysis completes, so you will never see a package incorrectly marked as reachable before ZeroPath has verified it. Each package receives a package-level reachability status indicating whether it is reachable, not reachable, or not yet tested, along with a summary explaining the assessment. You can view this status and summary in the package details panel, and filter the Inventory and Issues views by package reachability.
7

Issue Validation

The ZeroPath SCA engine scores each vulnerable package, adds severity/impact context, and produces remediation notes (upgrade target, risk summary, exploit rationale). When a linked SAST finding exists, the AI-derived score from that finding is used to determine severity, ensuring consistency between the Issues and Supply Chain pages.
8

Inventory + Findings

The normalized inventory, application map, and validated findings are stored so UI panels, APIs, SBOM exports, and alerts all draw from the same source of truth.

Running Scans

When SCA is enabled in your scanner settings, every full scan also analyzes manifests and lockfiles. Dependency findings from these scans appear on both the Issues page and the Supply Chain page, alongside your SAST and other finding types.

Where SCA Findings Appear

SCA vulnerabilities can come from two different scan sources, and understanding where each appears helps avoid confusion:
The Issues page shows vulnerabilities found during full scans. When SCA is enabled in your scanner settings, full scans analyze dependencies alongside your source code. SCA findings from these scans appear as issues in the global Issues list, mixed in with SAST and other finding types.What you’ll see: SCA vulnerabilities discovered during full scans only.
The Supply Chain page may show more SCA findings than the Issues page. This is expected — SCA scans run on their own schedule and may detect vulnerabilities that haven’t been picked up by a full scan yet. If you want the most comprehensive view of your dependency security posture, use the Supply Chain page.

Two Sources of SCA Data

SourceTriggerWhere Results Appear
Full scan with SCA enabledRuns as part of a full scan when SCA is enabled in scanner settingsIssues page + Supply Chain page
SCA scanRuns on a schedule you configure (daily, weekly, etc.), independent of full scansSupply Chain page only
To ensure you catch vulnerabilities between full scans, enable a scheduled SCA scan. This keeps your dependency inventory fresh even when engineers aren’t actively pushing code.

Filtering & Sorting

The Issues and Inventory tabs on the Supply Chain page offer several filters to help you focus on what matters:
  • Severity — filter by Critical, High, Medium, Low, or Info severity levels.
  • Ecosystem — narrow results to specific package ecosystems (e.g., npm, PyPI, Go modules, Maven). The available ecosystems update dynamically based on your repository selection.
  • Reachability (vulnerability-level) — filter issues by exploitability status: Confirmed Exploitable, Needs Review, or No Path Detected.
  • Package Reachability — filter by whether the package itself is reachable, not reachable, or not yet tested in your application.
  • Source Type — distinguish between dependencies declared in source manifests and those embedded in compiled assets (JARs, WARs, Python wheels).
  • Transitivity — show only direct dependencies, only transitive dependencies, or both.
On the Issues tab, a sort dropdown is always available. When grouping is active, you can sort by highest severity or most findings per group. When grouping is off, you can sort by highest severity or newest. All filters are reflected in the URL, so you can bookmark or share a filtered view with teammates.

Inventory & License Coverage

package-lock, requirements, go.mod, pom.xml, Podfile, Cargo.lock, and other manifests are deduplicated and versioned per scan.
Each dependency includes its role (declared vs inherited) plus the chain of packages that led to it, making blast-radius analysis simple.
ZeroPath normalizes manifest-declared terms, enriches them with authoritative sources, and records the final SPDX expression per package, enabling legal/compliance workflows.
The UI exposes filters for high/medium/low-risk license groups, plus quick toggles for common families (GPL, LGPL, AGPL, Apache, MIT, BSD, Proprietary). Compliance teams can combine these filters with allow/deny lists to focus on the licenses that matter most.
Search for any license identifier (e.g., GPL-3.0-only, SSPL, Polyform) to instantly highlight the packages and applications affected, making it easy to enforce custom policies.
Binary artifacts committed to your repository — such as JARs, WARs, and Python wheels — are scanned for embedded packages. These packages appear in your inventory alongside source-declared dependencies, giving you visibility into vendored or pre-built libraries that would otherwise be invisible to manifest-only analysis.You can filter the inventory and dependency views by compiled vs. source-declared manifests using the Source Type filter, making it easy to isolate findings from binary artifacts. Compiled manifests are visually distinguished with a badge showing the asset type (e.g., JAR, WAR).
Dependency findings are linked to the applications/services discovered in your repo so teams immediately know who owns remediation.
Every SCA scan captures a point-in-time inventory, enabling diffs, SBOM exports, and retroactive investigations.

CVE Alerting

CVE alerting proactively notifies you when new vulnerabilities are discovered in your tracked packages — without waiting for a scan to run.
  • Enable per repository – toggle enableCVEAlerting in your repository’s scanner settings to start receiving alerts.
  • Alerts tab – all CVE alerts appear on the Alerts tab of the Supply Chain page, where you can filter by repository, severity, ecosystem, exploitability, and status (new / acknowledged).
  • Exploitability breakdown – each alert shows reachability counts (Confirmed Exploitable, Needs Review, No Path Detected) so you can prioritize triage. Exploitability is assessed by AI; for critical supply chain issues, human review is recommended.
  • Drill into findings – click an exploitability count on an alert to jump directly to the Issues tab filtered to that advisory and reachability status.
CVE alerting must be explicitly enabled in scanner settings for each repository. Repositories without alerting enabled will not generate alerts, even if SCA scanning is active.

Auto-remediation

  • Direct dependency PRs – opt into automatic upgrade pull requests for direct dependencies by enabling autoCreateDirectPackagePRs and defining the score threshold that must be met before a fix is proposed. ZeroPath opens the branch, applies the version bump, and links it to the original finding.
  • Transitive remediation – manage inherited dependencies separately via autoCreateTransitivePackagePRs. Use a different threshold (or disable entirely) when indirect upgrades require more review. ZeroPath walks the dependency chain to find the nearest direct parent that can be upgraded, even through multi-hop transitive chains.
  • Remediation guidance for unpatchable findings – when a vulnerability cannot be auto-patched (e.g., no safe version exists, or the fix requires architectural changes), ZeroPath provides step-by-step remediation instructions so developers know exactly what to do manually.
  • Score-based gating – each PR setting has its own minimum score, so critical CVEs can auto-remediate immediately while lower-risk fixes stay manual.
  • Per-branch targeting – every scheduled scan stores the branch it was staged for, letting you run auto-remediation and alerting on release branches without touching experimental ones.

Key Capabilities

Unified Findings

Dependency issues appear in the same ZeroPath findings stream as your other scan data so remediation stays in one workflow.

Precise Application Mapping

Identifies which service/module (e.g., /apps/payments) owns the vulnerable package, not just the manifest file.

Direct vs Transitive Clarity

Every issue spells out whether you declared the package yourself or pulled it in indirectly, plus the chain of packages that introduced it.

License Visibility

Inventories capture manifest-declared licenses and enrich them with external sources so legal/compliance reviews see the same data the scanners used.

Deterministic Inventories

Manifests and packages are deduplicated and sorted, producing repeatable SBOMs, audit reports, and diff views.

AI-Backed Validation

The same reasoning engine that powers ZeroPath validation explains SCA impact, suggests upgrade paths, and prioritizes issues based on severity + exploitability.

Reachability Analysis

ZeroPath determines whether vulnerable code paths are actually reachable in your application, reducing noise from vulnerabilities that are imported but never invoked.

Compiled Asset Scanning

Binary artifacts committed to your repository (JARs, WARs, Python wheels) are scanned for embedded packages, extending inventory coverage beyond source-level manifests.

Ecosystem Coverage

ZeroPath’s SCA analyzers recognize the following ecosystems out of the box:

npm / Yarn

PyPI

Go modules

Maven / Gradle

https://mintcdn.com/zeropath/3LQWG-DWQmf_zR2q/icons/csharp.svg?fit=max&auto=format&n=3LQWG-DWQmf_zR2q&q=85&s=a369b07fdfa85a098eef35c035d7c098

NuGet

https://mintcdn.com/zeropath/3LQWG-DWQmf_zR2q/icons/ruby.svg?fit=max&auto=format&n=3LQWG-DWQmf_zR2q&q=85&s=e98ed481966bcbb1508f8d69e680b60e

RubyGems

crates.io (Cargo)

Packagist / Composer

https://mintcdn.com/zeropath/3LQWG-DWQmf_zR2q/icons/elixir.svg?fit=max&auto=format&n=3LQWG-DWQmf_zR2q&q=85&s=1561f8905cfcc6ab231dbcb15aaf5db3

Hex (Elixir)

https://mintcdn.com/zeropath/3LQWG-DWQmf_zR2q/icons/dart.svg?fit=max&auto=format&n=3LQWG-DWQmf_zR2q&q=85&s=c3fa2a0a3350a59c4f7fcd10cbeff84b

Pub (Dart/Flutter)

Swift

Haskell (Hackage)

R (CRAN)

Each dependency record tracks whether ZeroPath saw it declared directly or discovered it through the transitive graph, enabling policies that treat vendor libraries differently from first-party choices.

Lockfile Requirement

ZeroPath requires lockfiles for accurate dependency analysis. Without a lockfile, ZeroPath can only parse version ranges from your manifest (e.g., ^1.2.3 in package.json or >=2.0.0 in requirements.txt), which means:
  • Transitive dependencies are invisible – ZeroPath won’t see any packages your direct dependencies pull in.
  • Version resolution is ambiguous – range specifiers don’t tell us which exact version is installed, so vulnerability matching becomes unreliable.
  • Incomplete SBOM exports – CycloneDX and SPDX artifacts will be missing most of your actual dependency tree.
Generate lockfiles before scanning to ensure ZeroPath captures your full dependency graph: 
# npm / Yarn
npm install          # creates package-lock.json
yarn install         # creates yarn.lock

# Python (all formats supported: requirements.txt, Pipfile, pyproject.toml)
pip freeze > requirements.txt           # if using pip directly
pipenv lock                             # creates Pipfile.lock
poetry lock                             # creates poetry.lock
uv lock                                 # creates uv.lock

# Go
go mod tidy                             # updates go.sum

# Maven
mvn dependency:tree                     # validates your pom.xml dependencies

# Gradle
./gradlew dependencies --write-locks   # creates gradle.lockfile

# Ruby
bundle lock                             # creates Gemfile.lock

# Rust
cargo build                             # creates Cargo.lock

# PHP
composer install                        # creates composer.lock

# Elixir
mix deps.get                            # creates mix.lock

# Dart / Flutter
flutter pub get                         # creates pubspec.lock
dart pub get                            # creates pubspec.lock

# Swift
swift package resolve                   # creates Package.resolved
Commit these lockfiles to version control so every scan analyzes the exact dependency versions your application uses.

Python Manifest Formats

ZeroPath supports all common Python dependency declaration formats:
  • requirements.txt — standard pip format
  • Pipfile — Pipenv format (with [packages] and [dev-packages] sections)
  • pyproject.toml (Poetry)[tool.poetry.dependencies], [tool.poetry.dev-dependencies], and Poetry 1.2+ group dependencies ([tool.poetry.group.<name>.dependencies])
  • pyproject.toml (PEP 621) — the [project] table used by uv, hatch, flit, setuptools, pdm, and other modern build backends. Both dependencies and optional-dependencies are parsed.

Gradle Version Catalogs

ZeroPath automatically resolves dependencies declared using Gradle version catalogs (libs.versions.toml). When your build.gradle or build.gradle.kts references dependencies via libs.foo.bar accessors, ZeroPath locates the corresponding version catalog file and resolves the package name and version from its [libraries] section. Findings are linked back to the exact line in your build file where the dependency is referenced, so you can navigate directly to the relevant code. Supported version catalog entry formats include string shorthand ("group:artifact:version"), module references with version.ref, group/name pairs with inline or referenced versions, and dict-style version constraints (strictly, require, prefer).

Adoption Checklist

1

Confirm SCA Is Enabled

Repository scanner settings include SCA by default; keep it enabled so every full scan collects dependency findings.
2

Add Recurring Coverage

Create an SCA schedule with the cadence you need (daily, weekly, etc.) so inventory snapshots stay current even when engineers aren’t running full repo scans.
3

Set Branch Preferences

Point schedules at the branches that matter (release, staging, services) so SCA always reflects the code you deploy.
4

Enable Alerting Where Needed

Flip enableCVEAlerting on schedules that should raise proactive notifications; keep it off for test repos.
5

Decide on Auto-Remediation

Turn on direct and/or transitive auto-PRs with thresholds aligned to your risk tolerance.
6

Plan SBOM Consumption

Once inventories exist, request CycloneDX/SPDX/VEX exports and wire them into procurement, compliance, or downstream tooling.
7

Route Findings

Configure notifications, dashboards, or ticketing automations so dependency issues reach the right service owners.

Operational Notes

  • Deterministic output – inventories, alerts, and SBOMs are generated from the same sorted dataset, which keeps diffs and reviews stable.
  • Exposure dating – SCA captures the earliest git commit that introduced an affected manifest entry so you can see how long a vulnerability has lived in production.
  • Automatic recovery – scans are resilient to interruptions and automatically resume. Repeated failures are throttled, stale jobs are cleaned up, and completed inventories are reused whenever possible.