What ZeroPath SCA gives you
Supported ecosystems & coverage
Dependency resolution across 13 ecosystems, and exactly what each one needs
for full transitive coverage.
Reachability & exploit signals
Whether the vulnerable code path is really invoked, plus CISA KEV and FIRST
EPSS exploit intelligence for prioritization.
Coverage & warnings
How completely your supply chain was scanned, and how to clear remaining gaps.
License compliance
Per-package SPDX licenses, enriched and grouped into informational obligation
categories, so legal and compliance reviews start from the same data the
scanners used.
AI Inventory (AI-BOM)
A bill of materials for the AI in your codebase: SDKs, agent frameworks,
MCP servers, model files, and agent configs.
Auto-remediation & alerts
Automatic upgrade PRs with safe-version selection, plus proactive CVE alerts
for packages you already depend on.
Blast radius
Which call sites in your code an upgrade actually touches, classified by
risk, attached to each patch.
SBOM exports
CycloneDX, SPDX, and VEX artifacts generated from the same inventory the UI
shows.
How dependency data gets in
ZeroPath builds its inventory from your scans. There are three ways a dependency ends up analyzed:- Full scan with SCA
- Scheduled SCA scan
- Pull request scan
SCA is enabled in scanner settings by default, so every full scan also parses
manifests and lockfiles. Dependency findings appear on both the Issues
page and the Supply Chain page, alongside your SAST and other results.
The Supply Chain page can show more dependency findings than the Issues page.
That is expected: scheduled SCA scans run on their own cadence and may surface
issues a full scan hasn’t picked up yet. For the most complete view of your
dependency posture, use the Supply Chain page.
The Supply Chain page
The Supply Chain page is the dedicated SCA dashboard. It is organized around four questions, and the deep-dive pages above map onto them:- Where do I stand? — a posture summary: scan coverage, exploitability, and what to fix first.
- What should I fix? — dependency findings, viewable as individual occurrences or grouped per CVE across every affected repository. Filter by severity, ecosystem, and reachability. When a Wiz integration is connected, you can also filter by cloud exposure to prioritize packages in internet-facing applications. Filter state is reflected in the URL, so any view can be bookmarked or shared.
- What’s in my supply chain? — the inventory: dependencies, licenses, and AI components.
- How complete was the scan? — coverage: which manifests resolved, which didn’t, and the warnings that explain any gaps.
The Supply Chain dashboard is in Early Access and its layout is still
evolving; this guide refers to capabilities rather than specific tab names.
End to end, per scan
Application discovery
An AI-assisted analyzer maps your services and modules (e.g.
/apps/payments)
so each dependency is attributed to the application that uses it.Dependency resolution
Manifests and lockfiles are parsed into a graph of direct and transitive
packages, with versions, dependency paths, and license signals. See
Supported ecosystems for what each ecosystem needs.
License enrichment
Manifest-declared licenses are enriched and recorded as a normalized SPDX
license string per package. See License compliance.
Reachability analysis
For each vulnerable package, ZeroPath assesses whether the vulnerable code
path is actually reachable. See Reachability.
Inventory, findings & exports
The normalized inventory, application map, and validated findings are stored
once, so the UI, APIs, SBOM exports, and alerts all draw
from a single source of truth.
Getting started
Keep SCA enabled
Scanner settings include SCA by default — leave it on so every full scan
collects dependency findings.
Add a recurring SCA scan
Schedule a dependency-only scan (daily/weekly) so your inventory stays current
between full scans, and point it at the branches you actually deploy.
Close coverage gaps
Check the coverage view and commit any missing lockfiles so
transitive dependencies are fully resolved.
Turn on remediation where it fits
Enable auto-remediation and CVE alerting with thresholds
aligned to your risk tolerance.
Wire up SBOMs
Once inventories exist, generate CycloneDX/SPDX/VEX exports
for procurement, compliance, or downstream tooling.