When ZeroPath finds a vulnerable dependency, it can open an upgrade pull request that selects a version which resolves the issue without making your posture worse, and it can alert you when a new advisory lands on a package you already ship.

Auto-remediation

ZeroPath can open dependency-upgrade PRs automatically, gated by a score threshold you control.
  • Direct dependency PRs — enable autoCreateDirectPackagePRs and set the minimum score that must be met before a fix is proposed. ZeroPath opens the branch, applies the version bump, and links it to the originating finding.
  • Transitive remediation — manage indirect dependencies separately with autoCreateTransitivePackagePRs and its own threshold. ZeroPath walks the dependency chain to the nearest direct parent it can upgrade, even through multi-hop transitive chains.
  • Score-based gating — because each setting has its own minimum score, critical CVEs can auto-remediate immediately while lower-risk fixes stay manual.
  • Per-branch targeting — every scheduled scan records the branch it ran on, so you can target remediation at release branches without touching experimental ones.
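The transitive case above (walk up from the vulnerable package to the nearest direct dependency that can be bumped, even across several hops) is easier to see in code. The block below is an added example written for this page, not ZeroPath's implementation: the lockfile-style graph, the package names and the `UPGRADE_RESOLVES` table (which direct dependencies have a newer release that stops pulling in the vulnerable version) are all constructed assumptions.

```python
"""Added example: walking a dependency graph up to the direct dependencies that pull in a
vulnerable transitive package.

Illustrative, not ZeroPath's implementation. The lockfile-style graph, the package names and
the `upgrade_resolves` table (which direct dependencies have a release that drops the
vulnerable version) are constructed assumptions for this example.
"""
from collections import deque

# Constructed graph: package -> packages it depends on. "app" is the project root,
# so its children are the direct dependencies.
DEPENDENCY_GRAPH = {
    "app": ["web-framework", "cli-tool", "json-lib"],
    "web-framework": ["http-core", "template-engine"],
    "http-core": ["parser-lib"],
    "template-engine": ["parser-lib"],
    "cli-tool": ["parser-lib"],
    "json-lib": [],
    "parser-lib": [],  # the vulnerable transitive package in this example
}

# Assumption for the example: whether a newer release of each direct dependency stops
# pulling in the vulnerable version of parser-lib.
UPGRADE_RESOLVES = {"cli-tool": True, "web-framework": False, "json-lib": False}


def reverse_edges(graph):
    """child -> [parents], so we can walk from a transitive package toward the root."""
    reverse = {pkg: [] for pkg in graph}
    for parent, children in graph.items():
        for child in children:
            reverse.setdefault(child, []).append(parent)
    return reverse


def direct_parents(graph, root, vulnerable):
    """BFS upward from `vulnerable`; return (direct_dependency, hops) for every direct
    dependency whose subtree contains it, nearest first. Handles multi-hop chains and
    diamonds (a package reachable through several paths is visited once)."""
    reverse = reverse_edges(graph)
    direct = set(graph[root])
    hops = {vulnerable: 0}
    queue = deque([vulnerable])
    found = []
    while queue:
        node = queue.popleft()
        for parent in reverse.get(node, []):
            if parent in hops:  # already visited (diamond or cycle)
                continue
            hops[parent] = hops[node] + 1
            if parent in direct:
                found.append((parent, hops[parent]))
            if parent != root:  # nothing to walk above the project root
                queue.append(parent)
    return sorted(found, key=lambda item: (item[1], item[0]))


def plan_transitive_remediation(graph, root, vulnerable, upgrade_resolves):
    """Split the direct parents into those a version bump can fix and those that need
    manual guidance because no release of the parent drops the vulnerable version yet."""
    plan = {"upgrade": [], "manual": []}
    for parent, _hops in direct_parents(graph, root, vulnerable):
        bucket = "upgrade" if upgrade_resolves.get(parent) else "manual"
        plan[bucket].append(parent)
    return plan


if __name__ == "__main__":
    print(direct_parents(DEPENDENCY_GRAPH, "app", "parser-lib"))
    print(plan_transitive_remediation(DEPENDENCY_GRAPH, "app", "parser-lib", UPGRADE_RESOLVES))
```

Note that a vulnerable transitive package is often reached through more than one direct dependency; bumping only the nearest one leaves the other path in place, which is why the plan keeps the parents that cannot be upgraded as a separate bucket rather than dropping them.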

Choosing a safe upgrade

ZeroPath selects an upgrade target rather than always taking the latest version. It first looks for the nearest version above the one you are on with zero known CVEs. If none exists, it falls back to the nearest version that fixes the specific vulnerability without introducing any CVEs you aren't already exposed to, and it avoids impractical major-version jumps. Selection runs against the advisory data available at the time, so it cannot account for vulnerabilities disclosed after the upgrade is proposed; those surface later through CVE alerting or the next scan.
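The two-pass rule above (nearest clean version first, otherwise the nearest version that fixes the target without widening your exposure, staying within the current major line) as an added example. This is illustrative code written for this page, not ZeroPath's implementation: versions are assumed to be plain MAJOR.MINOR.PATCH strings, the advisory table is constructed with placeholder IDs rather than real CVEs, and "impractical" is taken to mean any change of major version unless the caller opts in.

```python
"""Added example: choosing an upgrade target the way the page describes.

Illustrative code, not ZeroPath's implementation. Versions are assumed to be plain
"MAJOR.MINOR.PATCH" strings, advisory data is a constructed dict of half-open version
ranges with placeholder IDs, and "impractical" is taken to mean any change of major
version unless the caller opts in.
"""

# Constructed advisory data: id -> list of (introduced, fixed) half-open ranges.
# The IDs are placeholders for the example, not real CVEs.
ADVISORIES = {
    "EXAMPLE-1": [("1.0.0", "1.2.3")],  # the finding we want to fix
    "EXAMPLE-2": [("1.2.0", "1.3.0")],  # a regression confined to the 1.2.x releases
    "EXAMPLE-3": [("1.0.0", "2.0.0")],  # affects the whole 1.x line, fixed only in 2.0.0
}

# Constructed list of versions published for the package.
CANDIDATES = ["1.0.0", "1.1.0", "1.1.1", "1.2.0", "1.2.3", "1.3.0", "2.0.0", "2.1.0"]


def parse(version):
    """'1.2.3' -> (1, 2, 3); tuple comparison gives the right ordering for this simple shape."""
    major, minor, patch = (int(part) for part in version.split("."))
    return (major, minor, patch)


def advisories_for(version, advisories):
    """Set of advisory ids whose ranges contain `version` (introduced <= v < fixed)."""
    v = parse(version)
    return {
        adv_id
        for adv_id, ranges in advisories.items()
        if any(parse(lo) <= v < parse(hi) for lo, hi in ranges)
    }


def pick_upgrade(current, candidates, advisories, target, allow_major_jump=False):
    """Return (version, reason) following the two-pass rule, or (None, reason) if nothing is safe.

    Pass 1: nearest higher version with zero known advisories.
    Pass 2: nearest higher version that fixes `target` and introduces no advisory
            the current version is not already affected by.
    The answer is only as good as `advisories` at the moment of the call.
    """
    cur = parse(current)
    exposed_now = advisories_for(current, advisories)
    upgrades = sorted((c for c in candidates if parse(c) > cur), key=parse)  # nearest first
    if not allow_major_jump:
        upgrades = [c for c in upgrades if parse(c)[0] == cur[0]]

    for candidate in upgrades:
        if not advisories_for(candidate, advisories):
            return candidate, "clean"

    for candidate in upgrades:
        still_affected = advisories_for(candidate, advisories)
        if target not in still_affected and still_affected <= exposed_now:
            return candidate, "fixes-target"

    return None, "no-safe-upgrade"


if __name__ == "__main__":
    print(pick_upgrade("1.1.0", CANDIDATES, ADVISORIES, "EXAMPLE-1"))
    print(pick_upgrade("1.1.0", CANDIDATES, ADVISORIES, "EXAMPLE-1", allow_major_jump=True))
    print(pick_upgrade("1.1.0", CANDIDATES, ADVISORIES, "EXAMPLE-3"))
```

With the constructed data, 1.2.3 fixes EXAMPLE-1 but is rejected because it would add EXAMPLE-2, so 1.3.0 is chosen; allowing a major jump picks the clean 2.0.0 instead; and a target that affects the entire 1.x line yields no safe upgrade at all, which is the case the remediation guidance and force-generate options below exist for.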
Every upgrade PR is paired with blast radius analysis, which classifies the call sites in your code that the new version affects, so reviewers can focus on the ones most likely to break before merging. Blast radius analysis is static and has known blind spots; see its dedicated page for details.

When a clean upgrade doesn’t exist

  • Remediation guidance — when a vulnerability can’t be auto-patched (no safe version, or the fix needs architectural changes), ZeroPath provides step-by-step instructions so a developer knows exactly what to do manually.
  • Force-generate — for a finding marked unpatchable, you can override the verdict and ask the patch agent for the smallest-blast-radius compensating control it can produce — an authorization check, a feature flag, or a defensive guard around your use of the package. This reduces exposure but does not remove the vulnerable dependency; the advisory remains in your inventory until a real upgrade exists.
  • Reliable delivery — if a patch run completes without writing any edits, ZeroPath automatically retries it once, so an empty patch doesn’t reach your review queue.

Linking to your tracker

If findings are linked to Jira issues, you can use {jira_id}, {jira_url}, and {jira_title} placeholders in your custom PR title, description, branch name, and commit message templates. ZeroPath fills them in automatically, so each remediation PR links back to the corresponding tracker issue.

CVE alerting

CVE alerting proactively notifies you when a new vulnerability is discovered in a package you already depend on, without waiting for the next scan to run.
  • Enable per repository — toggle enableCVEAlerting in a repository’s scanner settings to start receiving alerts.
  • Grouped per advisory — alerts surface on the Supply Chain page’s by-advisory view, where the same advisory is collapsed across every affected repository. Most advisories carry a CVE, and advisories without one are included too.
  • Affected repositories — each alert shows where the vulnerable package was detected (the first repository inline, with a +N badge for the rest).
  • Reachability breakdown — each alert groups affected findings by whether ZeroPath could reach the vulnerable code from your application (Likely exploitable / Needs review / Likely not exploitable). Reachability is a strong prioritization signal, not a proof of exploitability — a reachable finding may still need specific inputs to trigger, and a not-reachable one is lower-risk, not zero-risk. Click a count to jump to the matching findings.
  • Triage status — filter alerts by status (new / acknowledged) as you work through them.
CVE alerting must be explicitly enabled per repository. Repositories without it won’t generate alerts, even when SCA scanning is active.
Reachability and exploitability assessments are AI-assisted and probabilistic. For critical supply-chain vulnerabilities, confirm the assessment before relying on it to deprioritize a finding or auto-merge a fix.

Accuracy safeguards

  • Cross-package advisory filtering — when an advisory covers multiple packages, ZeroPath verifies its affected entry matches your package before raising an alert, removing the false positives that broad multi-package advisories would otherwise produce.
  • Noise control — the pipeline skips metadata-only advisory updates (a CVSS tweak or a new reference URL) and only re-processes a CVE when its affected packages or version ranges actually change. Transient processing failures are retried automatically and do not stall alerting for other advisories.
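The two safeguards above, cross-package filtering and metadata-only noise control, as an added example in plain functions. This is illustrative code written for this page, not ZeroPath's pipeline: the advisory record shape is an assumption made for the example, and every advisory ID, package name, repository name and URL is constructed.

```python
"""Added example: the two accuracy safeguards from the page, written as plain functions.

Illustrative only, not ZeroPath's pipeline. The advisory record shape is an assumption
made for this example, and every identifier, package name, repository and URL is constructed.
"""
import copy
import hashlib
import json

# Constructed advisory covering two differently named packages in two ecosystems.
ADVISORY_V1 = {
    "id": "EXAMPLE-ADVISORY-0001",
    "cvss_v3": 7.5,
    "references": ["https://advisories.example.invalid/0001"],
    "affected": [
        {"ecosystem": "npm", "package": "pad-left-example", "ranges": [["1.0.0", "1.4.2"]]},
        {"ecosystem": "PyPI", "package": "padleft-example", "ranges": [["0.1.0", "0.3.0"]]},
    ],
}

# Constructed inventory: what each repository actually ships.
INVENTORY = [
    {"repo": "repo-a", "ecosystem": "npm", "package": "pad-left-example"},
    {"repo": "repo-b", "ecosystem": "npm", "package": "pad-left-example"},
    {"repo": "repo-c", "ecosystem": "PyPI", "package": "padleft-example"},
    # Same name as the PyPI entry but a different ecosystem: must NOT alert.
    {"repo": "repo-d", "ecosystem": "npm", "package": "padleft-example"},
]


def matching_entry(advisory, ecosystem, package):
    """Cross-package filtering: only an affected entry whose ecosystem AND name match counts."""
    for entry in advisory["affected"]:
        if (entry["ecosystem"].lower() == ecosystem.lower()
                and entry["package"].lower() == package.lower()):
            return entry
    return None


def affected_repos(advisory, inventory):
    """Repositories that ship a package the advisory actually names (sorted, deduplicated)."""
    repos = {
        item["repo"]
        for item in inventory
        if matching_entry(advisory, item["ecosystem"], item["package"]) is not None
    }
    return sorted(repos)


def material_fingerprint(advisory):
    """Hash only the fields that change who is affected: ecosystem, package and version ranges.
    Severity scores and reference URLs are deliberately left out."""
    canonical = sorted(
        [entry["ecosystem"].lower(), entry["package"].lower(), sorted(map(list, entry["ranges"]))]
        for entry in advisory["affected"]
    )
    return hashlib.sha256(json.dumps(canonical, sort_keys=True).encode()).hexdigest()


def needs_reprocessing(previous, updated):
    """Noise control: a CVSS tweak or a new reference URL does not trigger a re-run; a range change does."""
    return material_fingerprint(previous) != material_fingerprint(updated)


# Constructed updates to the same advisory.
ADVISORY_V2_METADATA_ONLY = copy.deepcopy(ADVISORY_V1)
ADVISORY_V2_METADATA_ONLY["cvss_v3"] = 8.1
ADVISORY_V2_METADATA_ONLY["references"].append("https://advisories.example.invalid/0001/writeup")

ADVISORY_V3_RANGE_WIDENED = copy.deepcopy(ADVISORY_V1)
ADVISORY_V3_RANGE_WIDENED["affected"][0]["ranges"] = [["1.0.0", "1.5.0"]]


if __name__ == "__main__":
    print(affected_repos(ADVISORY_V1, INVENTORY))
    print(needs_reprocessing(ADVISORY_V1, ADVISORY_V2_METADATA_ONLY))
    print(needs_reprocessing(ADVISORY_V1, ADVISORY_V3_RANGE_WIDENED))
```

The fingerprint is computed over a canonical, sorted form of the affected entries so that reordering in the feed does not look like a change either; only the ecosystem, package and range data feed into it, which is exactly the set of fields whose change should cause an advisory to be re-evaluated against your inventory.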