# Auto-remediation & Alerts

> Automatic upgrade PRs with safe-version selection, and proactive CVE alerts for packages you already depend on

When ZeroPath finds a vulnerable dependency, it can open an upgrade pull request
that selects a version which resolves the issue without making your posture worse,
and it can alert you when a new advisory lands on a package you already ship.

## Auto-remediation

ZeroPath can open dependency-upgrade PRs automatically, gated by a score
threshold you control.

* **Direct dependency PRs** — enable `autoCreateDirectPackagePRs` and set the
  minimum score that must be met before a fix is proposed. ZeroPath opens the
  branch, applies the version bump, and links it to the originating finding.
* **Transitive remediation** — manage indirect dependencies separately with
  `autoCreateTransitivePackagePRs` and its own threshold. ZeroPath walks the
  dependency chain to the nearest direct parent it can upgrade, even through
  multi-hop transitive chains.
* **Score-based gating** — because each setting has its own minimum score,
  critical CVEs can auto-remediate immediately while lower-risk fixes stay manual.
* **Per-branch targeting** — every scheduled scan records the branch it ran on,
  so you can target remediation at release branches without touching experimental
  ones.

### Choosing a safe upgrade

ZeroPath selects an upgrade target rather than always taking the latest version.
It first looks for the nearest version with **zero known CVEs**. If none exists, it
falls back to the nearest version that fixes the specific vulnerability **without
introducing any new CVEs** you aren't already exposed to. It avoids impractical
major-version jumps. Selection is against current advisory data, so it cannot
account for vulnerabilities disclosed after the upgrade is proposed.

<Tip>
  Every upgrade PR is paired with [blast radius](/sca/blast-radius) analysis, which
  classifies the call sites in your code that the new version touches, so reviewers
  can focus on the ones most likely to break before merging. Blast radius is static
  and has known blind spots; see the page for details.
</Tip>
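The preference order above, as an added example that is not ZeroPath's own code: a toy selector over constructed advisory data that tries the nearest clean version first, then the nearest version that fixes the target advisory without adding exposure, and skips major-version jumps by default. "Nearest" is assumed to mean the lowest newer version; the package, versions and advisory ids are invented.

```python
from typing import Dict, FrozenSet, Optional, Tuple

Version = Tuple[int, int, int]

# Constructed advisory data for a hypothetical package (not a real package,
# not real advisory ids): each version maps to the advisories known to affect it.
ADVISORY_DATA: Dict[Version, FrozenSet[str]] = {
    (1, 2, 3): frozenset({"ADV-1", "ADV-2"}),   # installed today
    (1, 2, 4): frozenset({"ADV-2"}),            # fixes ADV-1, still has ADV-2
    (1, 2, 5): frozenset({"ADV-2", "ADV-3"}),   # fixes ADV-1 but adds ADV-3
    (1, 3, 0): frozenset(),                     # clean
    (2, 0, 0): frozenset(),                     # clean, but a major jump
}


def choose_upgrade(current: Version, target: str,
                   data: Dict[Version, FrozenSet[str]],
                   allow_major: bool = False) -> Optional[Version]:
    """Pick an upgrade target using the preference order the page describes.

    1. The nearest newer version with zero known advisories.
    2. Otherwise the nearest newer version that no longer carries `target`
       and introduces no advisory the current version is not already exposed to.
    Major-version jumps are skipped unless allow_major is True.  Returns None
    when no candidate satisfies either rule (the "no clean upgrade" case).
    """
    already_exposed = data[current]
    candidates = sorted(v for v in data if v > current)
    if not allow_major:
        candidates = [v for v in candidates if v[0] == current[0]]
    for v in candidates:                      # rule 1: nearest clean version
        if not data[v]:
            return v
    for v in candidates:                      # rule 2: fixes target, no new exposure
        advisories = data[v]
        if target not in advisories and advisories <= already_exposed:
            return v
    return None


if __name__ == "__main__":
    print(choose_upgrade((1, 2, 3), "ADV-1", ADVISORY_DATA))        # (1, 3, 0)
    no_clean = {v: a for v, a in ADVISORY_DATA.items() if v != (1, 3, 0)}
    print(choose_upgrade((1, 2, 3), "ADV-1", no_clean))             # (1, 2, 4)
```

Note that 1.2.5 is never chosen even though it fixes ADV-1, because it would add ADV-3; when nothing qualifies the function returns None, which is the case the next section covers.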

### When a clean upgrade doesn't exist

* **Remediation guidance** — when a vulnerability can't be auto-patched (no safe
  version, or the fix needs architectural changes), ZeroPath provides step-by-step
  instructions so a developer knows exactly what to do manually.
* **Force-generate** — for a finding marked unpatchable, you can override the
  verdict and ask the patch agent for the smallest-blast-radius compensating
  control it can produce — an authorization check, a feature flag, or a defensive
  guard around your use of the package. This reduces exposure but does not remove
  the vulnerable dependency; the advisory remains in your inventory until a real
  upgrade exists.
* **Reliable delivery** — if a patch run completes without writing any edits,
  ZeroPath automatically retries it once, so an empty patch doesn't reach your
  review queue.

### Linking to your tracker

If findings are linked to Jira issues, you can use `{jira_id}`, `{jira_url}`, and
`{jira_title}` placeholders in your custom PR title, description, branch name, and
commit message templates. ZeroPath fills them in automatically, so each
remediation PR links back to the corresponding tracker issue.

## CVE alerting

CVE alerting proactively notifies you when a new vulnerability is discovered in a
package you already depend on, without waiting for the next scan to run.

* **Enable per repository** — toggle `enableCVEAlerting` in a repository's scanner
  settings to start receiving alerts.
* **Grouped per advisory** — alerts surface on the Supply Chain page's
  by-advisory view, where the same advisory is collapsed across every affected
  repository. Most advisories carry a CVE, and advisories without one are included
  too.
* **Affected repositories** — each alert shows where the vulnerable package was
  detected (the first repository inline, with a `+N` badge for the rest).
* **Reachability breakdown** — each alert groups affected findings by whether
  ZeroPath could reach the vulnerable code from your application (Likely
  exploitable / Needs review / Likely not exploitable). Reachability is a strong
  prioritization signal, not a proof of exploitability — a reachable finding may
  still need specific inputs to trigger, and a not-reachable one is lower-risk,
  not zero-risk. Click a count to jump to the matching findings.
* **Triage status** — filter alerts by status (new / acknowledged) as you work
  through them.

<Info>
  CVE alerting must be explicitly enabled per repository. Repositories without it
  won't generate alerts, even when SCA scanning is active.
</Info>

<Note>
  Reachability and exploitability assessments are AI-assisted and probabilistic. For
  critical supply-chain vulnerabilities, confirm the assessment before relying on it
  to deprioritize a finding or auto-merge a fix.
</Note>

### Accuracy safeguards

* **Cross-package advisory filtering** — when an advisory covers multiple
  packages, ZeroPath verifies its affected entry matches your package before
  raising an alert, removing the false positives that broad multi-package
  advisories would otherwise produce.
* **Noise control** — the pipeline skips metadata-only advisory updates (a CVSS
  tweak or a new reference URL) and only re-processes a CVE when its affected
  packages or version ranges actually change. Transient processing failures are
  retried automatically and do not stall alerting for other advisories.
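Both safeguards, as an added example rather than ZeroPath's pipeline code: a simplified advisory schema (ecosystem, package, introduced/fixed range) with a cross-package filter that alerts only when the installed package and version fall inside one of the advisory's own affected entries, and a change check that ignores CVSS and reference-URL updates. The advisory id, package names, ranges and URL are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

Version = Tuple[int, int, int]

@dataclass(frozen=True)
class Affected:
    """One affected entry of an advisory (hypothetical, simplified schema)."""
    ecosystem: str
    package: str
    introduced: Version              # first affected version, inclusive
    fixed: Optional[Version] = None  # first fixed version, exclusive; None = unfixed

@dataclass(frozen=True)
class Advisory:
    id: str
    affected: Tuple[Affected, ...]
    cvss: Optional[float] = None
    references: Tuple[str, ...] = ()

def matches_package(adv: Advisory, ecosystem: str, package: str,
                    version: Version) -> bool:
    """Cross-package filter: alert only if an affected entry names this exact
    package AND its range covers the installed version; other packages listed
    in the same advisory do not count."""
    return any(
        (a.ecosystem, a.package) == (ecosystem, package)
        and a.introduced <= version
        and (a.fixed is None or version < a.fixed)
        for a in adv.affected
    )

def needs_reprocessing(old: Advisory, new: Advisory) -> bool:
    """Noise control: re-process only when affected packages or version
    ranges changed; a CVSS tweak or a new reference URL alone is skipped."""
    return set(old.affected) != set(new.affected)

# Constructed multi-package advisory and two later revisions of it.
ADV_V1 = Advisory("ADV-0001", (
    Affected("npm", "pkg-a", (0, 0, 0), (1, 4, 0)),
    Affected("npm", "pkg-b", (2, 0, 0), (2, 1, 0)),
), cvss=7.5)
ADV_V2 = Advisory("ADV-0001", ADV_V1.affected, cvss=8.1,
                  references=("https://example.invalid/advisory",))  # metadata only
ADV_V3 = Advisory("ADV-0001", ADV_V1.affected + (
    Affected("npm", "pkg-c", (0, 0, 0), None),), cvss=8.1)           # new package
```

With these inputs, pkg-b 2.0.3 is alerted on, pkg-a 1.5.0 is not (already past the fixed version), pkg-c is not alerted on until the third revision names it, and only that third revision triggers re-processing.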
