How It Works

ZeroPath can automatically generate code fixes for detected vulnerabilities and open pull requests with the remediation. The system analyzes the vulnerability context, writes a targeted fix, and presents it for your review before any changes reach your codebase.
  • AI-generated patches — fixes are generated by an AI agent that understands the vulnerability, the surrounding code, and the appropriate remediation pattern.
  • Human-in-the-loop — by default, patches require explicit approval before a PR is created. You review the diff, approve it, and ZeroPath opens the PR.
  • Both SAST and SCA — code-level vulnerabilities get code fixes; dependency vulnerabilities get version bumps with proper lockfile updates.

Requesting a Patch

  1. Navigate to a Finding: open any finding in the ZeroPath dashboard.
  2. Generate Patch: click “Generate Patch” on the issue detail view. ZeroPath generates a git diff targeting the vulnerability.
  3. Review Changes: review the proposed changes in the dashboard.
  4. Approve or Regenerate: click “Approve Patch” to create a PR, or “Regenerate” to try again.

Automatic Pull Requests

When you approve a patch (or when auto-PR generation is enabled), ZeroPath:
  1. Creates a new branch from your repository’s default branch.
  2. Applies the fix as a commit with a descriptive message.
  3. Opens a pull request with:
    • A clear title describing the fix (e.g., “Fix SQL injection in user authentication handler”).
    • A description covering the vulnerability, the fix, the root cause, and the implementation approach.
  4. Links the PR back to the finding in ZeroPath for tracking.
Supported VCS platforms for auto-PR:
| Platform | Auto-PR Support |
| --- | --- |
| GitHub (Cloud & Enterprise) | Yes |
| GitLab (Cloud & Self-hosted) | Yes |
| Bitbucket (Cloud & Data Center) | Yes |

PR Lifecycle Tracking

ZeroPath tracks the status of generated PRs:
  • Open — PR has been created and is awaiting review.
  • Accepted — PR was merged. The associated finding is automatically moved to Resolved.
  • Rejected — PR was closed without merging.

What Can Be Auto-Fixed

Code Vulnerabilities (SAST)

The AI agent can generate fixes for most code-level security issues, including:
  • SQL injection
  • XSS
  • Path traversal
  • Command injection
  • SSRF
  • Insecure cryptography
  • Missing authentication/authorization checks
  • and more…
Some vulnerability types are not auto-fixable and will be marked as such:
  • Hardcoded secrets (require manual rotation and migration to a secrets manager)
  • Complex business logic issues (race conditions, multi-system authorization)
  • Architectural issues where the root cause is outside the affected file

Dependency Vulnerabilities (SCA)

For vulnerable dependencies, ZeroPath:
  • Queries package registries for the latest non-vulnerable version.
  • For direct dependencies: updates the version in your manifest file and regenerates the lockfile using the appropriate package manager.
  • For transitive dependencies: updates the direct parent dependency that pulls in the vulnerable package.
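The direct-versus-transitive decision above, worked as an added example (not ZeroPath's own code): a constructed lockfile-style dependency graph is walked to find which direct dependencies pull in a vulnerable package, so the remediation knows whether to bump the package itself or its direct parents. The package names and the `requires` shape are constructed for illustration.

```python
from collections import deque

# Constructed dependency graph shaped like a lockfile: each resolved package
# lists the packages it requires. Direct dependencies are the ones the
# manifest names; everything else in the lockfile is transitive.
MANIFEST_DIRECT = {"web-framework", "logger"}
LOCKFILE = {
    "web-framework": {"version": "4.1.0", "requires": ["body-parser", "qs"]},
    "logger":        {"version": "2.0.3", "requires": ["qs"]},
    "body-parser":   {"version": "1.19.0", "requires": ["qs"]},
    "qs":            {"version": "6.5.2", "requires": []},  # the vulnerable package in this example
}


def reachable_from(root, graph):
    """Return every package transitively required by `root` (BFS, cycle-safe)."""
    seen, queue = set(), deque(graph[root]["requires"])
    while queue:
        pkg = queue.popleft()
        if pkg in seen or pkg not in graph:
            continue
        seen.add(pkg)
        queue.extend(graph[pkg]["requires"])
    return seen


def patch_targets(vulnerable, graph, direct):
    """Decide what a dependency fix should bump.

    Direct dependency: bump the package itself in the manifest.
    Transitive dependency: bump every direct dependency whose subtree
    pulls in the vulnerable package (there may be more than one).
    """
    if vulnerable in direct:
        return {"kind": "direct", "bump": [vulnerable]}
    parents = sorted(d for d in direct if vulnerable in reachable_from(d, graph))
    return {"kind": "transitive", "bump": parents}


if __name__ == "__main__":
    # qs is transitive and reached through both direct dependencies.
    print(patch_targets("qs", LOCKFILE, MANIFEST_DIRECT))
    # logger is a direct dependency and is bumped in place.
    print(patch_targets("logger", LOCKFILE, MANIFEST_DIRECT))
```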
Supported ecosystems for dependency patching:
  • npm / Node.js
  • Go modules
  • Rust / Cargo
  • Ruby / Bundler
  • Python / Poetry
  • Python / pip
  • Maven / Gradle
  • and more…

Configuration

Patch generation settings follow org/tag/repo-level inheritance:
| Setting | Default | What It Controls |
| --- | --- | --- |
| PR scan auto-patching | On | Generate fix suggestions for PR scan findings |
| Full scan auto-patching | Off | Auto-generate patches for qualifying full scan findings |
| Full scan auto-PR creation | Off | Automatically open PRs without human approval |
| Full scan patch threshold | 80 | Minimum priority score (0–100) for auto-patching |
| Full scan PR threshold | 80 | Minimum priority score for auto-PR creation |
| PR title template | | Custom template for generated PR titles |
| PR description template | | Custom template for generated PR descriptions |
| Branch name format | | Custom template for fix branch names |
| Commit message format | | Custom template for fix commit messages |

SCA-Specific Settings

| Setting | Default | What It Controls |
| --- | --- | --- |
| Auto-create direct dependency PRs | Off | Auto-open PRs for direct dependency CVE fixes |
| Direct dependency patch threshold | 0 | Score threshold for direct dep auto-PR |
| Auto-create transitive dependency PRs | Off | Auto-open PRs for transitive dependency CVE fixes |
| Transitive dependency patch threshold | 0 | Score threshold for transitive dep auto-PR |
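To make the org/tag/repo inheritance and the two full scan thresholds concrete, here is an added example (not ZeroPath's implementation) that resolves the three settings layers and then decides what a full scan finding with a given priority score gets. Only `prScanAutoPatching` is a key name from this page; the other key names are assumed camelCase equivalents of the table rows, and the example assumes a finding must qualify for auto-patching before auto-PR creation is considered.

```python
# Org-level defaults, mirroring the documented defaults. Only prScanAutoPatching
# appears on the page; the other key names are assumed for this illustration.
ORG_DEFAULTS = {
    "prScanAutoPatching": True,
    "fullScanAutoPatching": False,
    "fullScanAutoPrCreation": False,
    "fullScanPatchThreshold": 80,
    "fullScanPrThreshold": 80,
}


def effective_settings(org, tag=None, repo=None):
    """Resolve settings through the org -> tag -> repo inheritance chain.

    Each level sets only the keys it wants to override; the most specific
    level that sets a key wins, and everything else falls through to the org.
    """
    merged = dict(org)
    for layer in (tag or {}, repo or {}):
        merged.update(layer)
    return merged


def full_scan_action(settings, priority_score):
    """Decide what a full scan finding with the given priority score (0-100) gets.

    Returns "none", "patch_for_review" (patch generated, a human approves the
    PR) or "auto_pr" (PR opened without approval). Assumption: auto-PR is only
    considered for findings that already cleared the auto-patch threshold.
    """
    if not settings["fullScanAutoPatching"]:
        return "none"
    if priority_score < settings["fullScanPatchThreshold"]:
        return "none"
    if settings["fullScanAutoPrCreation"] and priority_score >= settings["fullScanPrThreshold"]:
        return "auto_pr"
    return "patch_for_review"


if __name__ == "__main__":
    # A tag opts its repos into auto-PR above 90; this repo also opts into auto-patching.
    repo_settings = effective_settings(
        ORG_DEFAULTS,
        tag={"fullScanAutoPrCreation": True, "fullScanPrThreshold": 90},
        repo={"fullScanAutoPatching": True},
    )
    for score in (75, 85, 95):
        print(score, full_scan_action(repo_settings, score))
```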

Adoption Guide

  1. Start with on-demand patching — click “Generate Patch” on individual findings to see the quality of generated fixes for your codebase.
  2. Enable PR scan suggestions — turn on prScanAutoPatching to get fix suggestions as inline comments on your pull requests.
  3. Tune thresholds — adjust the patch and PR thresholds to focus auto-patching on high-severity findings first.
  4. Enable full scan auto-patching — once comfortable with patch quality, enable automatic patch generation for full scans.
  5. Consider auto-PR creation — for teams with fast review cycles, enable auto-PR to get fix branches created automatically.