Overview

When you open a PR that fixes a known vulnerability, you can reference the issue in your PR description. ZeroPath will automatically verify whether your changes would resolve the vulnerability and report the results on the PR. When the PR is merged, ZeroPath re-verifies and updates the issue status in the dashboard.

Referencing Vulnerabilities

Add references to ZeroPath issues anywhere in your PR description using either of these formats:

  • ZP-ID reference: one or more issues by their UUID. A single issue:
    ZP-ID: 550e8400-e29b-41d4-a716-446655440000
    Comma-separated for multiple issues:
    ZP-ID: 550e8400-e29b-41d4-a716-446655440000, 6ba7b810-9dad-11d1-80b4-00c04fd430c8
  • Dashboard URL: the issue's URL as shown in the ZeroPath dashboard:
    https://zeropath.com/app/issues/{uuid}

Both formats are case-insensitive. You can mix them freely and include multiple references per PR.

Where to Find the Issue UUID

Navigate to the issue detail page in the ZeroPath dashboard. The UUID appears in the URL:
https://zeropath.com/app/issues/{uuid}
You can also copy it from the issue detail view.
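As an added example (not ZeroPath's own code), the following Python checker extracts both reference formats from a PR description so a mistyped UUID is caught locally instead of coming back as "Not found". It assumes `ZP-ID:` may appear anywhere on a line and that everything after it up to the end of that line is the comma-separated UUID list; the PR description is constructed sample input.

```python
import re

# Constructed sample PR description (not from the ZeroPath docs): mixed case,
# a comma-separated ZP-ID line, a dashboard URL, and one malformed reference.
SAMPLE_PR_BODY = """Fix path traversal in the file download handler

zp-id: 550E8400-E29B-41D4-A716-446655440000, 6ba7b810-9dad-11d1-80b4-00c04fd430c8
Dashboard link: https://zeropath.com/app/issues/6BA7B810-9dad-11d1-80b4-00c04fd430c8
ZP-ID: not-a-real-uuid
"""

UUID_PATTERN = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
UUID_RE = re.compile(rf"^{UUID_PATTERN}$", re.IGNORECASE)
# Assumption: "ZP-ID:" may sit anywhere on a line; the rest of that line is
# treated as the comma-separated list of UUIDs.
ZP_ID_LINE_RE = re.compile(r"zp-id:[ \t]*(.+)$", re.IGNORECASE | re.MULTILINE)
DASHBOARD_URL_RE = re.compile(
    rf"https://zeropath\.com/app/issues/({UUID_PATTERN})", re.IGNORECASE
)


def extract_references(pr_body: str) -> tuple[set[str], list[str]]:
    """Return (valid_uuids, malformed_tokens) found in a PR description.

    UUIDs are normalised to lowercase so an issue referenced twice (once on a
    ZP-ID line and once as a dashboard URL) is counted only once.
    """
    valid: set[str] = set()
    malformed: list[str] = []
    for match in ZP_ID_LINE_RE.finditer(pr_body):
        for token in match.group(1).split(","):
            token = token.strip()
            if not token:
                continue
            if UUID_RE.match(token):
                valid.add(token.lower())
            else:
                malformed.append(token)
    for match in DASHBOARD_URL_RE.finditer(pr_body):
        valid.add(match.group(1).lower())
    return valid, malformed


if __name__ == "__main__":
    found, bad = extract_references(SAMPLE_PR_BODY)
    print("referenced issues:", sorted(found))
    print("malformed references (would report 'Not found'):", bad)
```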

How It Works

1. Open a PR with References
   Include one or more ZP-ID references or dashboard URLs in your PR description.

2. Pre-Merge Verification
   ZeroPath checks whether each referenced vulnerability would be resolved by your PR’s changes and posts a comment with the results. This is informational only — issue status is not changed yet.

3. Iterate if Needed
   If the check reports “still present”, push additional commits and reply @ZeroPath retriage to re-run the verification against the latest code.

4. Merge the PR
   Once the verification confirms “would fix”, merge the PR as normal.

5. Post-Merge Verification
   After the PR is merged, ZeroPath automatically re-runs the verification against the merged code on the target branch. If the fix is confirmed, the issue is marked as resolved in the dashboard.

Results

ZeroPath posts a comment on your PR at two points — before and after merge:

Pre-Merge (Informational)

Result          Meaning
Would fix       The vulnerability was not detected after applying your PR changes. Once merged, the issue will be marked as resolved.
Still present   The vulnerability is still detected. The comment includes an explanation of why. Reply @ZeroPath retriage to re-check after pushing more commits.
Not found       The UUID is invalid, the issue is already closed, or it does not belong to this repository.

Post-Merge (Status Update)

Result          Meaning
Resolved        The vulnerability is confirmed as fixed on the target branch. The issue is marked as resolved in the dashboard with a link to the PR.
Still present   The vulnerability persists after merge. The issue remains open.

Re-Investigation

If the initial check reports “still present” but you believe your fix is correct, push your updated code and reply with:

@ZeroPath retriage

This re-runs the fix verification against the latest PR code. Unlike the initial check (which only runs on PR open), retriage can be triggered at any time to re-check after new commits.

Important Notes

  • Pre-merge results are informational. Issue status is only updated after the PR merges and post-merge verification confirms the fix.
  • Works for both SAST and SCA issues. Any issue tracked in the ZeroPath dashboard can be referenced.
  • Self-correcting. If a fix is incorrectly marked as resolved, the next full scan will re-detect the vulnerability and reopen the issue automatically.
  • Supported on GitHub, GitLab, and Bitbucket. The ZP-ID format and dashboard URLs work on all supported VCS platforms.