# Fix Verification

> Verify that your PR fixes a known vulnerability by referencing it in the PR description

## Overview

When you open a PR that fixes a known vulnerability, you can reference the issue in your PR description. ZeroPath will automatically verify whether your changes would resolve the vulnerability and report the results on the PR. When the PR is merged, ZeroPath re-verifies and updates the issue status in the dashboard.

## Referencing Vulnerabilities

Add references to ZeroPath issues anywhere in your PR description using either of these formats:

<Tabs>
  <Tab title="ZP-ID Format">
    Reference one or more issues by their UUID:

    ```
    ZP-ID: 550e8400-e29b-41d4-a716-446655440000
    ```

    Comma-separated for multiple issues:

    ```
    ZP-ID: 550e8400-e29b-41d4-a716-446655440000, 6ba7b810-9dad-11d1-80b4-00c04fd430c8
    ```
  </Tab>

  <Tab title="Dashboard URL">
    Paste the issue URL directly from the ZeroPath dashboard. All URL formats are supported:

    ```
    https://zeropath.com/app/issues/550e8400-e29b-41d4-a716-446655440000
    ```

    ```
    https://zeropath.com/app/issues?issueId=550e8400-e29b-41d4-a716-446655440000
    ```

    ```
    https://zeropath.com/app/repositories/repo-id?issueId=550e8400-e29b-41d4-a716-446655440000
    ```
  </Tab>
</Tabs>

Both formats are case-insensitive. You can mix them freely and include multiple references per PR.
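A pre-flight check for the reference formats above, for use in a PR-template lint or local hook. This is an added example, not ZeroPath's own parser: the regular expressions and the `extract_references` helper are assumptions derived from the formats shown on this page, and the sample description is constructed.

```python
import re

# Canonical 8-4-4-4-12 hex UUID, as in the examples on this page.
UUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
# "ZP-ID:" followed by a comma-separated list on the same line.
ZP_ID_LINE = re.compile(r"ZP-ID:[ \t]*([^\r\n]*)", re.I)
# Dashboard URLs: /app/issues/<uuid>, or any /app/... URL with ?issueId=<uuid>.
URL_PATH = re.compile(r"https://zeropath\.com/app/issues/([^\s/?#)]+)", re.I)
URL_QUERY = re.compile(
    r"https://zeropath\.com/app/[^\s?#]*\?(?:[^\s#]*&)?issueId=([^\s&#)]+)", re.I)

# Constructed sample PR description: mixed case, a duplicate, a truncated UUID.
SAMPLE = """Fix SQL injection in report export.

zp-id: 550E8400-E29B-41D4-A716-446655440000, 6ba7b810-9dad-11d1-80b4-00c04fd430c8
Also https://zeropath.com/app/repositories/repo-id?issueId=550e8400-e29b-41d4-a716-446655440000
ZP-ID: 550e8400-e29b-41d4-a716
"""


def extract_references(description):
    """Return (valid_ids, malformed_tokens) found in a PR description."""
    candidates = []
    for match in ZP_ID_LINE.finditer(description):
        candidates += [t.strip() for t in match.group(1).split(",") if t.strip()]
    candidates += URL_PATH.findall(description)
    candidates += URL_QUERY.findall(description)

    valid, malformed = [], []
    for token in candidates:
        if UUID_RE.fullmatch(token):
            uid = token.lower()  # references are case-insensitive
            if uid not in valid:  # same issue referenced twice counts once
                valid.append(uid)
        else:
            malformed.append(token)  # would likely surface as "Not found"
    return valid, malformed


if __name__ == "__main__":
    ids, bad = extract_references(SAMPLE)
    print("references:", ids)
    print("malformed:", bad)
```

The check is deliberately strict: anything after `ZP-ID:` that is not a bare UUID, including trailing commentary on the same line, is reported as malformed so it can be fixed before the PR is opened.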

## Where to Find the Issue UUID

Navigate to the issue detail page in the ZeroPath dashboard. The UUID appears in the URL:

```
https://zeropath.com/app/issues/{uuid}
```

You can also copy it from the issue detail view.

## How It Works

<Steps>
  <Step title="Open a PR with References">
    Include one or more `ZP-ID` references or dashboard URLs in your PR description.
  </Step>

  <Step title="Pre-Merge Verification">
    ZeroPath checks whether each referenced vulnerability would be resolved by your PR's changes and posts a comment with the results. This is **informational only** — issue status is not changed yet.
  </Step>

  <Step title="Iterate if Needed">
    If the check reports "still present", push additional commits and reply `@ZeroPath retriage` to re-run the verification against the latest code.
  </Step>

  <Step title="Merge the PR">
    Once the verification confirms "would fix", merge the PR as normal.
  </Step>

  <Step title="Post-Merge Verification">
    After the PR is merged, ZeroPath automatically re-runs the verification against the merged code on the target branch. If the fix is confirmed, the issue is marked as **resolved** in the dashboard.
  </Step>
</Steps>

## Results

ZeroPath posts a comment on your PR and updates a check status at two points — before and after merge.

### PR Comment

#### Pre-Merge (Informational)

| Result            | Meaning                                                                                                                                             |
| ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Would fix**     | The vulnerability was not detected after applying your PR changes. Once merged, the issue will be marked as resolved.                               |
| **Still present** | The vulnerability is still detected. The comment includes an explanation of why. Reply `@ZeroPath retriage` to re-check after pushing more commits. |
| **Not found**     | The UUID is invalid, the issue is already closed, or it does not belong to this repository.                                                         |

#### Post-Merge (Status Update)

| Result            | Meaning                                                                                                                               |
| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------- |
| **Resolved**      | The vulnerability is confirmed as fixed on the target branch. The issue is marked as resolved in the dashboard with a link to the PR. |
| **Still present** | The vulnerability persists after merge. The issue remains open.                                                                       |

### Check Status

A dedicated **Fix Verification** check status is posted on the PR commit alongside the comment. You can use this check in branch protection rules to require fix verification to pass before merging.

| Status      | Meaning                                                                                 |
| ----------- | --------------------------------------------------------------------------------------- |
| **Success** | All referenced vulnerabilities appear to be resolved.                                   |
| **Failure** | One or more referenced vulnerabilities are still present.                               |
| **Neutral** | Some referenced vulnerabilities could not be found, or no vulnerabilities were checked. |

## Re-Investigation

If the initial check reports "still present" but you believe your fix is correct, push your updated code and reply with:

```
@ZeroPath retriage
```

This re-runs the fix verification against the latest PR code. Unlike the initial check (which only runs on PR open), retriage can be triggered at any time to re-check after new commits.

## Important Notes

* **Pre-merge results are informational.** Issue status is only updated after the PR merges and post-merge verification confirms the fix.
* **Works for both SAST and SCA issues.** Any issue tracked in the ZeroPath dashboard can be referenced.
* **Self-correcting.** If a fix is incorrectly marked as resolved, the next full scan will re-detect the vulnerability and reopen the issue automatically.
* **Supported on GitHub, GitLab, and Bitbucket.** The `ZP-ID` format and dashboard URLs work on all supported VCS platforms.
