Skip to main content

Documentation Index

Fetch the complete documentation index at: https://zeropath.com/docs/llms.txt

Use this file to discover all available pages before exploring further.

How It Works

ZeroPath PR scanning analyzes the code changes in your pull requests and merge requests, catching security issues before they’re merged. Scans run automatically when a PR is opened or updated, and results appear directly in your VCS.

Diff-Focused Analysis

Only changed files and surrounding context are analyzed — fast and targeted.

Differential Comparison

Scans both target and PR branches, surfacing only new findings in the PR.

Parallel Security Tools

SAST, SCA, Secrets, and IaC run simultaneously on changed code.

AI Validation

Every finding is validated in the context of the diff to minimize false positives.

Supported Platforms

PlatformTriggerCheck StatusInline Comments
GitHub (Cloud & Enterprise Server)GitHub App webhookGitHub Check RunsYes
GitLab (Cloud & Self-hosted)Merge Request webhook / Pipeline webhookCommit Statuses / PipelineYes
Bitbucket (Cloud & Data Center)Pull Request webhookBuild StatusesYes
Azure DevOpsPull Request webhookBuild StatusesYes
All four platforms support the full PR scanning feature set: automatic triggering, status reporting, and inline code review comments.
Want to verify that your PR fixes a known vulnerability? See Fix Verification to learn how to reference issues in your PR description.

What Gets Analyzed

PR scanning is strictly diff-focused. It does not re-scan your entire codebase on every PR.
1

Fetch the Diff

Retrieves the unified diff from your VCS API (falls back to git diff if needed). When the PR branch shares no common ancestor with the target branch (for example, orphan branches or force-pushed histories), ZeroPath automatically falls back to a direct tree comparison so the scan can still proceed.
2

Identify Changed Files

Maps every changed hunk to its file and line numbers.
3

Run Security Tools in Parallel

On changed files only:
  • SAST — static analysis on both target and PR branches, surfacing only new findings
  • SCA — dependency analysis when manifests/lockfiles changed (AI pre-screen skips if not relevant)
  • Secrets — scans the diff for hardcoded credentials
  • IaC — checks changed infrastructure files
4

Filter to Changed Regions

Only findings that overlap with changed lines are reported. New files are included entirely; deleted files are excluded.
5

Validate & Report

AI validation removes false positives. When a previously reported issue is re-evaluated and determined to be a false positive, it can be automatically resolved. Results are posted to your VCS as check statuses and inline comments.When a PR is updated after a previous scan was skipped (for example, because the earlier diff was not security-relevant), ZeroPath excludes the skipped scan from the refresh baseline. This ensures the incremental comparison covers the full set of PR changes rather than only the most recent update.

Check Status & Feedback

Results are reported through multiple channels:
A pass/fail check status is posted on your PR. This integrates with branch protection rules so you can require ZeroPath checks to pass before merging.
StatusMeaning
SuccessNo security-relevant issues found (or only below threshold)
FailureConfirmed vulnerabilities found above configured threshold
NeutralScan timed out (does not block merges by default)
SkippedInfrastructure error (deliberately not a failure to avoid blocking merges). Error messages are specific to the failure type — for example, distinguishing repository access issues from transient service errors — for easier troubleshooting.

Bot Commands

You can interact with ZeroPath directly from your PR or merge request by mentioning the bot in a comment. In addition to triage commands like marking false positives or assigning issues, the following commands are available:
CommandWhat It Does
@bot rescanRe-run the scan on the current PR. If a scan for the current commit already exists, it is skipped.
@bot rescan forceForce a rescan even if a scan for the current commit already exists, bypassing the duplicate check.
@bot retriageRe-run AI validation on all issues in the current PR using a more thorough investigation. If the PR references specific vulnerabilities via ZP-ID tags or dashboard URLs, this re-runs fix verification against the latest PR code instead.
@bot retriage issue NRe-run AI validation on a specific issue. You can also use an issue URL as the target.
@bot retriage because ...Same as bare @bot retriage, but the text after because is passed as context for the all-issues investigation (for example, @bot retriage because we added input validation).
@bot retriage issue N because ...Same as @bot retriage issue N, but the text after because is passed as context for that issue’s re-evaluation.

Natural Language Questions

If your comment does not match a structured command, the bot treats it as a natural language question and responds with an AI-generated reply. You can ask about specific findings, request explanations of vulnerabilities, or ask general security questions about the PR — and the bot will respond directly in the comment thread. For example:
  • @bot Is this finding exploitable given our input validation?
  • @bot Can you explain what this vulnerability means for our authentication flow?
  • @bot What’s the risk of merging this PR with these open issues?
The bot posts a “Thinking…” placeholder and then updates it in-place with the full response once ready.
Replace @bot with your ZeroPath bot’s actual username (e.g., @zeropath-ai). You can also use @ZeroPath as a universal alias regardless of your environment’s configured bot account name. Bot commands are supported on GitHub and GitLab. Bitbucket support for bot commands is not yet available.
When you send a bot command, ZeroPath posts an acknowledgment comment immediately and then updates that same comment in-place once the result is ready. This keeps your PR conversation clean by avoiding duplicate replies. When you change an issue’s status via a bot command (for example, marking it as false positive, accepted risk, or resolved), a vulnerability status changed notification is sent through your configured notification channels. The notification includes the previous status, new status, and who made the change, so your team has full visibility into triage decisions made from PR comments.
Comments that appear to contain prompt injection content are automatically blocked. If you receive a rejection message, rephrase your question as a direct inquiry about the reported issue.
The rescan command is useful when you want to re-check a PR after making configuration changes or if you believe a previous scan result was incomplete. The retriage command triggers a deeper AI investigation of findings, which can help confirm or dismiss borderline results. You can append a because ... clause to either bare @bot retriage (all issues in the PR) or @bot retriage issue N (one issue); the explanation after because is passed through as context in both cases. When the investigation completes, the bot updates its initial acknowledgment comment in-place with a structured summary showing each issue’s verdict (Confirmed or Disconfirmed) along with a security assessment and a link to the issue in the ZeroPath dashboard. If the PR references specific vulnerabilities using ZP-ID tags or dashboard issue URLs (see Fix Verification), retriage re-runs fix verification against the latest PR code instead of the standard investigation flow. This checks whether the current PR changes actually resolve the referenced issues. If a fix verification is already in progress for the PR, the bot will let you know rather than creating a duplicate.

Configuration

All PR scanning settings follow an Organization → Tag → Repository inheritance cascade. Repository-level overrides take precedence.
SettingDefaultWhat It Controls
PR scanning enabledOffMaster on/off switch for PR scanning on a repository. The current status is visible in the repository detail view and API response.
Inline review commentsOnPost inline comments on affected diff lines
PR summary (issues found)OnPost a summary comment when the scan finds issues
PR summary (clean scan)OnPost a summary comment when the scan finds no issues
Detailed vulnerability infoNot setInclude vulnerability descriptions, severity scores, and remediation details in PR summary comments. When not explicitly set, downstream settings apply.
Check status postingOnPost pass/fail check status to VCS
Result inclusion threshold0Minimum score for a finding to appear in PR feedback
Check failure threshold75Priority score at which the check is marked as failing. Must be greater than or equal to the result inclusion threshold.
Scan timeout10 minMaximum time before the scan is marked as timed out
Auto-patching on PR scansOnGenerate fix suggestions for findings in the PR
Scan draft MRsOffWhether to scan GitLab draft merge requests
Scan bot PRsOffWhether to scan PRs opened by automation/bots
Tool togglesAll onEnable/disable SAST, SCA, Secrets, and IaC individually for PR scans

Automatic Repository Sync (GitHub)

ZeroPath automatically keeps your repository metadata in sync when changes happen on GitHub. The following events are detected and handled in real time via webhooks:
EventWhat Happens
Repository renamedThe repository name is updated across ZeroPath, including all linked scan configurations
Repository transferredOwnership and URL are updated to reflect the new organization or user
Repository archivedThe repository is marked as archived in ZeroPath — no new scans will be triggered
Repository unarchivedThe repository is restored to active status and scans resume normally
Repository deletedThe repository and its associated data are removed from ZeroPath
No manual action is required — these changes propagate automatically as long as the ZeroPath GitHub App is installed.

How PR Scanning Differs From Full Scans

AspectPR ScanFull Scan
ScopeChanged files only (diff-focused)Entire repository
TriggerAutomatic on PR open/updateManual, scheduled, or on push
SpeedFast (minutes)Thorough (longer)
DifferentialYes — subtracts existing target-branch findingsNo
ResultsVCS check + inline comments + dashboardDashboard only
SCA gateAI decides if dependency files changedAlways runs
Timeout10 minutes (configurable)Longer timeouts

Adoption Guide

1

Enable PR Scanning

Toggle it on in your repository’s scanner settings.
2

Install the VCS Integration

Ensure your GitHub App, GitLab installation, Bitbucket integration, or Azure DevOps connection is configured.
3

Open a PR

ZeroPath will automatically scan it and post results.
4

Configure Branch Protection

Add the ZeroPath check as a required status check in your VCS branch protection rules.
5

Tune Thresholds

Adjust the check failure threshold and result inclusion threshold to match your team’s tolerance.
6

Review Inline Comments

Address findings directly in your code review workflow.