How It Works
ZeroPath PR scanning analyzes the code changes in your pull requests and merge requests, catching security issues before they’re merged. Scans run automatically when a PR is opened or updated, and results appear directly in your VCS.Diff-Focused Analysis
Only changed files and surrounding context are analyzed — fast and targeted.
Differential Comparison
Scans both target and PR branches, surfacing only new findings in the PR.
Parallel Security Tools
SAST, SCA, Secrets, and IaC run simultaneously on changed code.
AI Validation
Every finding is validated in the context of the diff to minimize false positives.
Supported Platforms
| Platform | Trigger | Check Status | Inline Comments |
|---|---|---|---|
| GitHub (Cloud & Enterprise Server) | GitHub App webhook | GitHub Check Runs | Yes |
| GitLab (Cloud & Self-hosted) | Merge Request webhook / Pipeline webhook | Commit Statuses / Pipeline | Yes |
| Bitbucket (Cloud & Data Center) | Pull Request webhook | Build Statuses | Yes |
| Azure DevOps | Pull Request webhook | Build Statuses | Yes |
All four platforms support the full PR scanning feature set: automatic triggering, status
reporting, and inline code review comments.
Want to verify that your PR fixes a known vulnerability? See Fix Verification to learn how to reference issues in your PR description.
What Gets Analyzed
PR scanning is strictly diff-focused. It does not re-scan your entire codebase on every PR.Fetch the Diff
Retrieves the unified diff from your VCS API (falls back to
git diff if needed). When the
PR branch shares no common ancestor with the target branch (for example, orphan branches or
force-pushed histories), ZeroPath automatically falls back to a direct tree comparison so the
scan can still proceed.Run Security Tools in Parallel
On changed files only:
- SAST — static analysis on both target and PR branches, surfacing only new findings
- SCA — dependency analysis when manifests/lockfiles changed (AI pre-screen skips if not relevant)
- Secrets — scans the diff for hardcoded credentials
- IaC — checks changed infrastructure files
Filter to Changed Regions
Only findings that directly overlap with actually changed lines in the diff are reported — there
is no proximity buffer, so nearby-but-unrelated findings are excluded. New files are included
entirely; deleted files are excluded.
Validate & Report
AI validation removes false positives. When a previously reported issue is re-evaluated and
determined to be a false positive, it can be automatically resolved. Results are posted to your
VCS as check statuses and inline comments.When a PR is updated after a previous scan was skipped (for example, because the earlier diff
was not security-relevant), ZeroPath excludes the skipped scan from the refresh baseline. This
ensures the incremental comparison covers the full set of PR changes rather than only the most
recent update.
Check Status & Feedback
Results are reported through multiple channels:- VCS Check Status
- Inline Comments
- PR Summary
- Merge Notifications
- Patch Status Tracking
A pass/fail check status is posted on your PR. This integrates with branch protection rules so you can require ZeroPath checks to pass before merging.
| Status | Meaning |
|---|---|
| Success | No security-relevant issues found (or only below threshold) |
| Failure | Confirmed vulnerabilities found above configured threshold |
| Neutral | Scan timed out (does not block merges by default). Timeout statuses are posted consistently across all supported VCS platforms, including for scans that time out while queued. |
| Skipped | Infrastructure error (deliberately not a failure to avoid blocking merges). Error messages are specific to the failure type — for example, distinguishing repository access issues from transient service errors — for easier troubleshooting. |
Blocking Pull Requests
The default ZeroPath check name isZeroPath Security Scan. If your organization uses a
custom or white-labeled integration, require the exact check name that appears on a test PR.GitHub
Use GitHub branch protection rules to require the ZeroPath check before merging.Create a ZeroPath check run
Enable PR scanning and Check status posting in ZeroPath, then open or update a test
pull request so GitHub has seen the
ZeroPath Security Scan check at least once.Open branch protection
In GitHub, go to your repository’s Settings > Branches, then add or edit the branch
protection rule for the branch you want to protect, such as
main.Require the ZeroPath check
Select Require status checks to pass before merging, search for
ZeroPath Security Scan, and select it. If GitHub asks for the expected source, choose
the ZeroPath GitHub App rather than “any source”.GitHub branch protection docs
See GitHub’s official steps for requiring status checks in a branch protection rule.
GitLab
Use GitLab’s merge checks to require the pipeline that contains the ZeroPath status to succeed before merging.Create a ZeroPath status
Enable PR scanning and Check status posting in ZeroPath, then open or update a test
merge request so GitLab shows
ZeroPath Security Scan in the merge request’s pipeline or
status area.Require successful pipelines
In Merge checks, select Pipelines must succeed, then save your changes. GitLab will
block the merge until the relevant pipeline, including the ZeroPath status, is successful.
Verify the gated pipeline
Push a commit to the test merge request and confirm the
ZeroPath Security Scan status
appears in the pipeline that GitLab evaluates for the merge request. If you run both branch
and merge request pipelines, make sure the ZeroPath status is attached to the merge request
pipeline GitLab uses for the merge gate.GitLab successful pipeline docs
See GitLab’s official steps for requiring a successful pipeline before merge.
GitLab external commit status docs
See how GitLab represents statuses from external systems inside pipelines.
Bitbucket
Use Bitbucket merge checks to require successful build statuses before merging.Create a ZeroPath build status
Enable PR scanning and Check status posting in ZeroPath, then open or update a test
pull request so Bitbucket shows the
ZeroPath Security Scan build status on the latest
commit.Open branch restrictions or merge checks
For Bitbucket Cloud, open the repository settings and go to Branch restrictions under
Workflow. For Bitbucket Data Center, open Repository settings > Merge checks or
Repository settings > Required builds.
Require successful builds
In Bitbucket Cloud, add a branch restriction for the protected branch and enable
Minimum number of successful builds for the last commit with no failed builds. Set the
minimum to at least
1.Enforce the merge check on Bitbucket Cloud
On Bitbucket Cloud Premium, enable Prevent a merge with unresolved merge checks so the
successful-build requirement blocks merging. Without that setting, Bitbucket warns users
about unresolved merge checks but may still allow the merge.
Require the ZeroPath build on Data Center
In Bitbucket Data Center, enable Minimum successful builds or add a Required builds
rule for the ZeroPath build key if your instance supports required builds.
Bitbucket Cloud merge check docs
See Bitbucket Cloud’s official steps for requiring successful builds before merge.
Bitbucket Data Center merge check docs
See Bitbucket Data Center’s official merge check and required build documentation.
Bot Commands
You can drive ZeroPath directly from your PR or merge request by mentioning the bot in a comment — triage findings, assign tickets, generate patches, rescan, or ask natural-language questions. The bot acknowledges immediately and updates the same comment in-place when the action completes. A few common examples:PR comment
because modifier, RBAC requirements, and platform support — see Bot Commands.
When you change an issue’s status via a bot command, a vulnerability status changed notification is sent through your configured notification channels. The notification includes the previous status, new status, and who made the change, so your team has full visibility into triage decisions made from PR comments.
Bot commands are supported on GitHub and GitLab. Bitbucket and Azure DevOps support PR scanning but not bot commands yet. Use
@ZeroPath as a universal alias, or replace it with your environment’s configured bot username.ZP-ID tags or dashboard issue URLs (see Fix Verification), retriage re-runs fix verification against the latest PR code instead of the standard investigation flow. This checks whether the current PR changes actually resolve the referenced issues. If a fix verification is already in progress for the PR, the bot will let you know rather than creating a duplicate.
Configuration
All PR scanning settings follow an Organization → Tag → Repository inheritance cascade.
Repository-level overrides take precedence.
| Setting | Default | What It Controls |
|---|---|---|
| PR scanning enabled | Off | Master on/off switch for PR scanning on a repository. The current status is visible in the repository detail view and API response. |
| Inline review comments | On | Post inline comments on affected diff lines |
| PR summary (issues found) | On | Post a summary comment when the scan finds issues |
| PR summary (clean scan) | On | Post a summary comment when the scan finds no issues |
| Detailed vulnerability info | Not set | Include vulnerability descriptions, severity scores, and remediation details in PR summary comments. When not explicitly set, downstream settings apply. |
| Check status posting | On | Post pass/fail check status to VCS |
| Result inclusion threshold | 0 | Minimum score for a finding to appear in PR feedback |
| Check failure threshold | 75 | Priority score at which the check is marked as failing. Must be greater than or equal to the result inclusion threshold. |
| Scan timeout | 10 min | Maximum time before the scan is marked as timed out |
| Auto-patching on PR scans | On | Generate fix suggestions for findings in the PR |
| Scan draft MRs | Off | Whether to scan GitLab draft merge requests |
| Scan bot PRs | Off | Whether to scan PRs opened by automation/bots |
| Tool toggles | All on | Enable/disable SAST, SCA, Secrets, and IaC individually for PR scans |
Automatic Repository Sync (GitHub)
ZeroPath automatically keeps your repository metadata in sync when changes happen on GitHub. The following events are detected and handled in real time via webhooks:| Event | What Happens |
|---|---|
| Repository renamed | The repository name is updated across ZeroPath, including all linked scan configurations |
| Repository transferred | Ownership and URL are updated to reflect the new organization or user |
| Repository archived | The repository is marked as archived in ZeroPath — no new scans will be triggered |
| Repository unarchived | The repository is restored to active status and scans resume normally |
| Repository deleted | The repository and its associated data are removed from ZeroPath |
No manual action is required — these changes propagate automatically as long as the ZeroPath GitHub App is installed.
How PR Scanning Differs From Full Scans
| Aspect | PR Scan | Full Scan |
|---|---|---|
| Scope | Changed files only (diff-focused) | Entire repository |
| Trigger | Automatic on PR open/update | Manual, scheduled, or on push |
| Speed | Fast (minutes) | Thorough (longer) |
| Differential | Yes — subtracts existing target-branch findings | No |
| Results | VCS check + inline comments + dashboard | Dashboard only |
| SCA gate | AI decides if dependency files changed | Always runs |
| Timeout | 10 minutes (configurable) | Longer timeouts |
Adoption Guide
Install the VCS Integration
Ensure your GitHub App, GitLab installation, Bitbucket integration, or Azure DevOps connection is configured.
Configure Branch Protection
Add the ZeroPath check as a required status check in your VCS branch protection rules.
Tune Thresholds
Adjust the check failure threshold and result inclusion threshold to match your team’s
tolerance.