How It Works
ZeroPath PR scanning analyzes the code changes in your pull requests and merge requests, catching security issues before they’re merged. Scans run automatically when a PR is opened or updated, and results appear directly in your VCS.Diff-Focused Analysis
Only changed files and surrounding context are analyzed — fast and targeted.
Differential Comparison
Scans both target and PR branches, surfacing only new findings in the PR.
Parallel Security Tools
SAST, SCA, Secrets, and IaC run simultaneously on changed code.
AI Validation
Every finding is validated in the context of the diff to minimize false positives.
Supported Platforms
| Platform | Trigger | Check Status | Inline Comments |
|---|---|---|---|
| GitHub (Cloud & Enterprise Server) | GitHub App webhook | GitHub Check Runs | Yes |
| GitLab (Cloud & Self-hosted) | Merge Request webhook / Pipeline webhook | Commit Statuses / Pipeline | Yes |
| Bitbucket (Cloud & Data Center) | Pull Request webhook | Build Statuses | Yes |
All three platforms support the full PR scanning feature set: automatic triggering, status
reporting, and inline code review comments.
What Gets Analyzed
PR scanning is strictly diff-focused. It does not re-scan your entire codebase on every PR.Run Security Tools in Parallel
On changed files only:
- SAST — static analysis on both target and PR branches, surfacing only new findings
- SCA — dependency analysis when manifests/lockfiles changed (AI pre-screen skips if not relevant)
- Secrets — scans the diff for hardcoded credentials
- IaC — checks changed infrastructure files
Filter to Changed Regions
Only findings that overlap with changed lines are reported. New files are included entirely;
deleted files are excluded.
Check Status & Feedback
Results are reported through multiple channels:- VCS Check Status
- Inline Comments
- PR Summary
- Merge Notifications
- Patch Status Tracking
A pass/fail check status is posted on your PR. This integrates with branch protection rules so you can require ZeroPath checks to pass before merging.
| Status | Meaning |
|---|---|
| Success | No security-relevant issues found (or only below threshold) |
| Failure | Confirmed vulnerabilities found above configured threshold |
| Neutral | Scan timed out (does not block merges by default) |
| Skipped | Infrastructure error (deliberately not a failure to avoid blocking merges). Error messages are specific to the failure type — for example, distinguishing repository access issues from transient service errors — for easier troubleshooting. |
Configuration
All PR scanning settings follow an Organization → Tag → Repository inheritance cascade.
Repository-level overrides take precedence.
| Setting | Default | What It Controls |
|---|---|---|
| PR scanning enabled | Off | Master on/off switch for PR scanning on a repository. The current status is visible in the repository detail view and API response. |
| Inline review comments | On | Post inline comments on affected diff lines |
| PR summary comment | On | Post a summary comment listing all findings |
| Check status posting | On | Post pass/fail check status to VCS |
| Result inclusion threshold | 0 | Minimum score for a finding to appear in PR feedback |
| Check failure threshold | 75 | Priority score at which the check is marked as failing. Must be greater than or equal to the result inclusion threshold. |
| Scan timeout | 10 min | Maximum time before the scan is marked as timed out |
| Auto-patching on PR scans | On | Generate fix suggestions for findings in the PR |
| Scan draft MRs | Off | Whether to scan GitLab draft merge requests |
| Scan bot PRs | Off | Whether to scan PRs opened by automation/bots |
| Tool toggles | All on | Enable/disable SAST, SCA, Secrets, and IaC individually for PR scans |
Automatic Repository Sync (GitHub)
ZeroPath automatically keeps your repository metadata in sync when changes happen on GitHub. The following events are detected and handled in real time via webhooks:| Event | What Happens |
|---|---|
| Repository renamed | The repository name is updated across ZeroPath, including all linked scan configurations |
| Repository transferred | Ownership and URL are updated to reflect the new organization or user |
| Repository archived | The repository is marked as archived in ZeroPath — no new scans will be triggered |
| Repository unarchived | The repository is restored to active status and scans resume normally |
| Repository deleted | The repository and its associated data are removed from ZeroPath |
No manual action is required — these changes propagate automatically as long as the ZeroPath GitHub App is installed.
How PR Scanning Differs From Full Scans
| Aspect | PR Scan | Full Scan |
|---|---|---|
| Scope | Changed files only (diff-focused) | Entire repository |
| Trigger | Automatic on PR open/update | Manual, scheduled, or on push |
| Speed | Fast (minutes) | Thorough (longer) |
| Differential | Yes — subtracts existing target-branch findings | No |
| Results | VCS check + inline comments + dashboard | Dashboard only |
| SCA gate | AI decides if dependency files changed | Always runs |
| Timeout | 10 minutes (configurable) | Longer timeouts |
Adoption Guide
Install the VCS Integration
Ensure your GitHub App, GitLab installation, or Bitbucket integration is connected.
Configure Branch Protection
Add the ZeroPath check as a required status check in your VCS branch protection rules.
Tune Thresholds
Adjust the check failure threshold and result inclusion threshold to match your team’s
tolerance.