How It Works
ZeroPath’s Static Application Security Testing (SAST) uses a multi-stage AI-powered analysis pipeline to discover vulnerabilities that traditional pattern-matching scanners miss:Automated Scanning
Runs on push, PR, or schedule. Builds an architecture model, analyzes code, and validates every
finding with AI.
Application-Aware
Identifies services and modules in your repo (e.g.,
/apps/payments) so findings are tied to
the right team.AI Validated
Reviews every candidate for exploitability and context, reducing false positives by up to 75%.
End-to-end Flow
Repository Checkout
ZeroPath clones your repository and pins the exact commit, ensuring repeatable results.
Application Discovery
An AI-powered analyzer maps your codebase’s services, modules, and entry points so each finding
can be attributed to the right application and team.
Multi-Stage Pattern Analysis
Broad static analysis rules run across all supported languages, producing an initial set of
candidate findings.
AI Validation & False-Positive Filtering
Each candidate is reviewed in context. The AI evaluates exploitability, code flow, and
surrounding logic to filter out false positives, reducing noise by up to 75%.A secondary validation pass then reviews all remaining true-positive findings before they
are recorded. This pass can mark non-exploitable findings (dead code, test fixtures,
sanitized inputs) and correct inaccurate details such as title, description, or severity,
further improving signal quality.
Deep Codebase Analysis
A context-aware AI agent performs deeper analysis, examining authentication flows, authorization
logic, business rules, and custom security policies.
Custom Rule Evaluation
Any natural-language rules you’ve defined are evaluated per-application, catching
organization-specific security policies.
Deduplication & Scoring
Findings are deduplicated across tools and historical scans. Each confirmed finding receives a
CVSS 4.0 severity score with AI-generated reasoning and step-by-step attack exploitation steps.Findings with an unknown validation state (where exploitability cannot be determined) are
categorized as Informational rather than non-exploitable, giving you clearer signal about
which findings need further investigation.
Running Scans
- Full Scans
- PR Scans
Comprehensive analysis of your entire codebase. Triggered manually, on schedule, or when code is pushed to monitored branches.On subsequent scans of the same branch, ZeroPath intelligently reuses results for unchanged files and focuses deep analysis only on changed files, significantly reducing scan time.When the changes since the last scan are small, ZeroPath can use a smart rescan mode that
evaluates only the diff. An AI agent reviews whether existing issues are still present and
whether the new code introduces any vulnerabilities, delivering results significantly faster
than a full pipeline run. The rescan agent inspects issues on a per-file basis and resolves
them by exact line range and behavior, so if one vulnerability in a file is fixed while
another remains, only the fixed issue is marked as resolved.ZeroPath uses a three-tier regression detection pipeline to efficiently determine whether
previously reported issues are still present after code changes:
- Deterministic fast-path — if none of the files relevant to a finding changed between commits, the finding is carried forward instantly with no AI call.
- Structured diff review — when relevant files did change, a single AI review examines the bounded diff and code evidence to decide whether the issue persists or was fixed.
- Deep-agent escalation — only when the bounded evidence is insufficient does ZeroPath escalate to a full agentic investigation, keeping costs and latency low for the common case.
Vulnerability Categories
- Technical Vulnerabilities
- Business Logic Vulnerabilities
| Category | Examples |
|---|---|
| Injection | SQL injection, command injection, LDAP injection |
| Cross-Site Scripting (XSS) | Reflected XSS, stored XSS, DOM-based XSS |
| Server-Side Request Forgery (SSRF) | Internal service access, cloud metadata exfiltration |
| File Operations | Path traversal, local file inclusion, arbitrary file read/write |
| Insecure Deserialization | Object injection, remote code execution via deserialization |
| XML External Entity (XXE) | External entity expansion, SSRF via XML |
| Template Injection | Server-side template injection (SSTI) |
| Cryptography | Weak algorithms, hardcoded keys, insufficient key length |
| Open Redirect | Unvalidated redirect targets |
| CORS Misconfiguration | Overly permissive cross-origin policies |
| CSRF | Missing or bypassable cross-site request forgery protections |
| Denial of Service | ReDoS, resource exhaustion, algorithmic complexity |
| Information Disclosure | Sensitive data in responses, error message leakage |
| Reflection | Reflected input flaws, unsafe reflection |
| Memory Safety | Buffer overflows, use-after-free, out-of-bounds access |
| Input Validation | Missing or improper input validation |
| Configuration | Insecure defaults, debug mode in production |
Severity Scoring
ZeroPath uses CVSS 4.0 as its scoring standard. Every confirmed finding receives a structured score with AI-generated reasoning tied directly to the code.CVSS 4.0 Metrics Evaluated
CVSS 4.0 Metrics Evaluated
| Metric | Values | What It Captures |
|---|---|---|
| Attack Vector | Network / Local | Whether exploitable remotely or requires local access |
| Attack Complexity | Low / High | Reliability of exploit; whether special conditions are needed |
| Attack Requirements | None / Present | Whether prerequisites (specific config/state) are required |
| Privileges Required | None / Low / High | Privilege level the attacker needs |
| User Interaction | None / Passive / Active | Whether a user must take action for exploitation |
| Confidentiality Impact | None / Low / High | Impact on data secrecy |
| Integrity Impact | None / Low / High | Impact on data or system integrity |
| Availability Impact | None / Low / High | Impact on system availability |
Priority Score Calculation
Priority Score Calculation
The overall finding priority score combines severity with confidence:
severity (0–10) × confidence (0–10) = a 0–100 scale for ranking and filtering.This means a high-severity finding with low confidence ranks lower than a medium-severity finding with high confidence — helping you focus on issues that are both impactful and reliably identified.Language Coverage
Python
JavaScript / TypeScript
Java
Go
Ruby
PHP
C / C++
C#
Rust
Swift / Objective-C
Kotlin
Scala
Dart
Elixir
Nim
AL (Business Central)
Key Capabilities
75% Fewer False Positives
AI validation reviews every finding in context, filtering out issues that aren’t actually
exploitable.
Novel Vulnerability Detection
Deep AI analysis discovers vulnerabilities that pattern-matching alone cannot find, including
business logic flaws.
Application-Aware Findings
Each finding is tied to the specific service or module it affects, with tech stack and
architecture context.
Data Flow Visualization
Source-to-sink traces show exactly how tainted data reaches vulnerable operations. Every
exploitable finding includes a mandatory data flow path.
Attack Step Breakdown
Each finding includes a step-by-step description of how an attacker would exploit the
vulnerability, from prerequisites through impact — helping AppSec engineers quickly assess risk.
An expandable Exploit Walkthrough shows the ordered sequence of actions an attacker would take.
These attack steps are also available as structured data in the issue detail API response,
making them easy to consume in automated workflows and integrations.
Deterministic Results
Same codebase at the same commit produces the same findings, enabling reliable audits and
compliance tracking.
Auto-Fix Capable
Qualifying findings can be automatically patched with AI-generated code fixes.
Multi-Engine Secrets Detection
Secrets scanning runs multiple detection engines in parallel, cross-referencing results to
maximize coverage while deduplicating overlapping findings from different engines.
On-Demand Investigation
Request a deeper re-investigation of any finding using larger AI models for higher-confidence
validation results. You can trigger investigations from the issue detail view — including via the
Reinvestigate action in the issue actions menu — and monitor progress in real time.
Investigation
You can request on-demand investigation of any finding to get a deeper, higher-confidence assessment. When you trigger an investigation, ZeroPath re-evaluates the finding using more powerful AI models:- SAST findings are re-validated with a larger model that examines exploitability with more context and nuance.
- SCA direct dependency findings undergo reachability analysis to determine whether the vulnerable code path is actually reachable in your project. Results are labeled as “Likely Reachable” or “Likely Not Reachable” to reflect the probabilistic nature of the analysis, and include a detailed reachability summary explaining the reasoning.
- SCA transitive dependency findings go through a two-phase process: first a triage step determines whether exploitability can even be assessed, and if so, a full reachability analysis traces the dependency chain to see if the vulnerability is reachable through parent packages.
Adoption Checklist
Connect Your Repository
Add your repo via GitHub App, GitLab, Bitbucket, or direct URL. See Quick Start.
Review Findings
Browse findings in the dashboard, grouped by severity, application, and category. You can filter
findings by type — including SAST, SCA, Secrets, IaC, CI/CD, and EoL — to focus on what matters
most to your team.
Configure Thresholds
Adjust confidence filtering and PR check failure thresholds to match your team’s tolerance.
Define Custom Rules
Add natural-language rules for organization-specific security policies. See Custom
Rules.