How It Works
ZeroPath’s Static Application Security Testing (SAST) uses a multi-stage AI-powered analysis pipeline to discover vulnerabilities that traditional pattern-matching scanners miss:Automated Scanning
Runs on push, PR, or schedule. Builds an architecture model, analyzes code, and validates every
finding with AI.
Application-Aware
Identifies services and modules in your repo (e.g.,
/apps/payments) so findings are tied to
the right team.AI Validated
Reviews every candidate for exploitability and context, reducing false positives by up to 75%.
End-to-end Flow
Repository Checkout
ZeroPath clones your repository and pins the exact commit, ensuring repeatable results.
Application Discovery
An AI-powered analyzer maps your codebase’s services, modules, and entry points so each finding
can be attributed to the right application and team.
Multi-Stage Pattern Analysis
Broad static analysis rules run across all supported languages, producing an initial set of
candidate findings.
AI Validation & False-Positive Filtering
Each candidate is reviewed in context. The AI evaluates exploitability, code flow, and
surrounding logic to filter out false positives, reducing noise by up to 75%.
Deep Codebase Analysis
A context-aware AI agent performs deeper analysis, examining authentication flows, authorization
logic, business rules, and custom security policies.
Custom Rule Evaluation
Any natural-language rules you’ve defined are evaluated per-application, catching
organization-specific security policies.
Deduplication & Scoring
Findings are deduplicated across tools and historical scans. Each confirmed finding receives a
CVSS 4.0 severity score with AI-generated reasoning.
Running Scans
- Full Scans
- PR Scans
Comprehensive analysis of your entire codebase. Triggered manually, on schedule, or when code is pushed to monitored branches.On subsequent scans of the same branch, ZeroPath intelligently reuses results for unchanged files and focuses deep analysis only on changed files, significantly reducing scan time.
Vulnerability Categories
- Technical Vulnerabilities
- Business Logic Vulnerabilities
| Category | Examples |
|---|---|
| Injection | SQL injection, command injection, LDAP injection |
| Cross-Site Scripting (XSS) | Reflected XSS, stored XSS, DOM-based XSS |
| Server-Side Request Forgery (SSRF) | Internal service access, cloud metadata exfiltration |
| File Operations | Path traversal, local file inclusion, arbitrary file read/write |
| Insecure Deserialization | Object injection, remote code execution via deserialization |
| XML External Entity (XXE) | External entity expansion, SSRF via XML |
| Template Injection | Server-side template injection (SSTI) |
| Cryptography | Weak algorithms, hardcoded keys, insufficient key length |
| Open Redirect | Unvalidated redirect targets |
| CORS Misconfiguration | Overly permissive cross-origin policies |
| CSRF | Missing or bypassable cross-site request forgery protections |
| Denial of Service | ReDoS, resource exhaustion, algorithmic complexity |
| Information Disclosure | Sensitive data in responses, error message leakage |
| Reflection | Reflected input flaws, unsafe reflection |
| Memory Safety | Buffer overflows, use-after-free, out-of-bounds access |
| Input Validation | Missing or improper input validation |
| Configuration | Insecure defaults, debug mode in production |
Severity Scoring
ZeroPath uses CVSS 4.0 as its scoring standard. Every confirmed finding receives a structured score with AI-generated reasoning tied directly to the code.CVSS 4.0 Metrics Evaluated
CVSS 4.0 Metrics Evaluated
| Metric | Values | What It Captures |
|---|---|---|
| Attack Vector | Network / Local | Whether exploitable remotely or requires local access |
| Attack Complexity | Low / High | Reliability of exploit; whether special conditions are needed |
| Attack Requirements | None / Present | Whether prerequisites (specific config/state) are required |
| Privileges Required | None / Low / High | Privilege level the attacker needs |
| User Interaction | None / Passive / Active | Whether a user must take action for exploitation |
| Confidentiality Impact | None / Low / High | Impact on data secrecy |
| Integrity Impact | None / Low / High | Impact on data or system integrity |
| Availability Impact | None / Low / High | Impact on system availability |
Priority Score Calculation
Priority Score Calculation
The overall finding priority score combines severity with confidence:
severity (0–10) × confidence (0–10) = a 0–100 scale for ranking and filtering.This means a high-severity finding with low confidence ranks lower than a medium-severity finding with high confidence — helping you focus on issues that are both impactful and reliably identified.Language Coverage
Python
JavaScript / TypeScript
Java
Go
Ruby
PHP
C / C++
C#
Rust
Swift / Objective-C
Kotlin
Scala
Dart
Elixir
Nim
Key Capabilities
75% Fewer False Positives
AI validation reviews every finding in context, filtering out issues that aren’t actually
exploitable.
Novel Vulnerability Detection
Deep AI analysis discovers vulnerabilities that pattern-matching alone cannot find, including
business logic flaws.
Application-Aware Findings
Each finding is tied to the specific service or module it affects, with tech stack and
architecture context.
Data Flow Visualization
Source-to-sink traces show exactly how tainted data reaches vulnerable operations.
Deterministic Results
Same codebase at the same commit produces the same findings, enabling reliable audits and
compliance tracking.
Auto-Fix Capable
Qualifying findings can be automatically patched with AI-generated code fixes.
Adoption Checklist
Connect Your Repository
Add your repo via GitHub App, GitLab, Bitbucket, or direct URL. See Quick Start.
Configure Thresholds
Adjust confidence filtering and PR check failure thresholds to match your team’s tolerance.
Define Custom Rules
Add natural-language rules for organization-specific security policies. See Custom
Rules.