Skip to main content

How It Works

ZeroPath PR scanning analyzes the code changes in your pull requests and merge requests, catching security issues before they’re merged. Scans run automatically when a PR is opened or updated, and results appear directly in your VCS.

Diff-Focused Analysis

Only changed files and surrounding context are analyzed — fast and targeted. Large diffs are handled gracefully: the AI agent can inspect specific file diffs through tools rather than requiring the entire diff inline, so even very large pull requests receive full agent-based analysis.

Differential Comparison

Scans both target and PR branches, surfacing only new findings in the PR.

Parallel Security Tools

SAST, SCA, Secrets, and IaC run simultaneously on changed code. If the AI analysis times out or encounters an error, findings from independently completed tools (such as secrets and SCA) are preserved.

AI Validation

Every finding is validated in the context of the diff to minimize false positives.

Supported Platforms

PlatformTriggerCheck StatusInline Comments
GitHub (Cloud & Enterprise Server)GitHub App webhookGitHub Check RunsYes
GitLab (Cloud & Self-hosted)Merge Request webhook / Pipeline webhookCommit Statuses / PipelineYes
Bitbucket (Cloud & Data Center)Pull Request webhookBuild StatusesYes
Azure DevOpsPull Request webhookBuild StatusesYes
All four platforms support the full PR scanning feature set: automatic triggering, status reporting, and inline code review comments.
Want to verify that your PR fixes a known vulnerability? See Fix Verification to learn how to reference issues in your PR description.

What Gets Analyzed

PR scanning is strictly diff-focused. It does not re-scan your entire codebase on every PR.
1

Fetch the Diff

Retrieves the unified diff from your VCS API (falls back to git diff if needed). When the PR branch shares no common ancestor with the target branch (for example, orphan branches or force-pushed histories), ZeroPath automatically falls back to a direct tree comparison so the scan can still proceed.
2

Identify Changed Files

Maps every changed hunk to its file and line numbers.
3

Run Security Tools in Parallel

On changed files only:
  • SAST — static analysis on both target and PR branches, surfacing only new findings. If your organization has configured custom natural-language SAST rules, those rules are also enforced on the changed code — the same rules that run during full scans are applied to the files touched by the PR, so violations are caught before merge.
  • SCA — dependency analysis when manifests/lockfiles changed (AI pre-screen skips if not relevant)
  • Secrets — scans the diff for hardcoded credentials
  • IaC — checks changed infrastructure files
4

Filter to Changed Regions

Only findings that directly overlap with actually changed lines in the diff are reported — there is no proximity buffer, so nearby-but-unrelated findings are excluded. New files are included entirely; deleted files are excluded.
5

Validate & Report

AI validation removes false positives. When a previously reported issue is re-evaluated and determined to be a false positive, it can be automatically resolved. Results are posted to your VCS as check statuses and inline comments.When a PR is updated after a previous scan was skipped (for example, because the earlier diff was not security-relevant), ZeroPath excludes the skipped scan from the refresh baseline. This ensures the incremental comparison covers the full set of PR changes rather than only the most recent update.

Check Status & Feedback

Results are reported through multiple channels:
A pass/fail check status is posted on your PR. This integrates with branch protection rules so you can require ZeroPath checks to pass before merging.
StatusMeaning
SuccessNo security-relevant issues found (or only below threshold)
FailureConfirmed vulnerabilities found above configured threshold
NeutralScan timed out (does not block merges by default). Timeout statuses are posted consistently across all supported VCS platforms, including for scans that time out while queued.
SkippedInfrastructure error (deliberately not a failure to avoid blocking merges). Error messages are specific to the failure type — for example, distinguishing repository access issues from transient service errors — for easier troubleshooting.
When you triage an issue (for example, marking it as false positive or resolved) on a PR that has been updated and rescanned, ZeroPath refreshes the check status on the PR’s current head commit rather than the scan where the issue was originally detected. This ensures that triage actions immediately reflect in the branch protection check your team sees, even after subsequent commits have been pushed to the PR.

Blocking Pull Requests

The default ZeroPath check name is ZeroPath Security Scan. If your organization uses a custom or white-labeled integration, require the exact check name that appears on a test PR.

GitHub

Use GitHub branch protection rules to require the ZeroPath check before merging.
1

Create a ZeroPath check run

Enable PR scanning and Check status posting in ZeroPath, then open or update a test pull request so GitHub has seen the ZeroPath Security Scan check at least once.
2

Open branch protection

In GitHub, go to your repository’s Settings > Branches, then add or edit the branch protection rule for the branch you want to protect, such as main.
3

Require the ZeroPath check

Select Require status checks to pass before merging, search for ZeroPath Security Scan, and select it. If GitHub asks for the expected source, choose the ZeroPath GitHub App rather than “any source”.
4

Save and test

Save the rule, push a commit to the test PR, and confirm GitHub blocks the merge until the ZeroPath check reports success.

GitHub branch protection docs

See GitHub’s official steps for requiring status checks in a branch protection rule.

GitLab

Use GitLab’s merge checks to require the pipeline that contains the ZeroPath status to succeed before merging.
1

Create a ZeroPath status

Enable PR scanning and Check status posting in ZeroPath, then open or update a test merge request so GitLab shows ZeroPath Security Scan in the merge request’s pipeline or status area.
2

Open merge request settings

In GitLab, go to the project and select Settings > Merge requests.
3

Require successful pipelines

In Merge checks, select Pipelines must succeed, then save your changes. GitLab will block the merge until the relevant pipeline, including the ZeroPath status, is successful.
4

Verify the gated pipeline

Push a commit to the test merge request and confirm the ZeroPath Security Scan status appears in the pipeline that GitLab evaluates for the merge request. If you run both branch and merge request pipelines, make sure the ZeroPath status is attached to the merge request pipeline GitLab uses for the merge gate.

GitLab successful pipeline docs

See GitLab’s official steps for requiring a successful pipeline before merge.

GitLab external commit status docs

See how GitLab represents statuses from external systems inside pipelines.

Bitbucket

Use Bitbucket merge checks to require successful build statuses before merging.
1

Create a ZeroPath build status

Enable PR scanning and Check status posting in ZeroPath, then open or update a test pull request so Bitbucket shows the ZeroPath Security Scan build status on the latest commit.
2

Open branch restrictions or merge checks

For Bitbucket Cloud, open the repository settings and go to Branch restrictions under Workflow. For Bitbucket Data Center, open Repository settings > Merge checks or Repository settings > Required builds.
3

Require successful builds

In Bitbucket Cloud, add a branch restriction for the protected branch and enable Minimum number of successful builds for the last commit with no failed builds. Set the minimum to at least 1.
4

Enforce the merge check on Bitbucket Cloud

On Bitbucket Cloud Premium, enable Prevent a merge with unresolved merge checks so the successful-build requirement blocks merging. Without that setting, Bitbucket warns users about unresolved merge checks but may still allow the merge.
5

Require the ZeroPath build on Data Center

In Bitbucket Data Center, enable Minimum successful builds or add a Required builds rule for the ZeroPath build key if your instance supports required builds.
6

Save and test

Push a commit to the test PR and confirm Bitbucket blocks the merge until the latest commit has a successful ZeroPath build status.

Bitbucket Cloud merge check docs

See Bitbucket Cloud’s official steps for requiring successful builds before merge.

Bitbucket Data Center merge check docs

See Bitbucket Data Center’s official merge check and required build documentation.

Bot Commands

You can drive ZeroPath directly from your PR or merge request by mentioning the bot in a comment — triage findings, assign tickets, generate patches, rescan, or ask natural-language questions. The bot acknowledges immediately and updates the same comment in-place when the action completes. When the job finishes, ZeroPath also posts a follow-up reply in the same thread with a summary of the result (or an error message if the job failed), so the outcome is visible inline without navigating to the dashboard. A few common examples:
PR comment
@ZeroPath fp issue 2 because input is sanitized upstream
@ZeroPath assign issue 3 to alice@example.com
@ZeroPath generate patch issue 2
@ZeroPath rescan force
@ZeroPath retriage because we added input validation
When a command includes an explicit target (such as issue 2), that target always takes priority — even if the command is posted as a reply under a different finding’s comment thread. The thread context is used as a fallback only when no target is written in the command text. For example, @ZeroPath fp issue 2 posted as a reply under issue 5’s thread will act on issue 2, not issue 5. For the full command reference — every keyword, alias, target form, the because modifier, RBAC requirements, and platform support — see Bot Commands. When you change an issue’s status via a bot command, a vulnerability status changed notification is sent through your configured notification channels. The notification includes the previous status, new status, and who made the change, so your team has full visibility into triage decisions made from PR comments.
Bot commands are supported on GitHub and GitLab. Bitbucket and Azure DevOps support PR scanning but not bot commands yet. Use @ZeroPath as a universal alias, or replace it with your environment’s configured bot username.
Comments that appear to contain prompt injection content are automatically blocked. If you receive a rejection message, rephrase your question as a direct inquiry about the reported issue.
Bot commands must come from a human account. Comments from bot accounts (including other GitHub Apps) are automatically ignored to prevent feedback loops and ensure that every command is attributable to a real user.
When the bot answers questions about secrets findings, the raw secret value is automatically masked in its reply. The assistant receives and posts only the redacted form, so cleartext credentials are never echoed back into your pull request comments.
Bot commands require your VCS account to be linked to a ZeroPath user. On GitHub, you can link your account by setting your GitHub public email (Settings → Public profile) to match your ZeroPath account email, then commenting on a PR. The link is saved permanently, so you can switch the email back to private afterward. On GitLab, contact your org admin to link your account.
If the PR references specific vulnerabilities using ZP-ID tags or dashboard issue URLs (see Fix Verification), retriage re-runs fix verification against the latest PR code instead of the standard investigation flow. This checks whether the current PR changes actually resolve the referenced issues. If a fix verification is already in progress for the PR, the bot will let you know rather than creating a duplicate.

Configuration

All PR scanning settings follow an Organization → Tag → Repository inheritance cascade. Repository-level overrides take precedence.
SettingDefaultWhat It Controls
PR scanning enabledOffMaster on/off switch for PR scanning on a repository. The current status is visible in the repository detail view and API response.
Inline review commentsOnPost inline comments on affected diff lines
PR summary (issues found)OnPost a summary comment when the scan finds issues
PR summary (clean scan)OnPost a summary comment when the scan finds no issues
Detailed vulnerability infoNot setInclude vulnerability descriptions, severity scores, and remediation details in PR summary comments. When not explicitly set, downstream settings apply.
Check status postingOnPost pass/fail check status to VCS
Result inclusion threshold0Minimum score for a finding to appear in PR feedback
Check failure threshold75Priority score at which the check is marked as failing. Must be greater than or equal to the result inclusion threshold.
Scan timeout10 minMaximum time before the scan is marked as timed out. When the scan runs out of time before the AI agent can complete, ZeroPath preserves any findings already produced by other tools (such as secrets and SCA) rather than discarding the entire scan.
Auto-patching on PR scansOnGenerate fix suggestions for findings in the PR
Scan draft MRsOffWhether to scan draft pull requests and merge requests. By default, drafts are skipped and scanned automatically once marked ready for review. Enable to scan them immediately when opened or updated.
Scan bot PRsOffWhether to scan PRs opened by automation/bots
Allow PR check bypassOnWhen enabled, a Bypass Check button appears on failing PR security checks, allowing authorized developers to override a blocking result. Disable this to remove the button entirely and prevent any bypass. In monorepo or multi-repository setups where a single PR triggers scans for more than one repository, the button is shown only when every repository involved in the PR allows bypass — if any repository has bypass disabled, the button is suppressed across all partitions of that PR check.
Tool togglesAll onEnable/disable SAST, SCA, Secrets, and IaC individually for PR scans

Automatic Repository Sync (GitHub)

ZeroPath automatically keeps your repository metadata in sync when changes happen on GitHub. The following events are detected and handled in real time via webhooks:
EventWhat Happens
Repository renamedThe repository name is updated across ZeroPath, including all linked scan configurations
Repository transferredOwnership and URL are updated to reflect the new organization or user
Repository archivedThe repository is marked as archived in ZeroPath — no new scans will be triggered
Repository unarchivedThe repository is restored to active status and scans resume normally
Repository deletedThe repository and its associated data are removed from ZeroPath
No manual action is required — these changes propagate automatically as long as the ZeroPath GitHub App is installed.

How PR Scanning Differs From Full Scans

AspectPR ScanFull Scan
ScopeChanged files only (diff-focused)Entire repository
TriggerAutomatic on PR open/updateManual, scheduled, or on push
SpeedFast (minutes)Thorough (longer)
DifferentialYes — subtracts existing target-branch findingsNo
ResultsVCS check + inline comments + dashboardDashboard only
SCA gateAI decides if dependency files changedAlways runs
Timeout10 minutes (configurable)Longer timeouts

Adoption Guide

1

Enable PR Scanning

Toggle it on in your repository’s scanner settings.
2

Install the VCS Integration

Ensure your GitHub App, GitLab installation, Bitbucket integration, or Azure DevOps connection is configured.
3

Open a PR

ZeroPath will automatically scan it and post results.
4

Configure Branch Protection

Add the ZeroPath check as a required status check in your VCS branch protection rules.
5

Tune Thresholds

Adjust the check failure threshold and result inclusion threshold to match your team’s tolerance.
6

Review Inline Comments

Address findings directly in your code review workflow.