ZeroPath for Claude Code
A security context layer for Claude. Your ZeroPath organization
becomes a read/write surface Claude can reason over — findings,
cross-repo code search, your team's triage history, custom rules —
alongside the file in front of you.
This plugin bundles two pieces of existing ZeroPath tooling for use
inside Claude Code:
- The
zeropath-mcp-server
for read/write access to your org's findings, rules, and code.
- The
zeropath-cli
for local-diff scanning (SAST + secrets + SCA + IaC).
Both are wired in automatically — you only fill in a Token ID and
Token Secret at install time.
What Claude can do with the plugin installed
Vanilla Claude can only read what you have open. With this plugin,
Claude can also:
- Search and read code across every repo in your ZeroPath
organization — not just what you have cloned locally.
- See every open, triaged, archived, and patched finding your
team has ever worked on, with the reasoning attached.
- Run security scans against your local edits using your team's
existing rule config, custom rules, and suppressions.
- Ask whether a finding is actually exploitable in your code,
not just theoretically reachable.
- Query your dependency vulnerabilities and CVE database
without leaving chat.
- List the API endpoints your scanners discovered for any repo.
- Author org-wide custom security rules from a plain-English
description, with a dry-run preview.
- Verify a fix landed by re-scanning and matching fingerprints.
- Open a PR with the verified diff without dropping back to
the terminal.
You don't have to remember new commands. Claude routes to the
right capability when your intent matches.
What you actually get
Your appsec team's context, in chat
> is this pattern flagged anywhere in our org?
> why was this finding marked false-positive last quarter?
> what does our team think about this class of bug?
ZeroPath is where your appsec team has already codified what's
risky in your codebase - custom rules they wrote after real
incidents, suppressions for noisy patterns that don't matter in
your stack, severity overrides based on actual exploitability,
investigations completed by senior reviewers, the
patched/FP/archived history.
Without this plugin, Claude operates without any of that. It can
spot a generic eval( but has no idea your team decided three
months ago that the one in templates/admin.ts is fine because
the input is signed upstream.
With the plugin, every answer Claude gives starts from that
institutional knowledge instead of trying to rediscover it.
Cross-repo reach
> have we used this dangerous regex anywhere else?
> show me callers of this function across the org
Claude can search and read code across every repo your ZeroPath
org has onboarded — not just what you have cloned locally. Returns
file:line citations from repos you've never opened. When you ask
about a finding in another repo, it pulls the source from there to
ground the explanation in actual code.
A scanner that runs where you write
> is this safe to ship?
/zeropath:scan runs ZeroPath's checks against your local diff in
seconds, using your team's existing rule config and suppressions —
not a one-off scan. If you try to git push or open a PR with
unscanned edits, the plugin gives a soft warning (never blocks).
Verified fixes, not guesses
> fix issue_abc123
/zeropath:fix explains the finding against your real call graph,
proposes a unified diff, applies it on your consent, then re-scans
to verify the issue is actually gone. Optionally opens a PR for
you.
Deep-dive on exploitability
> investigate the criticals
/zeropath:investigate asks ZeroPath whether a finding is actually
exploitable in your codebase — not just theoretically reachable.
Custom rules from chat
> flag any direct eval() usage in our checkout service
/zeropath:rule drafts a rule, shows you how many existing files
it would flag before you commit, then creates it org-wide on your
say-so.
Install
From inside Claude Code:
/plugin marketplace add ZeroPathAI/zeropath-agent-plugin
/plugin install zeropath@ZeroPathAI
