A security context layer for Claude. Your ZeroPath organization becomes a read/write surface Claude can reason over — findings, cross-repo code search, your team's triage history, custom rules — alongside the file in front of you.
This plugin bundles two pieces of existing ZeroPath tooling for use inside Claude Code:
- The `zeropath-mcp-server` for read/write access to your org's findings, rules, and code.
- The `zeropath-cli` for local-diff scanning (SAST + secrets + SCA + IaC).
Both are wired in automatically — you only fill in a Token ID and Token Secret at install time.
Vanilla Claude can only read what you have open. With this plugin, Claude can also:
- Search and read code across every repo in your ZeroPath organization — not just what you have cloned locally.
- See every open, triaged, archived, and patched finding your team has ever worked on, with the reasoning attached.
- Run security scans against your local edits using your team's existing rule config, custom rules, and suppressions.
- Ask whether a finding is actually exploitable in your code, not just theoretically reachable.
- Query your dependency vulnerabilities and CVE database without leaving chat.
- List the API endpoints your scanners discovered for any repo.
- Author org-wide custom security rules from a plain-English description, with a dry-run preview.
- Verify a fix landed by re-scanning and matching fingerprints.
- Open a PR with the verified diff without dropping back to the terminal.
You don't have to remember new commands. Claude routes to the right capability when your intent matches.
> is this pattern flagged anywhere in our org?
> why was this finding marked false-positive last quarter?
> what does our team think about this class of bug?
ZeroPath is where your appsec team has already codified what's risky in your codebase: custom rules they wrote after real incidents, suppressions for noisy patterns that don't matter in your stack, severity overrides based on actual exploitability, investigations completed by senior reviewers, and the patched/FP/archived history.
Without this plugin, Claude operates without any of that. It can spot a generic `eval(` but has no idea your team decided three months ago that the one in `templates/admin.ts` is fine because the input is signed upstream.
With the plugin, every answer Claude gives starts from that institutional knowledge instead of trying to rediscover it.
> have we used this dangerous regex anywhere else?
> show me callers of this function across the org
Claude can search and read code across every repo your ZeroPath org has onboarded — not just what you have cloned locally. It returns `file:line` citations from repos you've never opened. When you ask about a finding in another repo, it pulls the source from there to ground the explanation in actual code.
> is this safe to ship?
`/zeropath:scan` runs ZeroPath's checks against your local diff in seconds, using your team's existing rule config and suppressions — not a one-off scan. If you try to `git push` or open a PR with unscanned edits, the plugin gives a soft warning (never blocks).
> fix issue_abc123
`/zeropath:fix` explains the finding against your real call graph, proposes a unified diff, applies it on your consent, then re-scans to verify the issue is actually gone. Optionally opens a PR for you.
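As an added illustration of the re-scan-and-match step (example code written for this page, not ZeroPath's own fingerprinting, whose exact scheme the page does not describe): a fix that removes or adds lines shifts every finding below it, so matching on `file:line` alone reports the wrong thing. Matching on a fingerprint built from the rule, the path and the normalized snippet survives the shift. The rule ids, file path and snippets are constructed sample data.

```python
"""Fix verification by finding fingerprints (illustrative, not ZeroPath's code).

Compares a pre-fix and a post-fix scan two ways: naively by (path, line, rule),
and by a content fingerprint that ignores line numbers. The rule ids, paths and
snippets below are constructed sample data.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str
    line: int
    snippet: str


def normalize(snippet: str) -> str:
    """Collapse whitespace so a reformatted line keeps its fingerprint."""
    return re.sub(r"\s+", " ", snippet).strip()


def fingerprint(f: Finding, occurrence: int = 0) -> str:
    """Stable id from rule + path + normalized snippet. The line number is
    deliberately left out; `occurrence` disambiguates identical snippets
    flagged more than once in the same file."""
    material = "\0".join([f.rule_id, f.path, normalize(f.snippet), str(occurrence)])
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def fingerprints(findings):
    """Map fingerprint -> finding, numbering repeated identical snippets in
    file order so duplicates do not collapse into a single key."""
    seen, out = {}, {}
    for f in sorted(findings, key=lambda x: (x.path, x.line)):
        key = (f.rule_id, f.path, normalize(f.snippet))
        n = seen.get(key, 0)
        seen[key] = n + 1
        out[fingerprint(f, n)] = f
    return out


def diff_by_location(before, after):
    """Naive comparison on (path, line, rule): shows what goes wrong."""
    b = {(f.path, f.line, f.rule_id) for f in before}
    a = {(f.path, f.line, f.rule_id) for f in after}
    return {"fixed": len(b - a), "persistent": len(b & a), "new": len(a - b)}


def verify_fix(before, after):
    """Classify findings across the two scans by fingerprint."""
    b, a = fingerprints(before), fingerprints(after)

    def label(f):
        return f"{f.rule_id}@{f.path}"

    return {
        "fixed": sorted(label(b[k]) for k in b.keys() - a.keys()),
        "persistent": sorted(label(b[k]) for k in b.keys() & a.keys()),
        "new": sorted(label(a[k]) for k in a.keys() - b.keys()),
    }


# Constructed sample: the scan before the fix ...
BEFORE = [
    Finding("js.eval-injection", "src/checkout.ts", 10, "const total = eval(req.body.expr);"),
    Finding("js.sql-injection", "src/checkout.ts", 22,
            'db.query("SELECT * FROM orders WHERE id = " + id);'),
    Finding("js.sensitive-log", "src/checkout.ts", 30, "console.log(user.password);"),
]

# ... and the scan after it. The eval() call is gone, its replacement is two
# lines longer (everything below shifted by +2), and a formatter touched the
# query line. Nothing else changed.
AFTER = [
    Finding("js.sql-injection", "src/checkout.ts", 24,
            'db.query("SELECT * FROM orders WHERE id = "  +  id);'),
    Finding("js.sensitive-log", "src/checkout.ts", 32, "console.log(user.password);"),
]


if __name__ == "__main__":
    print("by location:   ", diff_by_location(BEFORE, AFTER))
    print("by fingerprint:", verify_fix(BEFORE, AFTER))
```

The location-based diff claims three findings fixed and two new ones introduced; the fingerprint diff reports the one real fix and two persistent findings. The `occurrence` counter matters in practice: without it, two identical `console.log(user.password)` lines in one file would share a fingerprint and a fix that removed only one of them would be reported as fixing both.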
> investigate the criticals
`/zeropath:investigate` asks ZeroPath whether a finding is actually exploitable in your codebase — not just theoretically reachable.
> flag any direct eval() usage in our checkout service
`/zeropath:rule` drafts a rule, shows you how many existing files it would flag before you commit, then creates it org-wide on your say-so.
From inside Claude Code:

```
/plugin marketplace add ZeroPathAI/zeropath-agent-plugin
/plugin install zeropath@ZeroPathAI
```

Fill in Token ID and Token Secret in the form Claude Code opens. The input is masked and the secret goes to your system keychain. Create a token under Settings → API Keys in ZeroPath.
Then fully quit Claude Code (Cmd+Q on macOS) and reopen. The new credentials take effect on the next launch.
Requires `uvx` on your PATH.
You don't run a separate setup or install step. After your token is filled in and you reopen Claude Code:
- Credentials and CLI are wired up automatically.
- Your repo is matched against your ZeroPath organization in the background. If it's already onboarded, every read/triage/fix scopes to it without you saying so.
- On the first session in a fresh project, the banner asks once whether to add a short ZeroPath usage block to your `CLAUDE.md` so future sessions know when to use which command:
  - `/zeropath:claude apply` — add it
  - `/zeropath:claude decline` — never re-ask
  - `/zeropath:claude preview` — see it first
  - `/zeropath:claude remove` — strip it later
You don't have to type these — Claude routes to them automatically when your intent matches. ("Is what I just wrote safe?" lands on `/zeropath:scan`. "What's open here?" lands on `/zeropath:findings`.)
| Command | What it does |
|---|---|
| `/zeropath:scan` | Scan files you edited this session. Drives a fix-and-rescan loop. |
| `/zeropath:findings` | List open issues, scoped to this repo by default. Also covers "any deps with CVEs?", "what endpoints do we expose?", "how are we doing overall?". |
| `/zeropath:explain` | Plain-language explanation of a finding — what it is, why it matters in this codebase. |
| `/zeropath:investigate` | Trigger ZeroPath's AI to assess whether a finding is actually exploitable. |
| `/zeropath:fix` | End-to-end remediation: explain, propose diff, apply, re-scan to verify, optional PR. |
| `/zeropath:triage` | Bulk archive / mark FP / update status. Scoped to this repo by default. Always confirms. |
| `/zeropath:rule` | Author a custom ZeroPath rule from a description. Dry-runs before committing. |
| `/zeropath:claude` | Apply / decline / preview / remove the ZeroPath usage block in your project `CLAUDE.md`. |
| `/zeropath:statusline` | Install or remove the persistent ZeroPath indicator at the bottom of Claude Code. Can extend an existing statusline. |
| `/zeropath:update` | Check for and apply plugin updates. |
To change your token later: `/plugin` → zeropath → Configure, then fully quit and reopen Claude Code.
Behavioral toggles (which hooks fire, scan limits, etc.) live in `.zeropath/plugin.json` (per-repo, checked in) or a per-user file. See the docs page for the full schema.
v1.0.0 — initial public release.
- Docs: zeropath.com/docs/developer-tools/claude-code
- Plugin issues: GitHub
- Community: Discord
- Email: support@zeropath.com
MIT — see LICENSE.