Workspace

Data Attribution

Transparent attributions and non-endorsement disclaimers for third‑party scanner modules and security data sources.

Last updated: February 14, 2026

Important notes

This page is provided for transparency. It is a best‑effort list of key third‑party scanner modules and security data sources. Some components are optional and plan-gated.

We do not publish deployment-provider or infrastructure details here. Attributions below refer to software packages, tools, and data sources used by the product.

Security findings are decision‑support outputs and can include false positives/negatives. You should validate results before remediation decisions.

Key disclosures

NVD API notice

This product uses the NVD API but is not endorsed or certified by the NVD.

OSV transparency

Zero Branch may use OSV data and OSV tooling for dependency vulnerability intelligence. Zero Branch is not endorsed by OSV or its maintainers.

OWASP ASVS attribution

Zero Branch can map findings to OWASP ASVS control areas to improve remediation context. This product is not endorsed or certified by OWASP.

Security data sources

NVD (National Vulnerability Database) API →

This product uses the NVD API but is not endorsed or certified by the NVD.
NVD data is provided by NIST under their terms. Zero Branch may normalize and enrich vulnerability records for display.

OSV (Open Source Vulnerabilities) →

Zero Branch may use OSV data and OSV tooling for dependency vulnerability intelligence.
Zero Branch is not endorsed by OSV or its maintainers.

OWASP ASVS (Application Security Verification Standard) →

Zero Branch can map findings to OWASP ASVS control areas to improve remediation context.
This product is not endorsed or certified by OWASP. Mappings are guidance and do not represent formal certification.

Trademarks, service marks, and logos are the property of their respective owners. Use of third‑party names does not imply endorsement, sponsorship, or affiliation.

Scanner modules and tools

Trivy →

Used for misconfiguration and license scanning where enabled.

Syft →

Used to generate SBOM inventory where enabled.

Grype →

Used for vulnerability scanning of SBOM packages where enabled.

Checkov →

Used for IaC scanning where enabled.

gitleaks →

Used for secret detection signals (including optional history scans) where enabled.

zizmor →

Used for GitHub Actions/workflow risk analysis where enabled.

OSV-Scanner →

Used for dependency vulnerability intelligence where enabled.

Trademarks, service marks, and logos are the property of their respective owners. Use of third‑party names does not imply endorsement, sponsorship, or affiliation.

For a narrative explanation of the scan pipeline and what each module does, see Process & Scanning.

← Back to home

Loading workspace data...

Important notes

This page is provided for transparency. It is a best‑effort list of key third‑party scanner modules and security data sources. Some components are optional and plan-gated.

We do not publish deployment-provider or infrastructure details here. Attributions below refer to software packages, tools, and data sources used by the product.

Security findings are decision‑support outputs and can include false positives/negatives. You should validate results before remediation decisions.

Key disclosures

NVD API notice

This product uses the NVD API but is not endorsed or certified by the NVD.

OSV transparency

Zero Branch may use OSV data and OSV tooling for dependency vulnerability intelligence. Zero Branch is not endorsed by OSV or its maintainers.

OWASP ASVS attribution

Zero Branch can map findings to OWASP ASVS control areas to improve remediation context. This product is not endorsed or certified by OWASP.

Security data sources

NVD (National Vulnerability Database) API →

This product uses the NVD API but is not endorsed or certified by the NVD.
NVD data is provided by NIST under their terms. Zero Branch may normalize and enrich vulnerability records for display.

OSV (Open Source Vulnerabilities) →

Zero Branch may use OSV data and OSV tooling for dependency vulnerability intelligence.
Zero Branch is not endorsed by OSV or its maintainers.

OWASP ASVS (Application Security Verification Standard) →

Zero Branch can map findings to OWASP ASVS control areas to improve remediation context.
This product is not endorsed or certified by OWASP. Mappings are guidance and do not represent formal certification.

Trademarks, service marks, and logos are the property of their respective owners. Use of third‑party names does not imply endorsement, sponsorship, or affiliation.

Scanner modules and tools

Trivy →

Used for misconfiguration and license scanning where enabled.

Syft →

Used to generate SBOM inventory where enabled.

Grype →

Used for vulnerability scanning of SBOM packages where enabled.

Checkov →

Used for IaC scanning where enabled.

gitleaks →

Used for secret detection signals (including optional history scans) where enabled.

zizmor →

Used for GitHub Actions/workflow risk analysis where enabled.

OSV-Scanner →

Used for dependency vulnerability intelligence where enabled.

Trademarks, service marks, and logos are the property of their respective owners. Use of third‑party names does not imply endorsement, sponsorship, or affiliation.

Data Attribution

Important notes

Key disclosures

Security data sources

Scanner modules and tools

More

Zero Branch Is In Controlled Rollout

Data Attribution

Important notes

Key disclosures

Security data sources

Scanner modules and tools

More