Workspace

Process & Scanning

A transparent view of how scans run, how findings are normalized, and how evidence is produced.

Operational Transparency

Zero Branch is built for teams that need repeatable security workflows, clear ownership signals, and trustworthy outputs. This page summarizes scan workflow and scanner coverage at a practical level.

End-to-end workflow

Connect repository access
You authorize repository access through approved connectors or provide a public repository URL. Access is bounded by workspace permissions.
Inventory repository context
Zero Branch maps files, languages, dependency manifests, and infrastructure configuration surfaces before deeper analysis starts.
Execute selected scanners
Security modules run based on plan entitlements and scan configuration, then emit normalized finding records.
Deduplicate and prioritize
Findings are grouped, severity-ranked, and enriched with actionable guidance to reduce alert fatigue.
Publish reports and evidence
The final report can be reviewed in-app and exported as signed evidence artifacts where available.

Scanner coverage

Dependency intelligence

Dependency intelligence and software inventory analysis

Dependency and package risk analysis with vulnerability correlation.

Infrastructure as code

Infrastructure policy and configuration analysis

IaC and configuration misconfiguration detection.

Secrets and credentials

Current and historical secret detection

Token/secret leak detection in repository content (and optional history paths).

CI/CD workflow hardening

Workflow security analysis

GitHub Actions and workflow risk analysis.

Advisory enrichment

External vulnerability intelligence feeds

Additional vulnerability context and normalization signals.

Feature access and throughput vary by plan. See pricing for current limits.

Security commitments

Private repository scanning is restricted to repositories the authenticated user can access.
Personal and organization workspaces are isolated, including connectors, repositories, scans, and reports.
Plan limits and queue controls are enforced to protect service reliability and tenant fairness.
Sensitive paths validate ownership, workspace context, role permissions, and callback authenticity.
Report outputs include integrity metadata for verification workflows.

Findings are decision-support outputs and should be validated within your own threat model.

Attribution and notices

Third-party scanner and vulnerability-data notices are centralized on the public attribution page.

View data attribution →

Loading workspace data...

End-to-end workflow

Connect repository access

You authorize repository access through approved connectors or provide a public repository URL. Access is bounded by workspace permissions.

Inventory repository context

Zero Branch maps files, languages, dependency manifests, and infrastructure configuration surfaces before deeper analysis starts.

Execute selected scanners

Security modules run based on plan entitlements and scan configuration, then emit normalized finding records.

Deduplicate and prioritize

Findings are grouped, severity-ranked, and enriched with actionable guidance to reduce alert fatigue.

Publish reports and evidence

The final report can be reviewed in-app and exported as signed evidence artifacts where available.

Scanner coverage

Dependency intelligence

Dependency intelligence and software inventory analysis

Dependency and package risk analysis with vulnerability correlation.

Infrastructure as code

Infrastructure policy and configuration analysis

IaC and configuration misconfiguration detection.

Secrets and credentials

Current and historical secret detection

Token/secret leak detection in repository content (and optional history paths).

CI/CD workflow hardening

Workflow security analysis

GitHub Actions and workflow risk analysis.

Advisory enrichment

External vulnerability intelligence feeds

Additional vulnerability context and normalization signals.

Feature access and throughput vary by plan. See pricing for current limits.

Security commitments

Private repository scanning is restricted to repositories the authenticated user can access.

Personal and organization workspaces are isolated, including connectors, repositories, scans, and reports.

Plan limits and queue controls are enforced to protect service reliability and tenant fairness.

Sensitive paths validate ownership, workspace context, role permissions, and callback authenticity.

Report outputs include integrity metadata for verification workflows.

Findings are decision-support outputs and should be validated within your own threat model.

Process & Scanning

End-to-end workflow

Scanner coverage

Security commitments

Attribution and notices

Zero Branch Is In Controlled Rollout

Process & Scanning

End-to-end workflow

Scanner coverage

Security commitments

Attribution and notices