Pull request security review

Catch security regressions while the author still remembers why the code changed.

Trigger a ZeroQuarry source review from GitHub Actions, focus the investigation on the diff and adjacent data flow, then route validated results into tickets or reviewable fix pull requests.

GitHub ActionsDelta-aware reviewNon-blocking to gated rollout

Make CI raise a useful security signal.

The best PR security process flags consequential changes early, preserves the report outside ephemeral CI logs, and escalates only when the risk justifies deeper work.

01

Risk-aware triggers

Run on authentication, authorization, billing, tenant, upload, webhook, parser, networking, and release-branch changes.

02

Changed-code context

Use Git history to focus agents on the diff while allowing investigation into callers, sinks, and business boundaries around it.

03

Explicit scan notes

Tell ZeroQuarry what the change is meant to do, which boundary matters, and what failure would be consequential.

04

Adversarial review

Challenge critical or expensive claims before asking engineering to stop the line.

05

Progressive gating

Begin with visibility, then gate on the severity and confidence threshold your team has learned to operate.

06

Fix and retest

Open tickets or bot-created PRs, preserve CI controls, and verify the finding after merge.

A concrete path through the work.

ZeroQuarry automates investigation and coordination. Your team keeps control of authorization, risk ownership, and production changes.

STEP 01

Trigger

Dispatch a source scan with the repository URL, project identity, notes, and auto-delta enabled.

STEP 02

Investigate

Review changed files and follow nearby data flow into the product’s sensitive boundaries.

STEP 03

Validate

Confirm evidence and product context before the result becomes a merge or release decision.

STEP 04

Close

Route the fix, merge through normal controls, rescan, and record a verified retest.

What the team gets back.

Useful coverage should lead to faster decisions, cleaner remediation, and evidence that holds up when someone asks for it later.

Faster security feedback

Review a risky change before context is spread across later releases and unrelated refactors.

Fewer disruptive gates

Tune policy around validated findings instead of blocking on every model suggestion.

Persistent change history

Keep scans, findings, discussions, fixes, and retests with the product project instead of losing them in an individual CI run.

Questions that come up in evaluation.

These are the product boundaries, controls, and operating details teams usually want to understand first.

Can ZeroQuarry scan private GitHub repositories?

Yes. Store a scoped Git credential in the account and reference its ID from the workflow. The generated workflow explains the setup.

What happens if the same scan is triggered twice?

Identical in-progress Git dispatches can be deduplicated, returning the existing scan so CI can follow it instead of starting duplicate work.

Should auto-fix branches trigger another scan?

Exclude the ZeroQuarryBot branch namespace from the scan trigger to avoid a feedback loop. The product and docs provide the branch filter.

Start with one real security boundary.

Use the free trial on your own product, then decide whether the resulting security work is useful enough to keep.