Zcodee Documentation

Zcodee is an AI-powered security analysis platform that scans your entire codebase and delivers a prioritized, actionable vulnerability report — with zero configuration required. Point it at your project and get results in seconds.

Zero setup. No config files, no rules to write, no false-positive tuning. Zcodee works out of the box across all major languages and frameworks. Start scanning in under a minute.

Why Zcodee

Traditional security scanners look at files in isolation. Zcodee understands how data flows across your entire codebase — catching vulnerabilities that only appear when multiple files interact. It finds what others miss.

Every finding comes with a plain-English explanation of the risk, the exact file and line where it lives, and a concrete fix suggestion. No cryptic rule IDs, no noise — just clear, actionable results your team can act on immediately.

What you get

Instant results

Scans complete in seconds. Get your full security report before your next commit.

Cross-file analysis

Detects vulnerabilities that span multiple files and service layers — not just single-file issues.

Actionable fixes

Every finding includes a plain-English explanation and a concrete code fix.

Smart rescans

Only changed files are re-analyzed. Rescans are fast and cost a fraction of the first scan.

How It Works

Zcodee combines deep code parsing with an AI engine trained on security patterns. It understands your code the way a security engineer would — tracing how data moves, where trust boundaries are crossed, and where assumptions break down.

The scan flow

Submit your code

Your CLI, VS Code extension, or GitHub Action sends your project files to Zcodee. Files are transmitted over TLS and never stored after the scan completes.

Smart filtering

Zcodee automatically focuses on security-relevant source files, skipping generated code, dependencies, and build artifacts. You only pay for what matters.

Incremental diff

Files that haven't changed since your last scan reuse cached results at zero cost. Only new and modified files go through full analysis.

Deep analysis

The AI engine parses your code's structure, traces data flows across files, and identifies vulnerabilities — including complex multi-file attack chains.

Prioritized report

Findings are ranked by severity and exploitability. A 0–100 risk score gives you an at-a-glance view of your project's security posture.

Risk score

Every scan produces a 0–100 risk score calculated from the severity and exploitability of findings. A score above 70 indicates critical issues that should be resolved before deployment. The score updates automatically as you fix issues and rescan.

Installation

CLI

The Zcodee CLI is the fastest way to scan a local project from your terminal.

Install from repo

cd UI/zcodee-CLI
npm install
node bin/zcode.js login

Scan a project

zcodee scan ./your-project
zcodee scan ./your-project --force   # ignore cache, full rescan

VS Code Extension

Search for Zcodee Security in the VS Code Extensions marketplace, or install directly from the terminal:

code --install-extension zcodee.zcode-security

Once installed, Zcodee runs in the background as you code. Vulnerabilities appear inline as diagnostics — hover any highlighted line to see the full description and fix.

GitHub Action

Add Zcodee to your CI pipeline to automatically scan every push and pull request. Create .github/workflows/zcodee.yml:

.github/workflows/zcodee.yml

name: Zcodee Security Scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Zcodee Scan
        uses: ./.github/actions/zcodee-scan
        with:
          api-key: ${{ secrets.ZCODEE_API_KEY }}
          api-url: ${{ vars.ZCODEE_API_URL }}
          fail-on-critical: 'true'

API key setup

All delivery methods authenticate with an API key from the dashboard under API Keys, or with email/password via zcodee login in the CLI.

CLI sign-in

zcodee login
zcodee whoami
zcodee scan ./your-project

Usage

Run your first scan

From the root of your project:

zcodee scan .

Scan a specific directory

zcodee scan ./src/api

Output formats

# Human-readable terminal output (default)
zcodee scan . --format text

# JSON — pipe to other tools or store results
zcodee scan . --format json > results.json

# SARIF — upload to GitHub Code Scanning
zcodee scan . --format sarif > results.sarif

Filter by severity

# Show only CRITICAL and HIGH findings
zcodee scan . --min-severity high

# Fail CI if any CRITICAL finding is found
zcodee scan . --fail-on critical

Reading your results

Each finding includes everything you need to understand and fix the issue:

Severity — CRITICAL, HIGH, MEDIUM, or LOW
Vulnerability type — what class of issue it is
Location — exact file and line number
Attack vector — how an attacker would exploit it
Impact — what data or systems are at risk
Fix suggestion — plain-English explanation and corrected code
Data flow trace — the path tainted data travels across your files

Capabilities

Zcodee covers a broad range of vulnerability classes — from classic injection attacks to complex business logic flaws and cloud misconfigurations. It goes well beyond what traditional SAST tools detect.

Vulnerability categories

Injection attacks

SQL, NoSQL, command, code, LDAP, XPath, template injection and more — detected across all supported languages.

Authentication & authorization

Authentication bypass, missing authorization checks, privilege escalation, weak session management, JWT vulnerabilities, and OAuth misconfigurations.

Business logic flaws

Workflow bypasses, race conditions, double-spending, price manipulation, and state transition abuse — vulnerabilities unique to your application's logic.

Cross-file data flows

Tainted data traced from entry point to sink across multiple files and service layers — catching vulnerabilities that single-file scanners miss entirely.

Secrets & cryptography

Hardcoded credentials, weak encryption, predictable tokens, secrets in logs or URLs, and missing encryption at rest or in transit.

Infrastructure & cloud

Cloud metadata SSRF, IAM over-permission, exposed S3 buckets, container escape risks, Kubernetes misconfigurations, and CI/CD pipeline vulnerabilities.

Supply chain

Vulnerable dependencies, dependency confusion attacks, malicious packages, and outdated libraries with known CVEs.

Configuration & deployment

Debug mode in production, verbose error messages, CORS misconfigurations, missing rate limiting, exposed admin panels, and insecure defaults.

Supported languages

Zcodee analyzes source code across all major languages and frameworks. If your stack isn't listed, it's likely still supported — the engine is language-agnostic for many vulnerability classes.

JavaKotlinScalaPythonRubyPHPJavaScriptTypeScriptGoC#RustSwiftCC++Groovy

Config & infrastructure files

DockerfileYAMLJSONXMLTerraformKubernetes manifests

Incremental Scanning

After your first scan, Zcodee remembers which files it has already analyzed. On every subsequent scan, only files that have actually changed are re-analyzed. Everything else reuses the previous results instantly — at zero cost.

What this means in practice

# First scan — full analysis of your project
zcodee scan .
# → 100 files analyzed

# After changing 8 files and rescanning
zcodee scan .
# → 8 files re-analyzed
# → 92 files reused from cache — instant, free

For typical development workflows, incremental scanning reduces both scan time and credit usage by 70–90%. The more you scan, the cheaper each scan gets.

How the cache works

The cache is tied to your project and your account. Any file you modify — even a single character — is automatically flagged for re-analysis. Deleted files are removed from the cache. Renamed files are treated as new. The cache is always consistent with your last completed scan.

API Reference

The Zcodee REST API lets you integrate security scanning directly into your tooling, dashboards, or custom workflows. All endpoints require a Bearer token or API key in the Authorization header.

Authentication

Authorization: Bearer <your-api-key>

Core endpoints

POST/auth/registerCreate account — receive API key immediately

POST/auth/loginLogin and receive a session token

POST/scans/initiateStart a scan — returns scan ID and cost estimate

GET/scansYour full scan history

GET/scans/{scanId}Status and summary of a single scan

GET/scans/{scanId}/findingsAll findings, sorted CRITICAL → LOW

DELETE/scans/{scanId}Cancel a scan in progress

GET/wallet/balanceCurrent scan credit balance

GET/wallet/transactionsFull credit transaction history

POST/api-keysGenerate a new API key

Full interactive API docs with request/response schemas are available at api.zcode.dev/swagger-ui.html

Integrations

VS Code Extension

The VS Code extension brings Zcodee directly into your editor. Vulnerabilities appear as inline diagnostics — the same way TypeScript errors do. Hover any highlighted line to see the full description, attack vector, and fix suggestion without leaving your editor.

The extension rescans automatically when you save a file, so your security posture stays current as you code.

GitHub Action

The GitHub Action integrates with GitHub Code Scanning. Results appear in the Security tab of your repository and as PR annotations. Configure it to block merges when CRITICAL findings are detected:

Block PRs on critical findings

- name: Run Zcodee Scan
  uses: zcodee-security/action@v1
  with:
    api-key: ${{ secrets.ZCODEE_API_KEY }}
    fail-on: critical
    upload-sarif: true

Teams & organizations

Team accounts let you share scan history and credits across your organization. Invite members, assign roles, and view your team's full security history from a single dashboard. Create an organization from the dashboard or via the API.

Available roles: Owner, Admin, Member, Viewer.

Security & Privacy

Your code stays private

Source files are transmitted over TLS and processed in isolated, ephemeral environments. Zcodee does not retain your source code after a scan completes. Only the scan findings and file fingerprints (for incremental scanning) are stored — never the code itself.

Credentials are never stored in plain text

Passwords are hashed using industry-standard algorithms before storage. API keys are hashed server-side — the raw key is shown exactly once at creation time and cannot be recovered. Store it securely.

Password reset

Password resets use a single-use token sent to your registered email. The token expires after 24 hours and is invalidated immediately after use. The reset flow is designed to prevent user enumeration — it always returns the same response regardless of whether the email exists.

Reporting a vulnerability

If you discover a security issue in Zcodee itself, please report it responsibly to security@zcodee.dev. We aim to respond within 48 hours and will credit you in our security acknowledgements.