zero

module
v0.0.0-...-515337b
Published: Jan 14, 2026 License: GPL-3.0

README

Zero

"Hack the planet!" - Engineering intelligence platform for repository analysis


Named after Zero Cool from Hackers (1995), Zero provides engineering intelligence tools and specialist AI agents for comprehensive repository assessment.

Quick Start

# Clone and build
git clone https://github.com/crashappsec/zero.git
cd zero
go build -o zero ./cmd/zero

# Authenticate with GitHub
gh auth login

# Optional: Sync Semgrep SAST rules
./zero feeds semgrep    # Sync Semgrep community rules

# Scan a repository
./zero hydrate strapi/strapi

# View results
./zero serve            # Open http://localhost:3000

Full Getting Started Guide - Prerequisites, installation, profiles, and troubleshooting.

What is Zero?

Zero is a Go CLI that provides Engineering Intelligence through 11 analyzers with 50+ features, aligned with industry frameworks (DORA, SPACE, LinearB).

6 Pillars of Engineering Intelligence
┌────────────────────────────────────────────────────────────┐
│     Productivity Pillars    │      Technical Pillars       │
├────────────────────────────────────────────────────────────┤
│  Speed │ Quality │  Team   │ Security │ Supply  │  Tech   │
│ (DORA) │ (Health)│(People) │  (Risk)  │  Chain  │ (Stack) │
└────────────────────────────────────────────────────────────┘

| Pillar | Analyzer | Key Metrics |
|---|---|---|
| Speed | devops, build | DORA metrics, cycle time, CI/CD optimization |
| Quality | code-quality, tool-config | Tech debt, complexity, linter/bundler config |
| Team | code-ownership, devx, repo-governance | Bus factor, contributors, branch protection |
| Security | code-security | Vulnerabilities, secrets, crypto issues |
| Supply Chain | code-packages | Dependencies, licenses, malware, SBOM |
| Technology | technology-identification, infra-config | Stack detection, Docker/K8s/Terraform config |

AI Agents

13 specialist agents (named after Hackers 1995 characters) for deep analysis:

| Agent | Character | Expertise |
|---|---|---|
| Zero | Zero Cool | Master orchestrator |
| Cereal | Cereal Killer | Supply chain, malware, CVEs |
| Razor | Razor | Code security, SAST, secrets |
| Blade | Blade | Compliance, SOC 2, ISO 27001 |
| Phreak | Phantom Phreak | Legal, licenses, privacy |
| Acid | Acid Burn | Frontend, React, TypeScript |
| Flu Shot | Flu Shot | Backend, APIs, databases |
| Nikon | Lord Nikon | Architecture, system design |
| Joey | Joey | Build, CI/CD optimization |
| Plague | The Plague | DevOps, Kubernetes, IaC |
| Gibson | The Gibson | DORA metrics, team health |
| Gill | Gill Bates | Cryptography, TLS, keys |
| Hal | Hal | AI/ML security, ML-BOM |

Use /agent in Claude Code to chat with Zero.

Scan Profiles

./zero hydrate owner/repo all-quick       # All scanners, fast (~2min)
./zero hydrate owner/repo all-complete    # All scanners, thorough (~12min)
./zero hydrate owner/repo code-security   # Security only
./zero hydrate myorg --demo               # Organization scan, skip large repos

Documentation

| Document | Description |
|---|---|
| Getting Started | Installation, prerequisites, first scan |
| Documentation Index | Full documentation |
| Scanner Reference | All scanners and features |
| Agent Reference | AI agent system |
| Configuration | Profiles, settings, customization |

Commands

./zero hydrate <target> [profile]  # Clone and scan
./zero status                       # Show analyzed projects
./zero checkup                      # Verify setup and tools
./zero serve                        # Start web UI
./zero feeds semgrep                # Sync Semgrep SAST rules
./zero list                         # List available scanners

Storage

.zero/
└── repos/owner/repo/
    ├── repo/              # Cloned repository
    └── analysis/          # Scanner results (JSON)
        ├── sbom.cdx.json
        ├── code-packages.json
        ├── code-security.json
        └── ...
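
An added example (not part of the Zero project's code) showing one way to consume this layout: it reads each sbom.cdx.json under the storage tree and lists the components whose CycloneDX licenses array is empty. It assumes the file is a standard CycloneDX JSON BOM; the function name Unlicensed, the acme/app repository and the sample components are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io/fs"
	"path"
	"testing/fstest"
)

// bom is the small subset of the CycloneDX JSON schema this check needs.
type bom struct {
	BomFormat  string
	Components []struct {
		Name, Version string
		Licenses      []json.RawMessage
	}
}

// Unlicensed reads every repos/<owner>/<repo>/analysis/sbom.cdx.json under root
// and returns, keyed by "owner/repo", the components with an empty licenses array.
func Unlicensed(root fs.FS) (map[string][]string, error) {
	paths, _ := fs.Glob(root, "repos/*/*/analysis/sbom.cdx.json") // constant pattern: cannot be ErrBadPattern
	out := map[string][]string{}
	for _, p := range paths {
		raw, err := fs.ReadFile(root, p)
		if err != nil {
			return nil, err
		}
		var b bom
		if err := json.Unmarshal(raw, &b); err != nil || b.BomFormat != "CycloneDX" {
			return nil, fmt.Errorf("%s: not a CycloneDX JSON BOM (err=%v, bomFormat=%q)", p, err, b.BomFormat)
		}
		key := path.Dir(path.Dir(p))[len("repos/"):] // "<owner>/<repo>"
		for _, c := range b.Components {
			if len(c.Licenses) == 0 {
				out[key] = append(out[key], c.Name+"@"+c.Version)
			}
		}
	}
	return out, nil
}

// Constructed sample, laid out like the storage tree above (not real scan output).
var sample = fstest.MapFS{"repos/acme/app/analysis/sbom.cdx.json": {Data: []byte(
	`{"bomFormat":"CycloneDX","components":[{"name":"a","version":"1.0.0"},` +
		`{"name":"b","version":"2.0.0","licenses":[{"license":{"id":"MIT"}}]}]}`)}}

func main() { fmt.Println(Unlicensed(sample)) }
```

To run it against real results, pass os.DirFS(".zero") instead of the sample.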

Contributing

Contributions welcome! See CONTRIBUTING.md.

All contributors must complete our Contributor License Agreement.

License

GNU General Public License v3.0

Copyright (c) 2025 Crash Override Inc. - https://crashoverride.com

Status: Alpha | Version: 6.0.0 | "Hack the planet!"

Directories

| Path | Synopsis |
|---|---|
| cmd/zero (command) | Package main is the entry point for the zero CLI |
| cmd/zero/cmd | Package cmd provides CLI commands for Zero |
| pkg/agent | Package agent provides the agent runtime for Zero |
| pkg/analyzer | Package analyzer provides confidence scoring for git-history-based analysis |
| pkg/analyzer/build | Package build provides the CI/CD optimization analyzer. Features: cost analysis, caching optimization, parallelization, flaky test detection |
| pkg/analyzer/code-ownership | Package codeownership provides code ownership analysis with benchmark tiers |
| pkg/analyzer/code-packages | Package codepackages implements the consolidated code packages analyzer. This analyzer generates SBOMs and performs comprehensive package analysis. |
| pkg/analyzer/code-quality | Package codequality provides the consolidated code quality analyzer |
| pkg/analyzer/code-security | Package codesecurity provides the consolidated code security analyzer |
| pkg/analyzer/common | Package common provides shared utilities for analyzer implementations |
| pkg/analyzer/developer-experience | Package developerexperience provides the consolidated developer experience analyzer. Features: onboarding, tooling, workflow |
| pkg/analyzer/devops | Package devops provides the consolidated DevOps and CI/CD security analyzer. Renamed from infra - now includes all infrastructure, CI/CD, and GitHub Actions security |
| pkg/analyzer/infra-config | Package infraconfig provides the infrastructure configuration analyzer |
| pkg/analyzer/repo-governance | Package repogovernance provides the repository governance analyzer |
| pkg/analyzer/technology-identification | Package techid provides the consolidated technology identification analyzer. Includes AI/ML security and ML-BOM generation |
| pkg/analyzer/tool-config | Package toolconfig provides the developer tool configuration analyzer |
| pkg/api | Package api provides the HTTP API layer for Zero |
| pkg/api/agent | Package agent provides agent chat functionality for the Zero API |
| pkg/api/banter | Package banter provides idle agent conversation generation for full personality mode |
| pkg/api/handlers | Package handlers provides HTTP request handlers for the Zero API |
| pkg/api/jobs | Package jobs provides background job queue functionality for async operations |
| pkg/api/middleware | Package middleware provides HTTP middleware for the Zero API |
| pkg/api/shared | Package shared provides common agent data for the API layer |
| pkg/api/types | Package types provides API type definitions for Zero |
| pkg/api/ws | Package ws provides WebSocket functionality for real-time updates |
| pkg/auth | Package auth provides authentication and authorization functionality for Zero IDP. |
| pkg/catalog | Package catalog provides types and operations for the service catalog. |
| pkg/core/config | Package config handles Zero configuration loading and management |
| pkg/core/credentials | Package credentials manages API keys and tokens for Zero |
| pkg/core/cyclonedx | Package cyclonedx provides CycloneDX BOM generation and export capabilities. |
| pkg/core/errors | Package errors provides sentinel errors and error utilities for Zero. |
| pkg/core/feedback | Package feedback provides types and storage for analyst feedback on findings |
| pkg/core/feeds | Package feeds provides external feed synchronization for security data |
| pkg/core/findings | Package findings provides standardized finding types for all scanners |
| pkg/core/github | Package github provides GitHub API interactions |
| pkg/core/languages | Package languages provides programming language detection utilities using go-enry (a Go port of GitHub Linguist) |
| pkg/core/liveapi | Package liveapi provides clients for live API queries (e.g., OSV) |
| pkg/core/logging | Package logging provides structured logging for Zero using slog. |
| pkg/core/rag | Package rag provides utilities for loading RAG (Retrieval-Augmented Generation) knowledge files that configure scanner behavior dynamically. |
| pkg/core/rules | Package rules provides Semgrep rule generation and management |
| pkg/core/sarif | Package sarif provides SARIF (Static Analysis Results Interchange Format) export. SARIF is a standard format for the output of static analysis tools. |
| pkg/core/scoring | Package scoring provides standardized score calculation utilities |
| pkg/core/status | Package status implements the status command for showing hydrated projects |
| pkg/core/suppression | Package suppression provides filtering of findings based on user feedback and context |
| pkg/core/terminal | Package terminal provides colored output and progress display |
| pkg/mcp | Package mcp provides an MCP server for Zero analysis data |
| pkg/reports/markdown | Package markdown generates markdown reports from analysis data |
| pkg/storage | Package storage provides database abstraction for Zero's data layer. |
| pkg/storage/sqlite | Package sqlite provides a SQLite implementation of the storage.Store interface. |
| pkg/workflow/automation | Package automation provides file watching and automated scan triggering |
| pkg/workflow/freshness | Package freshness provides staleness detection and freshness metadata tracking |
| pkg/workflow/hydrate | Package hydrate implements the hydrate command for cloning and scanning repos |
| pkg/workflow/vex | Package vex provides VEX (Vulnerability Exploitability eXchange) document generation. |
