Projects and scans
Projects are the main organizational boundary in ZeroQuarry. They are how you turn individual scans into product history.
Use projects to group scans for a product, repository, service, mobile app, external target set, or release train.

Projects become the durable home for scan history, tags, lineages, and the cross-mode evidence that accumulates over time.
Projects
Every account starts with a default project. You can create additional projects from Projects in the sidebar or while creating scans through the API.
Use separate projects when you want to separate:
- product areas with different owners
- production services from test targets
- mobile apps from backend services
- bug bounty targets from internal assets
- customer or tenant-specific assessments
Project pages show scan history, mode, status, severity counts, tags, and summary statistics.
Model projects around decisions
A project should answer a question someone will ask later:
- "What security work happened for the billing service?"
- "Which scans supported the 2.8 mobile release?"
- "Did this finding recur after the fix?"
- "Which bug-bounty reports came from this target family?"
For most teams, one project per product or service is better than one project per scan. It keeps source, binary, and remote evidence together.
Use separate projects when ownership, data sensitivity, or authorization scope changes.
Scan names and tags
Names make individual reports easy to identify. Tags make scan history easier to filter.
Recommended tag patterns:
- asset type: api, web, android, firmware
- environment: staging, prod-like, internal
- workflow: ci, release, bug-bounty
- team or service name: billing, identity, mobile
For release reviews, include the version as a tag, such as v2.8.0-rc1.
For CI scans, include ci and the repository or service name.
Versions and rescans
Reports can be re-run without overwriting the previous result. A re-run creates a new scan version in the same lineage, preserving the older findings, PoCs, and chat history.
For Git-backed source scans, API-triggered scans can use auto_delta. When a
previous completed scan exists for the same Git URL set, ZeroQuarry can focus
the next scan on changed files and nearby data flow instead of repeating a full
repository audit.
Use lineages for "same target, new question" work:
- validate a fix
- rerun after a release-candidate change
- compare a fresh full scan with a delta scan
- preserve findings while changing notes or review settings
Status lifecycle
Common scan statuses:
| Status | Meaning |
|---|---|
| queued | The scan is waiting for a worker. |
| running | A worker is preparing targets or running agents. |
| awaiting_batch | Agent work finished, but Batch API artifacts are still pending. |
| completed | The report is ready. |
| failed | The scan stopped because of an error. |
| cancelled | A user cancelled the scan. |
Cancelled and failed scans may still contain logs and partial findings.
When to delete or free data
Deleting a scan removes the report and artifacts. Freeing clones removes on-disk cloned source material while preserving report evidence and findings.
Use clone cleanup when you want to reduce retained source data but still keep the security review record. Use scan deletion when the report itself should no longer be available.