This release brings deeper security analysis with new specialized flows, public-facing report generation, Gnark circuit support, and a much-improved GitHub integration.
Gnark Circuit Support
zkao now supports Gnark (Go-based) zero-knowledge circuits alongside Circom, with restructured bug guidance and proper Go tooling in the sandbox environment.
New Analysis Flows
We are expanding the depth and breadth of our security analysis with new specialized flows. Each flow takes a different angle on your codebase, and running them together helps us surface more issues:
- snarksentinel (our original flow): comprehensive security audit of your ZK circuits
- cryptopsy: reverse-engineers cryptographic protocol implementations and attempts to find weaknesses
- testator: generates comprehensive test suites targeting cryptographic edge cases
- paper-cuts: searches for known vulnerability patterns and generates proof-of-concept exploits
- invariants-hunter (improved): now supports priority-based audit scope with a shared overview step for cross-referencing
- overview-builder: generates structured scan overviews that synthesize findings across all flows
This is an ongoing experiment. We are actively monitoring how these flows perform and tuning them to maximize the number of real bugs found while keeping false positives low.
Public Reports
Report Builder
Project admins can now create professional public audit reports with an executive summary, table of contents, methodology section, and selectively disclosed findings. Reports are built through a dedicated UI with a report editor, bulk finding controls, and draft preview.
Shareable Public Pages
Each report gets a public URL with a print-friendly layout, OpenGraph metadata for link previews, and a document-style aesthetic. Individual scans and findings can also be shared publicly with per-artifact publish permissions, optional notes, and activity logging.
GitHub Integration
The GitHub integration has been overhauled with a two-token architecture: user OAuth for identity and GitHub App installations for repository access. This enables:
- Multi-org support: connect repos from different GitHub organizations within the same project
- Automatic installation discovery: the platform detects and uses the correct App installation per repository
- Cleaner connect/disconnect UI with collapsible states, and repos visible immediately after they are added
Multi-Provider LLM Support
We are experimenting with multiple LLM providers: Mistral, Google, and Anthropic alongside OpenAI. For now, all scans still run exclusively on OpenAI models, but we are evaluating other providers for specific analysis tasks and will expand support as results improve.
Other Changes
- Findings now display severity-accented card headers with copiable ZK-IDs
- New "Show unconfirmed" toggle on scan detail pages to filter the findings view
- Copy-as-markdown button for quickly exporting triage reports
- Triage breakdown (confirmed/invalidated/incident) included in scan completion notifications
- Mobile responsiveness overhaul across all pages
- Various performance improvements to page load times