This release adds a new analysis flow, upgrades the Anthropic model our scans use to Opus 4.8, expands coverage beyond zero-knowledge circuits toward broader cryptography, introduces per-repository pages, lets us record manual audits alongside automated scans, adds per-repository scan guidance, and redesigns the public report, scan, and finding pages.
New Analysis Flow: gestalt
We are adding a new analysis flow, gestalt, that runs as part of every scan type (ZKAO, ZKAO Pro, and ZKAO Max). It first reasons from the protocol about what a correct, well-formed result should look like, then checks the code against those expectations, which expands the classes of bugs we can find.
Expanding Beyond ZK Circuits
Our coverage is growing past zero-knowledge circuits toward general cryptography. This release adds analysis for multi-party computation (MPC) and garbled circuits, and our scanning is no longer framed around circuits alone but around cryptography more broadly (ZKP, MPC, FHE, and more).
These join existing coverage for Circom, gnark, Jellyfish, Aleo/Leo, and Plonky3.
Upgraded Anthropic Analysis Model
We have upgraded the Anthropic model our scans use to its latest version, Opus 4.8, for deeper reasoning across complex cryptographic code.
Repositories Navigation and Per-Repo Pages
Projects now have a Repositories tab, and each repository gets its own page:
- The repository's own scans and findings, scoped to that repo
- Live HEAD status and a "scans on this commit" count
- An always-available Run scan button so you can launch analysis directly from the repo
Manual Audits by zkSecurity
Manual audits performed by zkSecurity can now be recorded and shown alongside automated scans. They are badged "Manual audit by zkSecurity" across scan lists, scan detail, and the public scan, report, and finding pages, so a human audit sits right next to automated analysis.
Per-Repository Scan Guidance
You can now provide a zkao.md file per repository to steer how zkao scans it. The guidance can be edited inline from the scan launch page by any project member (not just admins), and your edits are preserved when the repository's commit changes.
Repository Deletion Grace Period
Deleting a repository is no longer immediate. Hitting Delete now starts a 30-day grace period during which:
- New scans cannot be launched on the repository.
- Existing scans and findings stay visible, so you can review history before deciding.
- Any project admin can revert the deletion in one click.
- Queued scans are cancelled and their credits returned.
After 30 days, an admin can confirm the permanent deletion, which hides the repository, its scans, and its findings from the project. Any public share links you published for that repository's scans or findings are revoked at the same time.
Redesigned Public Pages
The public scan, report, and finding pages have a refreshed, lighter design:
- A severity strip and a numbered findings table
- Copyable findings and clickable source locations
- Shorter dates, back-to-top links, and a print-friendly table of contents
Embeddable Trust Widget
Building on the README badge, we now offer projects on paid plans an embeddable live trust widget that shows subscription status and the number of scans run this month. It is available from the project dashboard.
Plan and Billing Experience
Project settings now live under a unified Settings area, including your plan and billing:
- Low-credit banners with add-credits and upgrade actions on the plan page, project dashboard, and scan launch
- Cancel a subscription at period end and resume it before it lapses
- Reminder emails before a plan ends, and email notifications when a plan is subscribed, cancelled, or resumed
- For a repository that has never been scanned, we recommend the ZKAO baseline scan as a starting point
Other Changes
- New users now receive an email when an admin approves their account
- Leo and Circom code blocks in findings and reports now render with proper syntax highlighting
- Project dashboard refresh: a compact header, a merged risk-posture and findings-to-review card, and a richer activity feed
- The project findings page now shows confirmed findings only, with one aggregated row per scan
- Clearer false-positive labeling in scan lists and scan detail
- Scan lists now show scan type, credits used, and confirmed-finding counts
- The scan detail header shows the commit hash next to the repository, and the scans page has a "Launch new scan" CTA
- You can now select text in a file and ask about it directly, with the Ask bubble layered above the file viewer