Hacktron posts Code Review findings where developers already work.

Inline findings

Findings are posted inline on GitHub PRs and GitLab MRs when a vulnerability is detected in the code change.

Sometimes a finding involves code that is not directly within the diff. This can happen when Hacktron detects a vulnerability in, for example, a function that is called by code in the diff.

In this case, Hacktron may report the finding in the file affected (if it is changed as part of the PR/MR) or in an expandable “Findings outside diff” section.

Triage comments

You can leave triage comments on findings to help improve future reviews. This helps Hacktron understand whether something is a false positive, accepted risk, or a true positive finding. Every triage comment your team leaves on a finding becomes training signal. Over time, Hacktron Review builds a deep understanding of your specific attack surface and threat model, so reviews get sharper, with fewer false positives and more of the bugs that actually matter to your app.
You can comment directly on the finding in GitHub or GitLab with:
  • !fp <reason> to mark the finding as a false positive
  • !accepted_risk <reason> to mark the finding as an accepted risk
  • !valid <reason> to mark the finding as a true positive
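As an added illustration (not Hacktron's own code), a small Python parser for the triage comment syntax above. The three command names come from this page; the verdict labels, the assumption that a command must start a line of the comment, and the sample comments are constructed here.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical parser for the documented triage commands:
# "!fp <reason>", "!accepted_risk <reason>", "!valid <reason>".
# Constructed for illustration; it is not Hacktron's implementation.

TRIAGE_COMMANDS = {
    "fp": "false_positive",
    "accepted_risk": "accepted_risk",
    "valid": "true_positive",
}

# Assumption: a command must start a line; the rest of that line is the reason.
# The word boundary stops "!fpx ..." from being read as "!fp".
_CMD_RE = re.compile(r"^\s*!(fp|accepted_risk|valid)\b[ \t]*(.*)$", re.MULTILINE)


@dataclass(frozen=True)
class Triage:
    verdict: str  # one of the values in TRIAGE_COMMANDS
    reason: str   # free text after the command; empty if none was given


def parse_triage_comment(body: str) -> Optional[Triage]:
    """Return the triage verdict expressed in a PR/MR comment, or None.

    Only the first triage command is honoured; other lines are treated as
    ordinary discussion and ignored.
    """
    m = _CMD_RE.search(body)
    if m is None:
        return None
    return Triage(verdict=TRIAGE_COMMANDS[m.group(1)], reason=m.group(2).strip())


# Constructed sample comments, as a reviewer might leave them on a finding.
SAMPLE_COMMENTS = [
    "!fp input is validated upstream in parse_request()",
    "Thanks for flagging this.\n!accepted_risk internal-only endpoint, tracked in ticket",
    "!valid",
    "Looks like a real issue but I'm not sure yet.",
]

if __name__ == "__main__":
    for c in SAMPLE_COMMENTS:
        print(repr(c), "->", parse_triage_comment(c))
```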

Feedback loop

Triage feedback helps Hacktron adapt to your codebase. Comments and project rules give Hacktron signal about what is urgent, trusted, irrelevant, or intentionally ignored for a specific repository. When a later commit fixes a finding, Hacktron can recognize the remediation and close stale alerts automatically.

Project rules

Add .hacktron/rules.md to provide repository-specific review context.

Project Management Apps

Send approved findings to Jira or Linear.