Hacktron posts Code Review findings where developers already work.

Inline findings

Findings are posted inline on GitHub PRs and GitLab MRs when a vulnerability is detected in the code change.

Sometimes, a finding may involve code that is not directly within the diff. This can happen when Hacktron detects a vulnerability in, for example, a function that is called by code in the diff.

In this case, Hacktron may report the finding in the file affected (if it is changed as part of the PR/MR) or in an expandable “Findings outside diff” section.

Public repositories

When a repository is public, Hacktron keeps sensitive finding details out of the public pull request thread. In the summary review comment, findings outside the changed lines no longer show their title, description, proof-of-concept, or file location. Instead, you see a count and a link back to the finding in Hacktron. Inline comments on the diff itself are unaffected, so findings on the changed lines still appear in full. Private and internal repositories are unchanged and show complete finding details as usual.

Triage comments

You can leave triage comments on findings to help improve future reviews. This helps Hacktron understand whether something is a false positive, accepted risk, or a true positive finding. Every triage comment your team leaves on a finding becomes training signal. Over time, Hacktron Review builds a deep understanding of your specific attack surface and threat model, so reviews get sharper, with fewer false positives and more of the bugs that actually matter to your app.
You can comment directly on the finding in GitHub or GitLab with:
  • !fp <reason> to mark the finding as a false positive
  • !accepted_risk <reason> to mark the finding as an accepted risk
  • !valid <reason> to mark the finding as a true positive

Checks update on triage

Triaging a finding updates the pull request check right away. Marking a finding as a false positive or accepted risk removes it from the fail-on gate, so the GitHub check (or GitLab commit status) flips back to passing with no re-run. Reopen the finding and the check fails again to match.
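The triage command syntax above and the fail-on gate behaviour can be modelled in a few lines. The following Python is an added illustration, not Hacktron's own code: it parses `!fp`, `!accepted_risk` and `!valid` comments, and computes the check status with the assumption that any finding not marked false positive or accepted risk keeps the gate failing, and that `reopen()` clears the triage state again. The finding identifiers and comments are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Documented triage commands, each followed by a reason (a bare command is ignored).
TRIAGE_RE = re.compile(r"^\s*!(fp|accepted_risk|valid)\s+(\S.*)$", re.MULTILINE)

# Statuses that remove a finding from the fail-on gate (assumed gate rule).
GATE_EXEMPT = {"fp", "accepted_risk"}


@dataclass
class Finding:
    finding_id: str                 # constructed identifier, not a real Hacktron id
    triage: Optional[str] = None    # "fp", "accepted_risk", "valid" or None (untriaged)
    reason: str = ""


def parse_triage(comment: str) -> Optional[Tuple[str, str]]:
    """Return (status, reason) if the comment carries a triage command, else None."""
    match = TRIAGE_RE.search(comment)
    if match is None:
        return None
    return match.group(1), match.group(2).strip()


def apply_comment(finding: Finding, comment: str) -> bool:
    """Record the triage decision on the finding; returns False for non-triage comments."""
    parsed = parse_triage(comment)
    if parsed is None:
        return False
    finding.triage, finding.reason = parsed
    return True


def reopen(finding: Finding) -> None:
    """Reopening discards the triage decision, so the finding blocks the gate again."""
    finding.triage, finding.reason = None, ""


def check_status(findings) -> str:
    """'success' when every finding is fp or accepted_risk, otherwise 'failure'."""
    blocking = [f for f in findings if f.triage not in GATE_EXEMPT]
    return "failure" if blocking else "success"


if __name__ == "__main__":
    findings = [Finding("F-1"), Finding("F-2")]          # two open findings -> check fails
    apply_comment(findings[0], "!fp input is validated by the caller")
    apply_comment(findings[1], "!accepted_risk internal tool, mitigated by network policy")
    print(check_status(findings))                        # success
    reopen(findings[1])
    print(check_status(findings))                        # failure
```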

Feedback loop

Triage feedback helps Hacktron adapt to your codebase. Comments and project rules give Hacktron signal about what is urgent, trusted, irrelevant, or intentionally ignored for a specific repository. When a later commit fixes a finding, Hacktron can recognize the remediation and close stale alerts automatically.

Project rules

Add .hacktron/rules.md to provide repository-specific review context.

Project Management Apps

Send approved findings to Jira or Linear.