Choose your scan model and control which PRs get scanned

Model tier selection: When you run a cost estimation, you can now choose between Default and Legacy AI models before the scan starts. Default uses the current generation; Legacy gives you the previous generation if you need it for reproducibility or cost reasons.
Per-scan AI triage: Large scans now include AI-assisted finding triage automatically, while smaller scans let you opt in at the checkout step. The triage fee is applied to your credit balance alongside the scan cost, so you see the full charge before confirming.
Mark Resolved from Slack: The finding overflow menu in Slack now includes a “Mark Resolved” action alongside Mark Valid, Mark False Positive, and Mark Accepted Risk. You can also type !fixed or !resolved as a thread reply to resolve a finding without leaving Slack.
Author and label filters in repo config: .hacktron/config.yaml now supports skip.authors, include.authors, and include.labels fields. Use them to skip bot PRs by author, restrict scanning to PRs from specific contributors, or trigger scans only when a particular label is applied.

Start a Whitebox scan → · Connect Slack → · Configure repo scanning →
A new Context page for your repositories, applications, and threat models

Context page: A dedicated Context page now gathers what Hacktron knows about your code, split across Repositories and Applications tabs. Cards are sorted by most recent threat-model update and show a badge for each model’s status; clicking one opens its threat model.
Applications: Group related repositories into an application, and Hacktron synthesizes an application-level threat model by merging the threat models of its member repos. You can scan an application as a single target so findings are grounded in the combined model, and any context documents you upload to the application are folded into it.
Threat models: Repository and application threat models now open in an inline reading view with a file tree and outline, and you can edit them with your changes preserved across regenerations.
Redacted findings on public PRs: For public repositories, the PR review comment no longer includes full titles, descriptions, proof-of-concept code, or file locations for findings outside the changed lines. You see a count and a link back to Hacktron, so sensitive details stay out of the public thread. Private and internal repos are unchanged, and inline comments on the diff itself are unaffected.
Org-level fail-on severity default: Organization admins can now set a default severity threshold for PR/MR checks in settings. Individual repo configs still take precedence when set.
Enterprise SSO sign-in: A dedicated single sign-on page and a “Single sign-on (SSO)” button on the login screen let users authenticate via your organization’s SAML or OIDC identity provider. Invite tokens survive the IdP round-trip, so onboarding links still work.
Duplicate marking in the MCP tool: The update_finding MCP tool now accepts a duplicate_of field so you can mark or unmark duplicates programmatically.

Explore the Context page → · Group repositories into an application → · Learn how threat models work → · Set a fail-on severity threshold → · Read the API reference →
Dismiss a finding and your PR check clears instantly

PR and MR checks update on triage: When you mark a finding as a false positive or accepted risk, the GitHub check or GitLab commit status flips back to passing right away, with no manual re-run needed. If you later reopen the finding, the check fails again to match.
Close findings as duplicates: You can now mark a finding as a duplicate of another finding in the same repository, and unmark it if needed. A duplicated finding inherits its canonical finding’s severity when the PR gate counts blocking issues.
Scan volume chart: The dashboard’s scan volume widget now shows a stacked bar chart instead of a line graph, with a tooltip on each bar showing the Code Review and Whitebox scan counts for that day.
Upload scans named after the archive: When you start a Whitebox scan from an uploaded archive, the scan now takes the archive’s filename as its name instead of a generic label.
Legal agreement before trial or billing: You now review and accept the terms of service before starting a free trial or adding a payment method.

Set up GitHub or GitLab →
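The gate rules stated in this entry and the previous one (a repo fail-on severity overrides the org default, a false positive or accepted risk drops a finding from the check, reopening brings it back, and a duplicate counts with its canonical finding's severity) as a small added example; this is illustrative code, not Hacktron's implementation. The finding dict layout, the severity ranking and the sample findings are constructed for the example.

```python
# Severity ranking used by the gate; the names are an assumption for this example.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Triage states that take a finding out of the gate, per the changelog.
NON_BLOCKING = {"false_positive", "accepted_risk", "resolved", "closed"}


def effective_threshold(org_default, repo_fail_on=None):
    """The repo config's fail-on severity takes precedence when set."""
    return repo_fail_on if repo_fail_on is not None else org_default


def effective_severity(finding, by_id):
    """A duplicate inherits the severity of its canonical finding."""
    canonical = by_id.get(finding.get("duplicate_of"))
    return canonical["severity"] if canonical else finding["severity"]


def blocking_findings(findings, threshold):
    """IDs of findings that still count against the fail-on threshold."""
    by_id = {f["id"]: f for f in findings}
    blocking = []
    for f in findings:
        # A finding's own triage state decides whether it is counted; the
        # changelog does not say a duplicate follows its canonical's state.
        if f["state"] in NON_BLOCKING:
            continue
        if SEVERITY[effective_severity(f, by_id)] >= SEVERITY[threshold]:
            blocking.append(f["id"])
    return blocking


def check_status(findings, org_default="high", repo_fail_on=None):
    """'failure' or 'success', mirroring the GitHub check / GitLab status."""
    threshold = effective_threshold(org_default, repo_fail_on)
    return "failure" if blocking_findings(findings, threshold) else "success"


def retriage(findings, finding_id, state):
    """Return a copy of findings with one finding moved to a new state."""
    return [dict(f, state=state) if f["id"] == finding_id else f for f in findings]


# Constructed sample findings on one PR.
SAMPLE = [
    {"id": 1, "severity": "high", "state": "open", "duplicate_of": None},
    {"id": 2, "severity": "low", "state": "open", "duplicate_of": 1},
    {"id": 3, "severity": "critical", "state": "false_positive", "duplicate_of": None},
]
```

With the org default at high, findings 1 and 2 block (2 is a low duplicate that inherits high); a repo override of critical passes the check, and triaging 1 and 2 away flips it to success until one is reopened.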
Control your scans and account security like never before

Multi-factor authentication controls: Secure your account with MFA requirements and additional verification steps. Admins can enforce MFA across their organization.
API access through MCP protocol: Connect external tools and scripts to Hacktron’s finding-triage toolset through a new remote MCP server endpoint with OAuth and API key authentication.
Skip scans with repository configuration: Use .hacktron/config.yaml to skip pull request scans based on file patterns, keywords in titles, or labels.

Secure your account with MFA → · See MCP integration → · Configure repository scanning →
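An added example of how the repository-configuration rules from this entry (skip by file pattern, title keyword or label) and the skip.authors, include.authors and include.labels fields from the first entry combine to decide whether a PR is scanned; this is illustrative code, not Hacktron's own. The nesting of the parsed config, the names paths, title_keywords and skip.labels, and the sample PRs are assumptions constructed for the example.

```python
from fnmatch import fnmatch

# Stands in for the parsed .hacktron/config.yaml (nesting assumed for this
# example). skip.authors, include.authors and include.labels are the field names
# the changelog gives; paths, title_keywords and skip.labels are assumed names.
CONFIG = {
    "skip": {
        "authors": ["dependabot[bot]", "renovate[bot]"],
        "paths": ["docs/**", "*.md"],
        "title_keywords": ["chore:", "[skip-scan]"],
        "labels": ["no-scan"],
    },
    "include": {
        "authors": [],                  # empty: any author is eligible
        "labels": ["security-review"],  # scan only once this label is applied
    },
}


def should_scan(pr, config=CONFIG):
    """Return (decision, reason). Skip rules win over include rules."""
    skip, include = config.get("skip", {}), config.get("include", {})
    if pr["author"] in skip.get("authors", []):
        return False, f"author {pr['author']} is in skip.authors"
    title = pr["title"].lower()
    if any(kw.lower() in title for kw in skip.get("title_keywords", [])):
        return False, "title contains a skip keyword"
    if set(pr["labels"]) & set(skip.get("labels", [])):
        return False, "PR carries a skip label"
    patterns = skip.get("paths", [])
    # Skip on paths only when every changed file matches a skip pattern,
    # so a docs-only PR is skipped but a docs+code PR is still scanned.
    if patterns and pr["files"] and all(
        any(fnmatch(path, pat) for pat in patterns) for path in pr["files"]
    ):
        return False, "every changed file matches skip.paths"
    allowed = include.get("authors", [])
    if allowed and pr["author"] not in allowed:
        return False, f"author {pr['author']} is not in include.authors"
    required = include.get("labels", [])
    if required and not set(pr["labels"]) & set(required):
        return False, "none of include.labels is applied"
    return True, "no rule excluded this PR"


# Constructed sample PRs (author, title, labels, changed files).
BOT_PR = {"author": "dependabot[bot]", "title": "Bump lodash", "labels": ["security-review"], "files": ["package.json"]}
DOCS_PR = {"author": "alice", "title": "Update README", "labels": ["security-review"], "files": ["README.md", "docs/a.md"]}
AUTH_PR = {"author": "alice", "title": "Rework session cookies", "labels": ["security-review"], "files": ["src/auth.py"]}
UNLABELED_PR = dict(AUTH_PR, labels=[])
```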
GitLab now works just like GitHub

Automatic merge-request scanning: Connect a GitLab project and merge-request scans turn on by themselves, exactly as they do for GitHub. Turn them off per project whenever you want.
GitLab in signup and trials: Connect GitLab during signup or a trial and it follows the same guided setup as GitHub, start to finish.

Set up GitLab →
Go from a Slack alert to a fix in one click

Fix with AI in Slack: Finding alerts in Slack now carry a “Fix with AI” button that deep-links the issue straight into Cursor or Claude. See the alert, open your editor, fix it.
No-card free trials: Start a free trial without a credit card. You enter payment details only when you decide to subscribe.
Findings close themselves on abandoned PRs: Close a pull or merge request without merging and its findings move to a new “Closed” state. Reopen the PR and they come back, and anything you already triaged stays put.
Up-front unsupported-language notices: Cost estimation now tells you when a repository is mostly in a language Hacktron cannot scan yet, instead of failing with no explanation.
Clearer GitLab connection setup: The Connect GitLab dialog walks you through GitLab’s group Service Accounts step by step and adds a GitLab.com / Self-hosted toggle that matches the GitHub Enterprise setup.

Connect Slack → · Start a free trial →
Scan self-hosted GitHub Enterprise Server

GitHub Enterprise Server: Point Hacktron at self-hosted GitHub Enterprise Server for white-box scans and PR reviews, and run several Enterprise hosts next to github.com at the same time.
GitLab MR feedback matches GitHub: Merge-request comments now carry severity badges, collapsible proof-of-concept, trace diagrams, and a “Fix with AI” block. Trigger a review with @hacktronai review, and triage shows up the same across the web app, Slack, and the MR thread.
Scan an exact tag or commit: Target a specific tag or commit when you pick a repository for a Whitebox scan, not just a branch.
Richer Jira ticketing: Search large Jira projects and assignee lists while filing a ticket, and issues you create from a finding link back to it.

Set up GitHub Enterprise Server → · See how reviews work → · Set up Jira →
PR comments that fix the bug for you

Sharper GitHub PR comments: Pull-request comments now use crisp severity badges instead of emoji, with a “Fix with AI” prompt that reproduces the issue, fixes the root cause, and adds a regression test.

See how PR reviews work →
Share Code Review limits across your whole org

Org-pooled limits, annual seats, and a Usage page: Code Review limits are now pooled across your whole organization instead of capped per seat, you can buy developer seats on an annual prepaid plan, and a new owner-only Usage page shows usage and any overage for the period.
Redesigned sidebar navigation: Cleaner, collapsible sections that remember what you left open, with account actions moved into the sidebar header.
On-demand PR reviews: Comment @hacktron review on a pull request to review it on the spot, even on drafts or external-contributor PRs.
Request GitHub access without being an admin: If you do not own the GitHub organization, clicking Connect sends an installation request to your admin and marks it pending. The integration appears the moment they approve.
Smoother Jira setup: A cleaner Jira configuration and per-ticket dialog, with sensible defaults already on for new installs.
Slack Connect onboarding: Sign up with a work email and set up notifications right away through a Slack Connect step.

See billing and plans → · Set up Code Review →