# Findings and feedback

> Understand where Hacktron posts Code Review findings and how feedback improves future reviews.

Hacktron posts Code Review findings where developers already work.

## Inline findings

Findings are posted inline on GitHub PRs and GitLab MRs when a vulnerability is detected in the code change.

<video autoPlay muted loop playsInline className="w-full aspect-video" src="https://mintcdn.com/hacktronai-changelog-e1a164be/dpUdS1BJ16uy6tXP/images/github_findings.mp4?fit=max&auto=format&n=dpUdS1BJ16uy6tXP&q=85&s=de0421b1dea89c4cf3d3785146f5a62d" data-path="images/github_findings.mp4" />

<Tip>
  <p>
    A finding can involve code that is not itself in the diff. This happens
    when Hacktron traces a vulnerability from the changed lines into code they
    reach, for example a function that the changed code calls.
  </p>

  <p>
    In that case Hacktron reports the finding inline in the affected file if
    that file is also changed in the PR/MR; otherwise it appears in an
    expandable **"Findings outside diff"** section of the review comment.
  </p>
</Tip>

## Public repositories

When a repository is **public**, Hacktron keeps sensitive outside-diff finding details out of the public pull request thread.

For findings outside your changes, the public comment shows the severity counts
and links back to Hacktron, but hides titles, descriptions, proof-of-concept
details, and affected file locations. Review the finding in Hacktron to see the
full details.

<img src="https://mintcdn.com/hacktronai-changelog-e1a164be/dpUdS1BJ16uy6tXP/images/public_repository_redacted_findings.png?fit=max&auto=format&n=dpUdS1BJ16uy6tXP&q=85&s=0a047ad11455188b7c2db88ab52a2549" alt="Public repository pull request comment with outside-diff finding details hidden" width="1391" height="1179" data-path="images/public_repository_redacted_findings.png" />

Inline findings on the diff itself are still shown in full, because they are
attached to changed code that the public pull request already exposes.

<img src="https://mintcdn.com/hacktronai-changelog-e1a164be/dpUdS1BJ16uy6tXP/images/inline_finding.png?fit=max&auto=format&n=dpUdS1BJ16uy6tXP&q=85&s=179023a21c44981332f8a837c6cc7560" alt="Inline findings" width="1654" height="1224" data-path="images/inline_finding.png" />

## Triage comments

You can leave triage comments on findings to tell Hacktron whether a finding is a
false positive, an accepted risk, or a true positive, and why.

Every triage comment your team leaves on a finding becomes training signal.
Over time, Hacktron Review builds up a picture of your specific attack surface and threat model,
so reviews get sharper: fewer false positives and more of the bugs that actually matter to your app.

<Tabs>
  <Tab title="GitHub or GitLab">
    You can reply directly to the finding comment in GitHub or GitLab with one of
    these commands, where `<reason>` is a short justification that is recorded with the triage:

    * `!fp <reason>` to mark the finding as a false positive
    * `!accepted_risk <reason>` to mark the finding as an accepted risk
    * `!valid <reason>` to mark the finding as a true positive

    <img src="https://mintcdn.com/hacktronai-changelog-e1a164be/dpUdS1BJ16uy6tXP/images/triage_feedback.png?fit=max&auto=format&n=dpUdS1BJ16uy6tXP&q=85&s=5d50261565eeecbb89460dcd1a0f274a" alt="Triage comments" width="2051" height="1169" data-path="images/triage_feedback.png" />
  </Tab>

  <Tab title="Web Platform">
    From the finding page in the web platform, you can adjust finding severities and
    states: Open, True Positive, False Positive, Accepted Risk, or Resolved.

    When you adjust the severity or state, you can add a reason for the change.
    This will be recorded and used to improve future reviews.

    <video autoPlay muted loop playsInline className="w-full aspect-video" src="https://mintcdn.com/hacktronai-changelog-e1a164be/dpUdS1BJ16uy6tXP/images/triage_comment.mp4?fit=max&auto=format&n=dpUdS1BJ16uy6tXP&q=85&s=650d379d159a090198d43563e84b6387" data-path="images/triage_comment.mp4" />
  </Tab>

  <Tab title="Slack">
    When Hacktron's Slack app posts a finding in your configured channel,
    you can mark the finding as valid, or leave a triage comment that marks it
    as a false positive or an accepted risk.

    Open the finding card and click **Mark Valid** or **Triage Comment**.

    <img src="https://mintcdn.com/hacktronai-changelog-e1a164be/dpUdS1BJ16uy6tXP/images/slack_comment.png?fit=max&auto=format&n=dpUdS1BJ16uy6tXP&q=85&s=5d59ca2cb9e76f75272147044ec1c065" alt="Triage comments in Slack" width="1570" height="1190" data-path="images/slack_comment.png" />
  </Tab>
</Tabs>

## Duplicate findings

When a new finding is posted, Hacktron checks whether it duplicates a finding that was posted before.
For example, if a pull request containing a vulnerability is merged and the same vulnerability is reported
again on a subsequent pull request, Hacktron may automatically link the new finding to the original as a duplicate.

<img src="https://mintcdn.com/hacktronai-changelog-e1a164be/dpUdS1BJ16uy6tXP/images/duplicate.png?fit=max&auto=format&n=dpUdS1BJ16uy6tXP&q=85&s=fff85f06112d09e90239e4a6f8b5c80d" alt="Duplicate finding" width="1399" height="288" data-path="images/duplicate.png" />

<Tip>
  You can also manually mark a finding as a duplicate of another finding by
  clicking the **Mark as duplicate** button on the finding page.

  You will be asked to select the **canonical (original) finding**; it must be in the same repository as the new finding.

  <img src="https://mintcdn.com/hacktronai-changelog-e1a164be/dpUdS1BJ16uy6tXP/images/mark_as_dupe.png?fit=max&auto=format&n=dpUdS1BJ16uy6tXP&q=85&s=879627a8e607c58510f6c985c31c101f" alt="Mark as duplicate" width="726" height="382" data-path="images/mark_as_dupe.png" />
</Tip>

## Checks update on triage

If a [fail-on gate](/code-review/config#fail-the-check-on-findings) is configured, triaging a finding updates the GitHub check (or GitLab commit status) right away.

For example, if the fail-on gate is configured to fail on high severity findings, triaging a high severity finding as a false positive
or accepted risk will update the GitHub check (or GitLab commit status) to pass. Reopening the finding will cause the check to fail again.
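The following Python model ties together the triage commands from the "Triage comments" section and the gate behaviour described just above. It is an added illustration written for this page, not Hacktron's own parser or gate code: the command syntax (`!fp`, `!accepted_risk`, `!valid <reason>`), the state names, and the pass/fail behaviour are taken from the text, while the `Finding` record, the function names, the severity ranking, and the sample findings are assumptions made for the example.

```python
"""Model of the triage-comment convention and a fail-on gate.

Illustrative only: the command syntax, state names and pass/fail behaviour
follow the documentation; the Finding record, severity ranking and sample
data are assumptions for this example, not Hacktron's implementation.
"""
from dataclasses import dataclass, field
import re

# Assumed severity ordering; "fail on high" means high and above.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Triage command -> resulting finding state, per the documented commands.
TRIAGE_COMMANDS = {
    "fp": "False Positive",
    "accepted_risk": "Accepted Risk",
    "valid": "True Positive",
}

# States that still count against the gate. FP, Accepted Risk and Resolved
# no longer block the check; reopening puts a finding back into "Open".
GATING_STATES = {"Open", "True Positive"}

# A triage command must start the comment; "I think !fp is wrong" is not one.
_CMD_RE = re.compile(r"^\s*!(fp|accepted_risk|valid)\b\s*(.*)$",
                     re.IGNORECASE | re.DOTALL)


def parse_triage_comment(body: str):
    """Return (new_state, reason) for a triage command, or None otherwise."""
    m = _CMD_RE.match(body)
    if not m:
        return None
    return TRIAGE_COMMANDS[m.group(1).lower()], m.group(2).strip()


@dataclass
class Finding:
    id: str
    severity: str
    state: str = "Open"
    history: list = field(default_factory=list)  # (old_state, new_state, reason)

    def triage(self, comment_body: str) -> bool:
        """Apply a triage comment; returns False if it was an ordinary comment."""
        parsed = parse_triage_comment(comment_body)
        if parsed is None:
            return False
        new_state, reason = parsed
        self.history.append((self.state, new_state, reason))
        self.state = new_state
        return True

    def reopen(self, reason: str = "") -> None:
        self.history.append((self.state, "Open", reason))
        self.state = "Open"


def check_conclusion(findings, fail_on: str) -> str:
    """Outcome of the GitHub check / GitLab commit status for a fail-on gate.

    The check fails only while some finding at or above `fail_on` is still in
    a gating state, so triaging it as FP or accepted risk flips it to success.
    """
    threshold = SEVERITY_RANK[fail_on.lower()]
    blocking = [f for f in findings
                if f.state in GATING_STATES
                and SEVERITY_RANK[f.severity.lower()] >= threshold]
    return "failure" if blocking else "success"


def walkthrough():
    """Replay the sequence in the text; returns the check conclusions seen."""
    findings = [
        Finding("F-1", "high"),    # constructed sample: blocks a "high" gate
        Finding("F-2", "medium"),  # constructed sample: below the gate
    ]
    seen = [check_conclusion(findings, "high")]
    findings[0].triage("!fp Input is validated by the schema in handler.py")
    seen.append(check_conclusion(findings, "high"))
    findings[0].reopen("validation bypassed via nested object")
    seen.append(check_conclusion(findings, "high"))
    return seen  # ["failure", "success", "failure"]


if __name__ == "__main__":
    print(walkthrough())
```

The parser only accepts a command at the start of the comment, so a reviewer discussing a command in prose does not accidentally retriage the finding; the reason text is kept with the state change, which is the part that feeds later reviews.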

## Feedback loop

Triage feedback helps Hacktron adapt to your codebase. Comments and project rules
give Hacktron signal about what is urgent, trusted, irrelevant, or intentionally ignored for a specific repository.

When a later commit fixes a finding, Hacktron can recognize the remediation and close stale alerts automatically.

<video autoPlay muted loop playsInline className="w-full aspect-video" src="https://mintcdn.com/hacktronai-changelog-e1a164be/dpUdS1BJ16uy6tXP/images/auto_resolve.mp4?fit=max&auto=format&n=dpUdS1BJ16uy6tXP&q=85&s=45be1981f98ebde4fbdaf13de236a00b" data-path="images/auto_resolve.mp4" />

## Related setup

<Columns cols={2}>
  <Card title="Project rules" icon="file-text" href="/code-review/rules">
    Add `.hacktron/rules.md` to provide repository-specific review context.
  </Card>

  <Card title="Project Management Apps" icon="square-kanban" href="/platform/project-management">
    Send approved findings to Jira or Linear.
  </Card>
</Columns>
