Skip the noise: filter scans by author or label
Author and label filters: You can now control exactly which pull and merge requests Hacktron scans. Addskip.authors, include.authors, or include.labels to your .hacktron/config.yaml to exclude bot accounts, restrict scanning to specific team members, or gate scans on a trigger label. Skip rules always win over include rules, so exclusions are guaranteed.Fixed and resolved triage commands: Two new commands let you close out findings directly from a PR comment: !fixed marks a finding as fixed in the current change, and !resolved marks it resolved. Both join the existing !fp and !accepted_risk commands in the triage workflow.Severity gate evaluates all scans: The fail_on severity threshold now checks findings across every scan tied to a PR or MR, not just the most recent one. Re-scans that only diff changed files no longer clear a threshold that an earlier scan tripped.Dollar signs in findings render correctly: Finding descriptions containing $ no longer get misread as math notation and render as-is.Configure scan filters →A new Context page for your repositories, applications, and threat models
Context page: A dedicated Context page now gathers what Hacktron knows about your code, split across Repositories and Applications tabs. Cards are sorted by most recent threat-model update and show a badge for each model’s status; clicking one opens its threat model.Applications: Group related repositories into an application, and Hacktron synthesizes an application-level threat model by merging the threat models of its member repos. You can scan an application as a single target so findings are grounded in the combined model, and any context documents you upload to the application are folded into it.Threat models: Repository and application threat models now open in an inline reading view with a file tree and outline, and you can edit them with your changes preserved across regenerations.Redacted findings on public PRs: For public repositories, the PR review comment no longer includes full titles, descriptions, proof-of-concept code, or file locations for findings outside the changed lines. You see a count and a link back to Hacktron, so sensitive details stay out of the public thread. Private and internal repos are unchanged, and inline comments on the diff itself are unaffected.Org-level fail-on severity default: Organization admins can now set a default severity threshold for PR/MR checks in settings. Individual repo configs still take precedence when set.Enterprise SSO sign-in: A dedicated single sign-on page and a “Single sign-on (SSO)” button on the login screen let users authenticate via your organization’s SAML or OIDC identity provider. Invite tokens survive the IdP round-trip, so onboarding links still work.Duplicate marking in the MCP tool: Theupdate_finding MCP tool now accepts a duplicate_of field so you can mark or unmark duplicates programmatically.Explore the Context page → · Group repositories into an application → · Learn how threat models work → · Set a fail-on severity threshold → · Read the API reference →Dismiss a finding and your PR check clears instantly
PR and MR checks update on triage: When you mark a finding as a false positive or accepted risk, the GitHub check or GitLab commit status flips back to passing right away, with no manual re-run needed. If you later reopen the finding, the check fails again to match.Close findings as duplicates: You can now mark a finding as a duplicate of another finding in the same repository, and unmark it if needed. A duplicated finding inherits its canonical finding’s severity when the PR gate counts blocking issues.Scan volume chart: The dashboard’s scan volume widget now shows a stacked bar chart instead of a line graph, with a tooltip on each bar showing the Code Review and Whitebox scan counts for that day.Upload scans named after the archive: When you start a Whitebox scan from an uploaded archive, the scan now takes the archive’s filename as its name instead of a generic label.Legal agreement before trial or billing: You now review and accept the terms of service before starting a free trial or adding a payment method.Set up GitHub or GitLab →Control your scans and account security like never before
Multi-factor authentication controls: Secure your account with MFA requirements and additional verification steps. Admins can enforce MFA across their organization.API access through MCP protocol: Connect external tools and scripts to Hacktron’s finding-triage toolset through a new remote MCP server endpoint with OAuth and API key authentication.Skip scans with repository configuration: Use.hacktron/config.yaml to skip pull request scans based on file patterns, keywords in titles, or labels.Secure your account with MFA → · See MCP integration → · Configure repository scanning →GitLab now works just like GitHub
Automatic merge-request scanning: Connect a GitLab project and merge-request scans turn on by themselves, exactly as they do for GitHub. Turn them off per project whenever you want.GitLab in signup and trials: Connect GitLab during signup or a trial and it follows the same guided setup as GitHub, start to finish.Set up GitLab →Go from a Slack alert to a fix in one click
Fix with AI in Slack: Finding alerts in Slack now carry a “Fix with AI” button that deep-links the issue straight into Cursor or Claude. See the alert, open your editor, fix it.No-card free trials: Start a free trial without a credit card. You enter payment details only when you decide to subscribe.Findings close themselves on abandoned PRs: Close a pull or merge request without merging and its findings move to a new “Closed” state. Reopen the PR and they come back, and anything you already triaged stays put.Up-front unsupported-language notices: Cost estimation now tells you when a repository is mostly in a language Hacktron cannot scan yet, instead of failing with no explanation.Clearer GitLab connection setup: The Connect GitLab dialog walks you through GitLab’s group Service Accounts step by step and adds a GitLab.com / Self-hosted toggle that matches the GitHub Enterprise setup.Connect Slack → · Start a free trial →Scan self-hosted GitHub Enterprise Server
GitHub Enterprise Server: Point Hacktron at self-hosted GitHub Enterprise Server for white-box scans and PR reviews, and run several Enterprise hosts next to github.com at the same time.GitLab MR feedback matches GitHub: Merge-request comments now carry severity badges, collapsible proof-of-concept, trace diagrams, and a “Fix with AI” block. Trigger a review with@hacktronai review, and triage shows up the
same across the web app, Slack, and the MR thread.Scan an exact tag or commit: Target a specific tag or commit when you pick
a repository for a Whitebox scan, not just a branch.Richer Jira ticketing: Search large Jira projects and assignee lists while
filing a ticket, and issues you create from a finding link back to it.Set up GitHub Enterprise Server → · See how reviews work → · Set up Jira →PR comments that fix the bug for you
Sharper GitHub PR comments: Pull-request comments now use crisp severity badges instead of emoji, with a “Fix with AI” prompt that reproduces the issue, fixes the root cause, and adds a regression test.See how PR reviews work →Share Code Review limits across your whole org
Org-pooled limits, annual seats, and a Usage page: Code Review limits are now pooled across your whole organization instead of capped per seat, you can buy developer seats on an annual prepaid plan, and a new owner-only Usage page shows usage and any overage for the period.Redesigned sidebar navigation: Cleaner, collapsible sections that remember what you left open, with account actions moved into the sidebar header.On-demand PR reviews: Comment@hacktron review on a pull request to
review it on the spot, even on drafts or external-contributor PRs.Request GitHub access without being an admin: If you do not own the GitHub
organization, clicking Connect sends an installation request to your admin and
marks it pending. The integration appears the moment they approve.Smoother Jira setup: A cleaner Jira configuration and per-ticket dialog,
with sensible defaults already on for new installs.Slack Connect onboarding: Sign up with a work email and set up
notifications right away through a Slack Connect step.See billing and plans → · Set up Code Review →