> ## Documentation Index
> Fetch the complete documentation index at: https://hacktronai-changelog-5b138732.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Findings and feedback

> Understand where Hacktron posts Code Review findings and how feedback improves future reviews.

Hacktron posts Code Review findings where developers already work.

## Inline findings

Findings are posted inline on GitHub PRs and GitLab MRs when a vulnerability is detected in the code change.

<video autoPlay muted loop playsInline className="w-full aspect-video" src="https://mintcdn.com/hacktronai-changelog-5b138732/APr1kOfXqBiNxIGw/images/github_findings.mp4?fit=max&auto=format&n=APr1kOfXqBiNxIGw&q=85&s=0dd4a1dd75c8a7220f795c9e63466434" data-path="images/github_findings.mp4" />

<Tip>
  <p>
    Sometimes, a finding may involve code that is not directly within the diff.
    This can happen when Hacktron detects a vulnerability in e.g. a function
    that is called by code in the diff.
  </p>

  <p>
    In this case, Hacktron may report the finding in the file affected (if it is
    changed as part of the PR/MR) or in an expandable **"Findings outside
    diff"** section.
  </p>
</Tip>

## Public repositories

When a repository is **public**, Hacktron keeps sensitive outside-diff finding details out of the public pull request thread.

Inline findings on the diff itself are still visible.

<img src="https://mintcdn.com/hacktronai-changelog-5b138732/APr1kOfXqBiNxIGw/images/inline_finding.png?fit=max&auto=format&n=APr1kOfXqBiNxIGw&q=85&s=819656aebd2c0e1e31a49143112aaa8d" alt="Inline findings" width="1654" height="1224" data-path="images/inline_finding.png" />

## Triage comments

You can leave triage comments on findings to help improve future reviews. This helps Hacktron understand
whether something is a false positive, accepted risk, or a true positive finding.

Every triage comment your team leaves on a finding becomes training signal.
Over time, Hacktron Review builds a deep understanding of your specific attack surface and threat model,
so reviews get sharper, with fewer false positives and more of the bugs that actually matter to your app.

<Tabs>
  <Tab title="GitHub or GitLab">
    You can comment directly on the finding in GitHub or GitLab with:

    * `!fp <reason>` to mark the finding as a false positive
    * `!accepted_risk <reason>` to mark the finding as an accepted risk
    * `!valid <reason>` to mark the finding as a true positive

    <img src="https://mintcdn.com/hacktronai-changelog-5b138732/APr1kOfXqBiNxIGw/images/triage_feedback.png?fit=max&auto=format&n=APr1kOfXqBiNxIGw&q=85&s=82eb188445cf7727be1ac8c83d0c7ce7" alt="Triage comments" width="2051" height="1169" data-path="images/triage_feedback.png" />
  </Tab>

  <Tab title="Web Platform">
    From the finding page in the web platform, you can adjust finding severities and
    states: Open, True Positive, False Positive, Accepted Risk, or Resolved.

    When you adjust the severity or state, you can add a reason for the change.
    This will be recorded and used to improve future reviews.

    <video autoPlay muted loop playsInline className="w-full aspect-video" src="https://mintcdn.com/hacktronai-changelog-5b138732/APr1kOfXqBiNxIGw/images/triage_comment.mp4?fit=max&auto=format&n=APr1kOfXqBiNxIGw&q=85&s=d0180c09f781a8ad9234f4645c7b6882" data-path="images/triage_comment.mp4" />
  </Tab>

  <Tab title="Slack">
    When Hacktron's Slack app sends a finding in your configured channel,
    you can leave a triage comment and mark the finding as a false positive or accepted risk,
    or mark the finding as valid.

    Open the finding card and click on **Mark Valid** or **Triage Comment**.

    <img src="https://mintcdn.com/hacktronai-changelog-5b138732/APr1kOfXqBiNxIGw/images/slack_comment.png?fit=max&auto=format&n=APr1kOfXqBiNxIGw&q=85&s=2064ae37a4c702a276d9f01ae814258e" alt="Triage comments in Slack" width="1570" height="1190" data-path="images/slack_comment.png" />
  </Tab>
</Tabs>

## Duplicate findings

When a new finding is posted, Hacktron checks if it is a duplicate of a previously posted finding.
For example, if a pull request is merged containing a vulnerability, Hacktron may automatically deduplicate a new finding
from a subsequent pull request.

<img src="https://mintcdn.com/hacktronai-changelog-5b138732/APr1kOfXqBiNxIGw/images/duplicate.png?fit=max&auto=format&n=APr1kOfXqBiNxIGw&q=85&s=31f6a881147fef2039019c85c4dd3cdc" alt="Duplicate finding" width="1399" height="288" data-path="images/duplicate.png" />

<Tip>
  You can also manually mark a finding as a duplicate of another finding by
  clicking on the **Mark as duplicate** button in the finding page.

  You would need to select a **canonical (original) finding** in the same repository as the new finding.

  <img src="https://mintcdn.com/hacktronai-changelog-5b138732/APr1kOfXqBiNxIGw/images/mark_as_dupe.png?fit=max&auto=format&n=APr1kOfXqBiNxIGw&q=85&s=00f64a1f004d9b2079a3f2a48e5e558e" alt="Mark as duplicate" width="726" height="382" data-path="images/mark_as_dupe.png" />
</Tip>

## Checks update on triage

If a [fail-on gate](/code-review/config#fail-the-check-on-findings) is configured, triaging a finding updates the GitHub check (or GitLab commit status) right away.

For example, if the fail-on gate is configured to fail on high severity findings, triaging a high severity finding as a false positive
or accepted risk will update the GitHub check (or GitLab commit status) to pass. Reopening the finding will cause the check to fail again.

## Feedback loop

Triage feedback helps Hacktron adapt to your codebase. Comments and project rules
give Hacktron signal about what is urgent, trusted, irrelevant, or intentionally ignored for a specific repository.

When a later commit fixes a finding, Hacktron can recognize the remediation and close stale alerts automatically.

<video autoPlay muted loop playsInline className="w-full aspect-video" src="https://mintcdn.com/hacktronai-changelog-5b138732/APr1kOfXqBiNxIGw/images/auto_resolve.mp4?fit=max&auto=format&n=APr1kOfXqBiNxIGw&q=85&s=92f521de609934ece93deb086e1604a1" data-path="images/auto_resolve.mp4" />

## Related setup

<Columns cols={2}>
  <Card title="Project rules" icon="file-text" href="/code-review/rules">
    Add `.hacktron/rules.md` to provide repository-specific review context.
  </Card>

  <Card title="Project Management Apps" icon="square-kanban" href="/platform/project-management">
    Send approved findings to Jira or Linear.
  </Card>
</Columns>
