diff --git a/code-review/config.mdx b/code-review/config.mdx
index 26298be..044ca8b 100644
--- a/code-review/config.mdx
+++ b/code-review/config.mdx
@@ -1,12 +1,13 @@
---
title: "Repository configuration"
-description: "Use .hacktron/config.yaml to control which pull and merge requests Hacktron scans, and when a finding should fail the check."
+description: "Use .hacktron/config.yaml to control which pull and merge requests Hacktron scans, when a finding should fail the check, and whether findings are remediated automatically."
---
Add a `.hacktron/config.yaml` file to your repository to control Hacktron's Code Review behavior:
- **Skip** specific pull and merge requests so they aren't scanned.
- **Fail** the Hacktron check when a finding meets a severity threshold, so risky changes can't merge.
+- **Auto-remediate** findings at or above a severity, so qualifying findings get an AI-generated fix PR automatically.
This is separate from [`.hacktron/rules.md`](/code-review/rules), which shapes the *quality* of a review. `config.yaml` controls *whether* a PR is scanned and *whether* its check passes.
@@ -51,9 +52,14 @@ skip:
# Fail the Hacktron check when a finding is at or above this severity.
fail_on:
severity: high
+
+# Automatically remediate findings at or above this severity.
+remediation:
+ auto: true
+ severity: high
```
-Every key is optional. An empty or absent `config.yaml` means Hacktron behaves as it does today: it scans all covered PRs and the check stays green unless the scan itself errors.
+Every key is optional. An empty or absent `config.yaml` means Hacktron scans all covered PRs and the check stays green unless the scan itself errors. It does **not** turn off auto-remediation, though: a repository without a `remediation` block follows your organization's enabled [automations](/platform/automations/overview), which can start credit-consuming remediation runs for its findings. To opt a repository out, set [`remediation.auto: false`](#auto-remediate-findings) instead of omitting the block.
## Skip scans
@@ -139,11 +145,34 @@ You can set the threshold org-wide from the settings page, or per repository in
+## Auto-remediate findings
+
+Add a `remediation` block to have Hacktron [remediate](/platform/automations/remediation) qualifying findings in this repository automatically. When a finding at or above the configured severity is reported, Hacktron starts a remediation run: an agent writes a fix and opens a pull or merge request with it.
+
+```yaml
+remediation:
+ auto: true # turn auto-remediation on for this repository
+ severity: high # remediate findings at or above this severity
+```
+
+- `auto` turns auto-remediation on (`true`) or off (`false`) for the repository.
+- `severity` is **inclusive** and uses the same levels as `fail_on.severity`: `critical` › `high` › `medium` › `low` › `info`. When omitted, it defaults to `critical`.
+
+Each auto-triggered run consumes [automation credits](/platform/automations/credits), so pick a threshold that matches how much you want remediated automatically. Each finding is remediated at most once.
+
+
+ A repository with a `remediation` block follows that block **exclusively**:
+ `auto: false` also turns off any organization
+ [automations](/platform/automations/overview) for this repository.
+ Repositories without a `remediation` block follow the organization's enabled
+ automations instead.
+
+
## How invalid config is handled
Hacktron is **fail-open** about configuration — a config problem never silently blocks your development:
-- A missing, empty, or malformed `config.yaml` is ignored. Hacktron scans normally and the check stays green.
+- A missing, empty, or malformed `config.yaml` is ignored. Hacktron scans normally and the check stays green. Because an ignored config has no `remediation` block, the repository follows your organization's enabled [automations](/platform/automations/overview).
- Unknown keys are ignored, so a config can carry settings for future features without breaking today's scans.
- A type mismatch on a known key (for example `fail_on.severity: 7`) causes the **whole file** to be ignored. Keep values in the shapes shown above.
@@ -156,4 +185,10 @@ Hacktron is **fail-open** about configuration — a config problem never silentl
Connect a Git provider, enable repositories, and choose covered branches.
+
+ How a remediation run works and where the fix PR lands.
+
+
+ Auto-remediate findings org-wide with notifications and run history.
+
diff --git a/code-review/findings-feedback.mdx b/code-review/findings-feedback.mdx
index 992bc3e..134a1d7 100644
--- a/code-review/findings-feedback.mdx
+++ b/code-review/findings-feedback.mdx
@@ -119,6 +119,12 @@ If a [fail-on gate](/code-review/config#fail-the-check-on-findings) is configure
For example, if the fail-on gate is configured to fail on high severity findings, triaging a high severity finding as a false positive
or accepted risk will update the GitHub check (or GitLab commit status) to pass. Reopening the finding will cause the check to fail again.
+## Remediate a finding
+
+Hacktron can also fix a finding for you. Select **Remediate** on a finding in the web platform and a Hacktron agent writes a fix and opens a pull or merge request with it. You can also remediate qualifying findings automatically with [automations](/platform/automations/overview) or [repository configuration](/code-review/config#auto-remediate-findings).
+
+See [Remediation](/platform/automations/remediation) for how runs work, where the fix lands, and billing.
+
## Feedback loop
Triage feedback helps Hacktron adapt to your codebase. Comments and project rules
diff --git a/docs.json b/docs.json
index 102437a..00c176a 100644
--- a/docs.json
+++ b/docs.json
@@ -69,6 +69,14 @@
"platform/context/threat-models"
]
},
+ {
+ "group": "Automations",
+ "pages": [
+ "platform/automations/overview",
+ "platform/automations/remediation",
+ "platform/automations/credits"
+ ]
+ },
{
"group": "Account",
"pages": [
diff --git a/images/autofix-1.png b/images/autofix-1.png
new file mode 100644
index 0000000..e9926f5
Binary files /dev/null and b/images/autofix-1.png differ
diff --git a/images/autofix-2.png b/images/autofix-2.png
new file mode 100644
index 0000000..6823077
Binary files /dev/null and b/images/autofix-2.png differ
diff --git a/images/autofix-3.png b/images/autofix-3.png
new file mode 100644
index 0000000..508087d
Binary files /dev/null and b/images/autofix-3.png differ
diff --git a/images/image.png b/images/image.png
new file mode 100644
index 0000000..0a59fc9
Binary files /dev/null and b/images/image.png differ
diff --git a/images/remediation-1.png b/images/remediation-1.png
new file mode 100644
index 0000000..b1d2ce4
Binary files /dev/null and b/images/remediation-1.png differ
diff --git a/images/remediation-2.png b/images/remediation-2.png
new file mode 100644
index 0000000..8a96d08
Binary files /dev/null and b/images/remediation-2.png differ
diff --git a/images/remediation-pr.png b/images/remediation-pr.png
new file mode 100644
index 0000000..00afaa3
Binary files /dev/null and b/images/remediation-pr.png differ
diff --git a/platform/account-settings.mdx b/platform/account-settings.mdx
index 08787d2..87d283c 100644
--- a/platform/account-settings.mdx
+++ b/platform/account-settings.mdx
@@ -3,8 +3,7 @@ title: "Account settings"
description: "Manage your Hacktron profile and personal account security."
---
-Use **Account settings** to manage your personal profile and your own Hacktron
-account security. Open it from the account menu in the sidebar header.
+Use **Account settings** to manage your personal profile and your own Hacktron account security. Open it from the account menu in the sidebar header.
## Profile
@@ -16,9 +15,7 @@ Your profile controls how you appear to the rest of your organization.
## Multi-factor authentication (MFA)
-Multi-factor authentication adds a second verification step to sign-in, so a
-password alone is not enough to access your account. We strongly recommend
-enabling MFA on every account.
+Multi-factor authentication adds a second verification step to sign-in, so a password alone is not enough to access your account. We strongly recommend enabling MFA on every account.
### Enable MFA
@@ -26,43 +23,31 @@ enabling MFA on every account.
Open the account menu in the sidebar header and select **Account settings**.
-
-
+ 
Select **Enable MFA**. Hacktron shows a QR code for your authenticator app.
- Scan the QR code with an authenticator app such as 1Password, Google
- Authenticator, or Authy. If you cannot scan it, enter the setup key manually.
+ Scan the QR code with an authenticator app such as 1Password, Google Authenticator, or Authy. If you cannot scan it, enter the setup key manually.
- Enter the 6-digit code from your authenticator app to confirm setup. After it
- is verified, MFA is required the next time you sign in.
+ Enter the 6-digit code from your authenticator app to confirm setup. After it is verified, MFA is required the next time you sign in.
-
- Organization-wide security controls are managed separately from personal
- account settings.
+
+ Organization-wide security controls are managed separately from personal account settings.
### Save your backup codes
-When you enable MFA, Hacktron generates one-time backup codes. Store them in a
-safe place such as a password manager.
+When you enable MFA, Hacktron generates one-time backup codes. Store them in a safe place such as a password manager.
- Backup codes are the only way to sign in if you lose access to your
- authenticator app. Save them somewhere secure and do not share them.
+ Backup codes are the only way to sign in if you lose access to your authenticator app. Save them somewhere secure and do not share them.
### Disable or reset MFA
-You can turn MFA off or re-run setup from **Account settings**. Disabling MFA
-weakens your account security, so only do this if you are switching to a new
-device or authenticator app.
+You can turn MFA off or re-run setup from **Account settings**. Disabling MFA weakens your account security, so only do this if you are switching to a new device or authenticator app.
\ No newline at end of file
diff --git a/platform/automations/credits.mdx b/platform/automations/credits.mdx
new file mode 100644
index 0000000..51d34c5
--- /dev/null
+++ b/platform/automations/credits.mdx
@@ -0,0 +1,74 @@
+---
+title: "Automation credits"
+description: "Understand how you buy automation credit, how each run deducts them, and how auto top-up keeps your balance stocked."
+---
+
+[Automations](/platform/automations/overview) run on shared organization automation credits. Every [remediation](/platform/automations/remediation) run, whether triggered manually from a finding or by an automation, deducts credits based on what the run costs when it completes.
+
+Automation credits are organization-wide. They are separate from Code Review seats and your Whitebox Scan credits.
+
+## How credits work
+
+
+
+
+ All organizations with an active [Code Review](/code-review/overview)
+ subscription start with $50 in automation credits.
+
+ Buy credits from **Billing**, or turn on auto top-up to keep the balance above
+ a threshold you set.
+
+
+ A remediation run only starts while the organization has credits. When the
+ balance runs out, new runs don't start and the Billing page shows that
+ automations are paused.
+
+
+ Each run's cost is deducted from the balance once, when the run completes.
+ Costs vary with the size of the run.
+
+
+
+## Buy credits
+
+Organization **Owners** can buy automation credits from **Billing**. A saved payment method is required; if the organization has none, add one first.
+
+
+
+ Go to **Billing** in the Hacktron dashboard and find your automation credit
+ balance.
+
+
+ Select **Buy credits**, enter the credit amount, and review the price shown.
+
+
+ Complete any required card authentication (such as 3D Secure). The purchased
+ credits are added to the organization balance after the charge succeeds.
+
+
+
+The Billing page shows the credit balance and recent activity: purchases, run deductions, and grants.
+
+## Auto top-up
+
+Auto top-up buys credits automatically when the balance drops below a threshold, so yourautomations keep running without manual purchases.
+
+Set it up on the Billing page under your automation credit balance:
+
+- **Trigger**: the balance that starts a top-up.
+- **Target**: the balance the top-up buys back up to. Your target must be above the trigger.
+- **Monthly limit**: an optional cap on how many credits auto top-up may buy per month.
+
+Auto top-up requires a saved payment method and charges the card on file without an interactive checkout. If a top-up charge fails, your automations stay paused until the balance is topped up manually or the card issue is resolved.
+
+## Related docs
+
+
+
+ Trigger an AI-generated fix for a finding.
+
+
+
+ Auto-remediate qualifying findings and notify your team.
+
+
diff --git a/platform/automations/overview.mdx b/platform/automations/overview.mdx
new file mode 100644
index 0000000..409cc1b
--- /dev/null
+++ b/platform/automations/overview.mdx
@@ -0,0 +1,91 @@
+---
+title: "Automations"
+description: "Act on findings automatically. Set the rules for which findings qualify, and Hacktron fixes them the moment they're reported, then alerts your team. "
+---
+
+Automations act on findings for you. Configure which findings qualify, and when a matching finding is reported, Hacktron fires the automation: its **actions** run against the finding, and its **notifiers** alert your team over Slack or email.
+
+
+ **Autofix** is the first available action — it starts a [remediation](/platform/automations/remediation) run that fixes the finding — and we'll expand automations with more actions over time.
+
+
+Automations live under **Automations** in the dashboard sidebar. Organization **Admins** create and manage automations; other members can view them.
+
+## Create an automation
+
+
+
+ On the **Automations** page, select **New automation** and give it a name.
+
+ 
+
+
+ Choose the repositories and [applications](/platform/context/applications) the automation covers. You can limit each entry to specific branches (up to two) or leave the branch selection empty to cover all branches.
+
+ 
+
+
+ On the **Settings** tab, set:
+
+ - **Triggers**: when the automation runs, for example a PR scan finding, it's narrowed by the rules you set, the severity levels that qualify, and scope rules that limit it to specific repositories or applications.
+ - **Actions**: what the automation does. **Autofix** starts a [remediation](/platform/automations/remediation) run for the matching finding.
+ - **Notifiers**: who hears about a run, whether it's a Slack channel, email recipients from your organization's members, or both.
+
+ 
+
+
+ Select **Save**. An automation needs at least one environment, one trigger, and one action to run. Incomplete automations show an **Incomplete** badge and cannot be enabled. A save that removes required configuration disables the automation until it is complete again.
+
+
+
+## When an automation fires
+
+When a new finding is reported, an enabled automation fires if the finding matches its trigger, severity rules, scope rules, and one of its environments (including any branch limits). Firing runs the automation's actions — an **Autofix** action starts a remediation run, which uses [automation credits](/platform/automations/credits) — and sends your notifications.
+
+Each finding is fixed at most once, a finding that already has a remediation run won't fire automations again.
+
+
+ A repository with a `remediation` block in its [`.hacktron/config.yaml`](/code-review/config#auto-remediate-findings) follows that block exclusively, including `auto: false`, which turns auto-remediation off for that repository. Organization automations apply only to repositories without a `remediation` block.
+
+
+### Notifications
+
+- **Slack**: Hacktron posts a message to your channel linking the finding. The Hacktron bot joins public channels automatically; for a private channel, invite the bot to the channel first.
+- **Email**: Hacktron emails the recipients you choose from your organization's members.
+
+Notifications are best-effort, if one fails to send, it never blocks the remediation run itself.
+
+## Run history
+
+The **Run history** tab lists every run your automation has fired, with its status, the environment it matched, and the credits it used. Runs matched through an application are attributed to that application.
+
+Run statuses mirror [remediation outcomes](/platform/automations/remediation#outcomes): **Running**, **Success**, **No fix needed**, **False positive**, and **Failed**. You can filter the history by status and search it.
+
+
+
+
+## Related docs
+
+
+
+ How a remediation run works and where the fix lands.
+
+
+
+ How runs are billed and how to keep a balance with auto top-up.
+
+
\ No newline at end of file
diff --git a/platform/automations/remediation.mdx b/platform/automations/remediation.mdx
new file mode 100644
index 0000000..309546b
--- /dev/null
+++ b/platform/automations/remediation.mdx
@@ -0,0 +1,80 @@
+---
+title: "Remediation"
+description: "Trigger an AI-generated fix for a finding and receive it as a ready-to-review pull request."
+---
+
+Remediation is a part of [Automations](/platform/automations/overview) that fixes findings instead of just reporting them. A Hacktron agent analyzes the vulnerability, writes a fix, and opens a pull or merge request with the change. You review and merge it like any other PR.
+
+
+ When a remediation runs, Hacktron does the following:
+
+ 1. **Verifies that the finding is real.** Tests whether the reported issue is actually exploitable in this code. If the finding is wrong (e.g. the code is unreachable), Hacktron reports it as a false positive. We will never attempt to fix already sound code.
+ 2. **Implements the fix.** Makes the minimal correct fix that addresses the root cause of the vulnerability.
+ 3. **Tests the fix.** Runs the existing test suite for the repository, if any. Adds relevant regression tests & makes sure the fix correctly addresses the issue while avoiding breaking anything else.
+
+
+
+Remediation runs use [automation credits](/platform/automations/credits). You can start a run yourself from a finding, let it happen automatically through an [automation](/platform/automations/overview)'s Autofix action or your [repository configuration](/code-review/config#auto-remediate-findings).
+
+## Remediate a finding
+
+
+
+ Open the finding in the Hacktron dashboard, either in the finding detail panel or on the full finding page.
+
+
+ Select **Remediate**. Hacktron starts a remediation run for the finding.
+
+ 
+
+
+
+ When the agent produces a fix, Hacktron commits it to a dedicated fix branch and opens a pull or merge request in the finding's repository. Review and merge it as usual.
+
+ 
+
+
+
+
+Triggering remediation requires the **Member** role or above. Only one run happens per finding, if you select Remediate again while a run is active, Hacktron returns the existing run instad of starting a second one.
+
+
+ To push fix branches, Hacktron's GitHub App needs the **Contents: Read and
+ write** permission. If your installation predates remediation, GitHub asks an
+ organization admin to approve the updated permission before fixes can be
+ pushed.
+
+
+## Where the fix lands
+
+Hacktron picks the target branch for the fix automatically:
+
+- **Finding from an open PR or MR**: if the source pull or merge request is still open and its branch lives in the same repository, the fix is opened against that PR's branch, so the fix becomes part of the change that introduced the issue.
+- **Everything else**: for merged or closed source PRs, branches from forks, and findings from whitebox scans, the fix is opened against the repository's default branch.
+
+If the source PR merges while the agent is still working, the fix is re-targeted to the default branch.
+
+## Outcomes
+
+A remediation run ends in one of four states:
+
+| Outcome | Meaning |
+| ------------------ | --------------------------------------------------------------------- |
+| **Success** | A fix was generated and a pull or merge request was opened. |
+| **No fix needed** | The agent completed the run and concluded no code change is required. |
+| **False positive** | The agent concluded the finding is not a real issue. |
+| **Failed** | The run could not complete; the failure reason is recorded. |
+
+Runs triggered by an automation appear in that automation's [run history](/platform/automations/overview#run-history), including the credits each run consumed.
+
+## Run remediation automatically
+
+
+
+ Auto-remediate qualifying findings across repositories and applications, with Slack and email notifications.
+
+
+
+ Opt a single repository into auto-remediation with a `remediation` block in `.hacktron/config.yaml`.
+
+
diff --git a/platform/security-settings.mdx b/platform/security-settings.mdx
index a2d830f..d6be82c 100644
--- a/platform/security-settings.mdx
+++ b/platform/security-settings.mdx
@@ -3,21 +3,15 @@ title: "Security settings"
description: "Configure organization-wide MFA enforcement and SAML Enterprise SSO."
---
-Use **Security settings** to manage authentication controls for your Hacktron
-organization. These settings apply to members of the organization, not just your
-own account.
+Use **Security settings** to manage authentication controls for your Hacktron organization. These settings apply to members of the organization, not just your own account.
- [Set up your own
- MFA](/platform/account-settings#multi-factor-authentication-mfa) from
- **Account settings**.
+ [Set up your own MFA](/platform/account-settings#multi-factor-authentication-mfa) from **Account settings**.
## Require MFA for members
-Organization admins and owners can require MFA for every member of a Hacktron
-organization. When this is enabled, members who have not set up MFA must complete
-MFA setup before they can continue using that organization.
+Organization admins and owners can require MFA for every member of a Hacktron organization. When this is enabled, members who have not set up MFA must complete MFA setup before they can continue using that organization.
@@ -27,14 +21,12 @@ MFA setup before they can continue using that organization.
In **Security**, locate **Require MFA for members**.
- Enable **Require MFA for members**. Hacktron applies the requirement to the
- current organization.
+ Enable **Require MFA for members**. Hacktron applies the requirement to the current organization.
- Members who have not set up MFA are prompted to complete setup when they next
- access the organization.
+ Members who have not set up MFA are prompted to complete setup when they next access the organization.
## Enterprise SSO
@@ -42,8 +34,7 @@ MFA setup before they can continue using that organization.
Hacktron supports Enterprise SSO through SAML.
- If this is your first time setting up SAML SSO, you will need to [contact
- us](mailto:hello@hacktron.ai).
+ If this is your first time setting up SAML SSO, you will need to [contact us](mailto:hello@hacktron.ai).
If we have set up SSO for your organization, you can log in via SSO from your identity provider.
@@ -53,15 +44,12 @@ If we have set up SSO for your organization, you can log in via SSO from your id
From the login page, select **Single sign-on (SSO)**.
- Enter the work email address for the domain connected to your SAML identity
- provider.
+ Enter the work email address for the domain connected to your SAML identity provider.
- Hacktron redirects you to the SAML identity provider configured for that
- email domain.
+ Hacktron redirects you to the SAML identity provider configured for that email domain.
- After successful authentication, you return to Hacktron and continue to the
- page you were signing in for.
+ After successful authentication, you return to Hacktron and continue to the page you were signing in for.
-
+
\ No newline at end of file
diff --git a/style.css b/style.css
index afb03fe..2ecc4ac 100644
--- a/style.css
+++ b/style.css
@@ -1,3 +1,7 @@
+html {
+ scroll-behavior: smooth;
+}
+
.bg-primary-dark,
.bg-primary-dark *,
#banner * {