Skip to content
VULQN VULQN
Get Started

Findings & Feedback

VULQN is most useful when teams close the loop on review feedback. Fix what should be fixed, acknowledge what is intentional, and turn recurring context into team learnings.

Finding fields

Each finding includes:

FieldHow to use it
File and lineGo directly to the changed code.
SeverityDecide how urgently the team should respond.
CategoryUnderstand what kind of issue VULQN found.
ConfidenceJudge whether the finding is high certainty or medium certainty.
Suggested fixUse the proposed direction when the finding is actionable.

Fixing a finding

The normal workflow is:

  1. Read the inline comment in the PR.
  2. Push a fix.
  3. Let VULQN re-review the updated PR.
  4. If VULQN verifies the issue is fixed, it marks the finding resolved and resolves the thread when the provider supports it.

You can also manually resolve a finding from the PR thread with !vulqn resolve.

Acknowledging an intentional finding

Sometimes VULQN is correct about a tradeoff, but the team intentionally accepts it. Use !vulqn ack as a reply to that VULQN inline comment.

Acknowledging a finding:

  • Marks it as acknowledged in VULQN.
  • Resolves the source-control thread when possible.
  • Prevents equivalent findings from being re-posted on later re-reviews.
  • Keeps the record visible in review history.

Use acknowledgement for cases like compatibility requirements, deliberate product behavior, temporary migration code, or known risk accepted by the team.

Saving team learnings

Use !vulqn learn <text> when the explanation should influence future reviews.

Examples:

!vulqn learn This admin-only endpoint may run N+1 queries because result sets are capped at 25 rows.
!vulqn learn This package preserves the old response shape for mobile clients on versions before 5.3.

If you use !vulqn learn as a reply to a VULQN finding, VULQN saves the learning and acknowledges that finding. If you post it as a top-level PR comment, VULQN saves the learning only.

Good learnings are specific. Avoid broad instructions like “ignore all security issues” or “never report tests.” VULQN rejects learning text that looks like an attempt to suppress review wholesale.

Natural-language replies

When someone replies to a VULQN finding with clear language such as “intentional”, “by design”, “expected behavior”, or “won’t fix”, VULQN may treat that reply as a learning signal and acknowledge the parent finding.

For important context, prefer the explicit command:

!vulqn learn <the team-specific rule>

Explicit learnings are easier for reviewers to audit and easier for future readers to understand.

Resolving all open findings

Use a top-level PR comment when the PR has been reviewed and you want to mark every open VULQN finding as resolved:

!vulqn resolve

This does not change acknowledged findings. It only resolves currently open findings for that PR.

When to use pause or ignore

Use !vulqn pause when the PR is noisy for a while but you expect to resume automatic reviews later.

Use !vulqn ignore when you want automatic reviews off for the rest of that PR. Manual review commands can still be used if needed.