# Enhanced Pull Request Comments: Empower Developers to Ship Code That's Secure by Default

By [Jonathan Bregman](https://www.paloaltonetworks.com/blog/author/jonathan-bregman/?ts=markdown "Posts by Jonathan Bregman"), Apr 04, 2023

[DevSecOps](https://www.paloaltonetworks.com/blog/category/devsecops/?ts=markdown) [IaC](https://www.paloaltonetworks.com/blog/tag/iac/?ts=markdown) [Secrets](https://www.paloaltonetworks.com/blog/tag/secrets/?ts=markdown) [VCS](https://www.paloaltonetworks.com/blog/tag/vcs/?ts=markdown)

Preventing misconfigurations and vulnerabilities from reaching runtime without slowing development down is challenging. That's where pull request (PR) comments come in.
With pull request comments, you can address code security issues, such as IaC misconfigurations, [exposed credentials](https://www.paloaltonetworks.com/blog/prisma-cloud/secrets-security-across-files-repositories-pipelines/?ts=markdown), and vulnerabilities in open source dependencies, early in the software development lifecycle and ship code that's secure by default. Prisma Cloud's [enhanced PR comments support](https://live.paloaltonetworks.com/t5/blogs/pull-request-comments-enhancements/ba-p/537303) adds advanced functionality, such as automated fixes and embedded security guardrails, and works across all version control system (VCS) providers. Let's look at PR comments and walk through how you can use them day to day.

## Built-In Security Context with Pull Request Comments

Traditional code reviews audit a developer's work and leave comments that the developer must address by hand before merging. Manual review is time consuming and doesn't scale the way [DevSecOps best practices](https://www.paloaltonetworks.com/blog/prisma-cloud/a-primer-on-secure-devops-learn-the-benefits-of-these-3-devsecops-use-cases/?ts=markdown) call for. Pull request comments let you fix code issues before you merge your feature branch into the main branch.

When a pull request is opened, Prisma Cloud automatically scans every line of code and posts in-line comments that state what to fix and how to fix it. So when you go to merge, you see in detail exactly which issues, such as IaC misconfigurations, vulnerabilities, [exposed credentials](https://www.paloaltonetworks.com/blog/prisma-cloud/exposed-credentials-across-the-devsecops-pipeline/?ts=markdown) and [open source license violations](https://www.paloaltonetworks.com/blog/prisma-cloud/why-you-need-proactive-open-source-license-compliance/?ts=markdown), you need to address.
## Automatically Generated Fixes and Audit Trails

Prisma Cloud further simplifies shipping secure code with *suggested fix comments*. With one click, you can accept a pull request comment that applies the code fix automatically. Whenever you address a comment and commit a fix, whether automated or manual, the comment is updated to show that it has been resolved. These *interactive comments* provide both a written record of code issues and an audit trail of fixes. If a security incident occurs, you can trace back from the compromise to the PR comment on the precise line of at-risk code and determine whether the issue was addressed.

![Prisma Cloud provides a suggested fix via a PR comment.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/03/word-image-181875-1.png)

## Support Across All VCS Providers

Prisma Cloud supports PR comments across all VCS types, including Bitbucket, Bitbucket Server, Azure Repos, GitHub, GitHub Server, GitLab and GitLab Self-Managed. The platform also generates reports on PR comments, such as the report below, which outlines IaC misconfigurations flagged in a PR comment in Bitbucket.

![Prisma Cloud generates a report detailing two flagged IaC misconfigurations found in a pull request.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/03/word-image-181875-2.png)

## Embedded Security Guardrails with Enforcement Rules for Pull Requests

Being held up by a blocked PR is frustrating, which is why guardrails need to be precise: block only on the issues that matter, and let everything else through with guidance attached. That precision is what keeps development moving while still preventing risks from reaching runtime. Enforcement Rules for pull requests give you that guidance and those guardrails.
With [Enforcement Rules](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-code-security/scan-monitor/development-pipelines/enforcement), you can tune risk thresholds separately for each category ([vulnerabilities](https://www.paloaltonetworks.com/blog/prisma-cloud/prisma-cloud-announces-software-composition-analysis/?ts=markdown), licenses, IaC, build integrity, and secrets), so you can separate the truly critical issues from those that can wait for the next PR. A soft fail generates comments that contextualize code risks but doesn't block the merge, so release velocity is preserved. A hard fail introduces a security guardrail long before production and blocks the merge until the critical issues are addressed. You're never left wondering why something was blocked, because the in-line comments provide the context on the risk.

![Enforcement Rules can be fine-tuned depending on your organization's unique needs and security goals.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/03/word-image-181875-3.png)

## Shifting Left with Pull Request Comments

PR comments are nothing new; cloud-native organizations have long used them as a frictionless way for developers to ship secure code. With Prisma Cloud's recent enhancements and expanded support for all VCS providers, any team can adopt PR comments as it continues along its [DevSecOps](https://www.paloaltonetworks.com/cyberpedia/what-is-devsecops?ts=markdown) adoption journey. To see PR comments in action, watch a [Code Security demo](https://www.paloaltonetworks.com/prisma/comprehensive-cloud-native-security-demo?ts=markdown) or [request a free trial](https://www.paloaltonetworks.com/prisma/request-a-prisma-cloud-trial?ts=markdown).
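To make the two mechanics above concrete, here is a small Python PR gate written as an added illustration; it is not Prisma Cloud's code or API. It scans a constructed Terraform snippet with two toy line-based checks (an SSH rule open to 0.0.0.0/0 and a hardcoded AWS access key ID), renders each finding as a review comment that carries a GitHub suggestion fence (a code block tagged `suggestion`, which is what gives the reviewer a one-click "Commit suggestion" button), and then applies a per-category soft-fail / hard-fail table of the kind the Enforcement Rules section describes. The severity scale, the enforcement table, the file name `main.tf`, the two regexes and the placeholder replacement CIDR are all assumptions made for the example.

```python
"""Toy PR gate: scan findings -> review comments with suggested fixes, then
soft-fail / hard-fail enforcement per category.

Added illustration, not Prisma Cloud's code or API. The Terraform sample, the
two line-based checks, the severity scale and the enforcement table are all
constructed for this example; the suggestion fence is GitHub's review syntax.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}
FENCE = "`" * 3  # built at runtime so this file can itself sit inside a Markdown code block


@dataclass
class Finding:
    category: str              # iac | secrets | vulnerabilities | licenses | build_integrity
    severity: str              # key of SEVERITY_RANK
    path: str
    line: int                  # 1-based line number of the offending code
    message: str
    suggestion: Optional[str]  # full replacement for that line, or None if there is no auto-fix


# Constructed sample input: an SSH rule open to the world and a hardcoded AWS key ID.
SAMPLE_TF = """resource "aws_security_group_rule" "ssh" {
  type        = "ingress"
  from_port   = 22
  to_port     = 22
  protocol    = "tcp"
  cidr_blocks = ["0.0.0.0/0"]
}

provider "aws" {
  access_key = "AKIAIOSFODNN7EXAMPLE"
}
"""

OPEN_CIDR_RE = re.compile(r'cidr_blocks\s*=\s*\["0\.0\.0\.0/0"\]')
AWS_KEY_RE = re.compile(r'"AKIA[0-9A-Z]{16}"')  # shape of an AWS access key ID


def scan(path: str, text: str) -> list[Finding]:
    """Two toy line-based checks. A real scanner parses HCL and ships hundreds of policies."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        if OPEN_CIDR_RE.search(line):
            findings.append(Finding(
                "iac", "HIGH", path, n,
                "Security group ingress is open to the internet (0.0.0.0/0).",
                line.replace('"0.0.0.0/0"', '"10.0.0.0/8"')))  # placeholder admin range
        if AWS_KEY_RE.search(line):
            findings.append(Finding(
                "secrets", "CRITICAL", path, n,
                "Hardcoded AWS access key ID; rotate it and inject it from a secrets store.",
                AWS_KEY_RE.sub("var.aws_access_key", line)))
    return findings


# Enforcement table (constructed): lowest severity that gets a comment (soft fail)
# and lowest severity that blocks the merge (hard fail), per category.
ENFORCEMENT = {
    "iac":             {"soft": "LOW",    "hard": "CRITICAL"},
    "secrets":         {"soft": "LOW",    "hard": "HIGH"},
    "vulnerabilities": {"soft": "MEDIUM", "hard": "CRITICAL"},
    "licenses":        {"soft": "LOW",    "hard": None},      # comment only, never blocks
    "build_integrity": {"soft": "LOW",    "hard": "HIGH"},
}


def at_least(severity: str, threshold: Optional[str]) -> bool:
    """True when `severity` reaches `threshold`; a None threshold never triggers."""
    return threshold is not None and SEVERITY_RANK[severity] >= SEVERITY_RANK[threshold]


def render_comment(f: Finding) -> str:
    """Review-comment body; the suggestion fence replaces the commented line in one click."""
    body = f"**{f.category}/{f.severity}** `{f.path}:{f.line}` {f.message}"
    if f.suggestion is not None:
        body += f"\n{FENCE}suggestion\n{f.suggestion}\n{FENCE}"
    return body


def evaluate(findings: list[Finding]) -> dict:
    """Apply ENFORCEMENT: which findings get comments, and whether the merge is blocked."""
    comments: list[str] = []
    blocking: list[tuple[str, str, int]] = []
    for f in findings:
        rule = ENFORCEMENT[f.category]
        if at_least(f.severity, rule["soft"]):
            comments.append(render_comment(f))
        if at_least(f.severity, rule["hard"]):
            blocking.append((f.category, f.path, f.line))
    return {"comments": comments, "block": bool(blocking), "blocking": blocking}


if __name__ == "__main__":
    result = evaluate(scan("main.tf", SAMPLE_TF))
    print("\n\n".join(result["comments"]))
    print("\nmerge blocked:", result["block"], result["blocking"])
```

Run as-is, the open SSH rule (iac/HIGH) gets a comment with a suggested fix but does not block, while the hardcoded key (secrets/CRITICAL) both gets a comment and blocks the merge, which is the soft-fail versus hard-fail split the section describes. Two design points are worth noting: a GitHub suggestion fence replaces the whole commented line, so the `suggestion` field carries the full line including its indentation; and a one-click fix for a leaked secret only removes it from the diff, the key still has to be rotated because it is already in the branch history. Other VCS providers have their own suggestion syntax, so the rendering step is the part that varies per platform.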