Webhooks
Webhooks connect your SCM provider (GitHub or Bitbucket) to CodeStax, enabling automatic security reviews when code changes happen.
Supported Events
GitHub
| Event | Trigger | CodeStax Action |
|---|---|---|
| pull_request.opened | A new PR is created | Triggers PR review |
| pull_request.synchronize | New commits pushed to a PR | Re-triggers PR review |
| pull_request.reopened | A closed PR is reopened | Triggers PR review |
| push | Code pushed to a branch | Triggers auto-scan (if enabled in policy) |
Bitbucket
| Event | Trigger | CodeStax Action |
|---|---|---|
| pullrequest:created | A new PR is created | Triggers PR review |
| pullrequest:updated | PR is updated with new commits | Re-triggers PR review |
| repo:push | Code pushed to a branch | Triggers auto-scan (if enabled in policy) |
Setup
Automatic Setup (Recommended)
If you connected your repository via OAuth, CodeStax can configure webhooks automatically:
- Go to Repository Settings → Webhooks
- Click Enable Auto-Review
- CodeStax registers the webhook with your SCM provider
- Verify the status shows “Active”
Manual Setup — GitHub
- Go to your GitHub repository → Settings → Webhooks → Add webhook
- Configure:
  - Payload URL: https://codestax.co/api/v1/webhooks/github
  - Content type: application/json
  - Secret: Copy from Repository Settings → Webhooks → Webhook Secret in CodeStax
  - Events: Select “Pull requests” and optionally “Pushes”
- Click Add webhook
- Verify delivery with a test ping
Manual Setup — Bitbucket
- Go to your Bitbucket repository → Settings → Webhooks → Add webhook
- Configure:
  - Title: CodeStax Security
  - URL: https://codestax.co/api/v1/webhooks/bitbucket
  - Triggers: Select “Pull Request: Created”, “Pull Request: Updated”, and optionally “Repository: Push”
- Click Save
- Verify with a test event
Webhook Security
Signature Verification
All incoming webhooks are verified before they are processed:
- GitHub: The X-Hub-Signature-256 header is validated against your webhook secret (HMAC-SHA256 over the raw request body)
- Bitbucket: Request origin is verified against Bitbucket IP ranges
Invalid signatures are rejected with a 401 Unauthorized response.
Webhook Status
View webhook status in Repository Settings → Webhooks:
| Status | Meaning |
|---|---|
| Active | Webhook is registered and receiving events |
| Inactive | Webhook is registered but disabled |
| Error | Last delivery failed — check the error message |
| Not configured | No webhook registered for this repository |
Event Processing
When a webhook event is received:
- Signature validation — reject if invalid
- Event filtering — only process supported event types
- Repository lookup — match to a connected repository
- Policy check — verify the event matches the repo’s policy (e.g., scan_on_pr is enabled)
- Deduplication — skip if the same commit is already being reviewed
- Trigger — queue the PR review or scan
Processing typically takes 1-3 seconds before the scan or review begins.
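The following is an added, illustrative implementation of the GitHub path through the Signature Verification and Event Processing steps above; it is not CodeStax's own code. It assumes GitHub's standard `X-Hub-Signature-256` and `X-GitHub-Event` request headers, uses a constructed secret and payload, and models the in-flight commit set as a plain Python set (repository lookup and policy check are left out).

```python
import hmac
import hashlib
import json
from typing import Optional, Tuple

# GitHub events the Supported Events table lists; push has no "action" field.
SUPPORTED_GITHUB_EVENTS = {
    ("pull_request", "opened"),
    ("pull_request", "synchronize"),
    ("pull_request", "reopened"),
    ("push", None),
}


def sign_github_payload(secret: bytes, body: bytes) -> str:
    """What the sender does: HMAC-SHA256 of the raw body, hex, prefixed 'sha256='."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_github_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Recompute the signature over the *raw* body (not a re-serialised JSON object)
    and compare in constant time so timing does not leak how many bytes matched."""
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_github_payload(secret, body), header)


def process_github_event(secret: bytes, headers: dict, body: bytes,
                         in_flight: set) -> Tuple[int, str]:
    """Signature validation -> event filtering -> deduplication -> trigger.
    Returns (http_status, decision) so each outcome can be checked."""
    if not verify_github_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return 401, "invalid signature"          # rejected before the body is parsed
    event = headers.get("X-GitHub-Event", "")
    payload = json.loads(body)
    action = payload.get("action") if event == "pull_request" else None
    if (event, action) not in SUPPORTED_GITHUB_EVENTS:
        return 200, "ignored: unsupported event"   # e.g. pull_request.closed
    # The commit under review: PR head SHA for PR events, "after" SHA for pushes.
    sha = payload["pull_request"]["head"]["sha"] if event == "pull_request" else payload["after"]
    if sha in in_flight:
        return 200, "skipped: duplicate"
    in_flight.add(sha)
    return 202, f"queued review for {sha}"
```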
Troubleshooting
| Issue | Solution |
|---|---|
| Webhook shows “Error” | Check the delivery log in your SCM provider for the HTTP response |
| PR reviews not triggering | Verify the webhook secret matches between SCM and CodeStax |
| Duplicate reviews | Ensure only one webhook is registered (not both auto and manual) |
| Events delayed | Check CodeStax status page; processing may be queued during high load |
| 401 Unauthorized response | Webhook secret mismatch — regenerate in CodeStax and update in SCM |
Disabling Webhooks
To stop automatic reviews:
- Go to Repository Settings → Webhooks
- Click Disable Auto-Review
- The webhook is deactivated but not deleted — you can re-enable it later
To permanently remove, also delete the webhook from your SCM provider’s settings.