Webhooks
CodeStax receives and sends webhooks for automated security workflows.
Incoming Webhooks (from SCM Providers)
GitHub Webhooks
Endpoint: Your CodeStax instance receives webhooks at a registered endpoint.
Verification: All requests are verified using HMAC SHA-256 with a shared secret.
Supported events:
| Event | Payload | Action |
|---|---|---|
| pull_request.opened | PR details, diff URL | Trigger security review |
| pull_request.synchronize | Updated PR, new commits | Re-trigger review |
| pull_request.reopened | Reopened PR details | Trigger security review |
| push | Branch, commits | Trigger auto-scan |
Bitbucket Webhooks
Similar webhook support for Bitbucket pull request events.
Setting Up Webhooks
Webhooks are automatically configured when you:
- Import a repository with Auto-scan on Push enabled
- Enable PR reviews for a repository
CodeStax registers the webhook on your SCM provider using your OAuth token. No manual configuration is required.
Webhook Security
All incoming webhooks are verified to prevent spoofing:
- GitHub: HMAC SHA-256 signature in the X-Hub-Signature-256 header
- Bitbucket: Request signing verification
Unverified webhook requests are rejected with a 401 status.
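The verification and event dispatch described above, as an added example that is not CodeStax's own code: it recomputes HMAC SHA-256 over the raw request body with the shared secret, compares it in constant time against the X-Hub-Signature-256 header, rejects anything that does not verify with a 401, and maps the supported events to the actions in the table. The function names, the secret and the sample payloads are constructed for this example; the X-GitHub-Event header is GitHub's standard event-name header and is not mentioned on the page.

```python
"""Added example (not CodeStax's own code): verify a GitHub webhook as the
page describes and route supported events to the listed action."""
import hmac
import hashlib
import json
from typing import Optional, Tuple

# Assumed: the shared secret registered with the SCM provider (constructed value).
SHARED_SECRET = b"constructed-example-secret"

# Actions the page lists for each supported GitHub event.
# Key: (X-GitHub-Event value, payload "action" for pull_request events).
EVENT_ACTIONS = {
    ("pull_request", "opened"): "trigger_security_review",
    ("pull_request", "synchronize"): "retrigger_review",
    ("pull_request", "reopened"): "trigger_security_review",
    ("push", None): "trigger_auto_scan",
}


def compute_signature(secret: bytes, body: bytes) -> str:
    """GitHub-style header value: 'sha256=' + hex HMAC-SHA256 of the raw body."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Constant-time comparison; a missing or malformed header never verifies."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    expected = compute_signature(secret, body)
    return hmac.compare_digest(expected, header_value)


def handle_webhook(headers: dict, body: bytes) -> Tuple[int, str]:
    """Return (HTTP status, action). Unverified requests get 401, as the page states.
    Verification runs on the raw bytes before the body is parsed, so a tampered
    or unsigned payload is never interpreted."""
    if not verify_signature(SHARED_SECRET, body, headers.get("X-Hub-Signature-256")):
        return 401, "rejected: bad or missing signature"
    event = headers.get("X-GitHub-Event")
    payload = json.loads(body)
    pr_action = payload.get("action") if event == "pull_request" else None
    action = EVENT_ACTIONS.get((event, pr_action))
    if action is None:
        return 204, "ignored: unsupported event"
    return 200, action


if __name__ == "__main__":
    # Constructed delivery: a PR opened event, correctly signed.
    body = json.dumps({"action": "opened", "number": 42}).encode()
    headers = {
        "X-GitHub-Event": "pull_request",
        "X-Hub-Signature-256": compute_signature(SHARED_SECRET, body),
    }
    print(handle_webhook(headers, body))
    # Same body delivered without a signature: rejected with 401.
    print(handle_webhook({"X-GitHub-Event": "pull_request"}, body))
```

The comparison uses hmac.compare_digest rather than ==, so the time taken to reject a bad signature does not depend on how many leading bytes matched; the body is hashed exactly as received, because re-serialising parsed JSON would change the bytes and break verification.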
Troubleshooting
| Problem | Solution |
|---|---|
| Webhooks not firing | Check if the webhook is registered in your SCM provider's settings |
| Webhook delivery failures | Verify your CodeStax instance is reachable from the internet |
| 401 Unauthorized responses | Re-register the webhook (the secret may have changed) |