Turning it on
Monitoring is off by default for every repo. Toggle it in either place:- Repositories page — the Monitor column has a switch per row.
- Repository detail page — the Monitoring switch in the header, next to the Re-scan button.
What a push-triggered scan does
A push scan is identical to pressing Re-scan with theall ruleset — same
engine, same rule settings (global toggles and
per-repo overrides are respected), same persistence. Two differences show up in
the UI:
- Scan history rows carry an auto badge (⚡) so you can tell push-triggered scans from manual ones.
- The scan records the exact commit SHA that was pushed (manual scans record the branch head at scan time).
How it works
The Pipefort GitHub App subscribes to push webhooks. When GitHub delivers one:- The API verifies the delivery’s HMAC signature (
X-Hub-Signature-256) against the deployment’sGITHUB_WEBHOOK_SECRET. Unsigned or mis-signed deliveries are rejected. - Pushes to branches other than the default branch, and branch deletions, are acknowledged and ignored.
- Each delivery is recorded by its GitHub delivery ID, so GitHub’s automatic redeliveries never cause duplicate scans.
- If several Pipefort users have linked the same installation and monitor the repo, each user gets their own scan — scan history and findings stay per-user, exactly like manual scans.
Scans can take longer than GitHub’s ~10-second webhook delivery timeout, so the
delivery may appear as “timed out” in the GitHub App’s Advanced → Recent
Deliveries log even though the scan completed. Check the repo’s scan history
in Pipefort for the actual result.
Limits (v1)
- Default branch only. Pushes to other branches are ignored. (Branch lists are a planned follow-up.)
- GitHub only. GitLab webhook support is a planned follow-up; GitLab repos can still be scanned manually.
- Push events only. Changing repo settings (branch protection, Actions permissions) does not trigger a scan — those changes are picked up by the next scan, manual or pushed.
Self-hosted deployments
Monitoring requires the GitHub App to have webhooks enabled — see Create your GitHub App: activate the webhook, point it athttps://<your-deployment>/api/webhooks/github, subscribe to
Push, and set the same secret as GITHUB_WEBHOOK_SECRET on the API. Until
the secret is configured the webhook endpoint answers 503 and monitored
repos simply don’t auto-scan.