Summary
Add webhook-based CI/CD integration so scans are automatically triggered on GitHub push and pull request events, with results reported back to the PR.
Problem
Currently scans can only be triggered manually or via scheduled recurring scans. There is no way to:
- Automatically scan when code is pushed to a branch
- Scan PR changes before merge
- Block merges when critical vulnerabilities are found
- Post scan results as PR comments or status checks
This means vulnerability detection happens after the fact rather than as part of the development workflow.
Proposed solution
Backend — Webhook receiver
POST /api/webhooks/github — Receives GitHub webhook events (push, pull_request)
- Verify webhook signature using X-Hub-Signature-256 header
- On push to default branch: trigger full scan
- On pull_request (opened/synchronize): trigger scan of the PR branch
- Store webhook secret per repository in ai_detection_repositories
Backend — GitHub status checks
- After scan completes, post results back to GitHub:
- Create commit status check (pending → success/failure)
- Post PR comment with findings summary (new findings count, risk score, top vulnerabilities)
- Configurable thresholds: fail check if risk score < X or new critical findings > Y
Frontend — Repository settings
- Add "CI/CD integration" section to repository edit modal
- Webhook URL display with copy button
- Webhook secret generation and management
- Threshold configuration (minimum risk score, max allowed critical findings)
- Toggle: post PR comments, create status checks
Database
- Add to ai_detection_repositories: webhook_secret, ci_enabled, ci_min_score, ci_max_critical, ci_post_comments, ci_status_checks
- Add to ai_detection_scans: trigger_type (manual | scheduled | webhook), pr_number, commit_sha, branch
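The webhook receiver, the status-check threshold rule, and the new ai_detection_scans trigger fields above, as an added example (not the project's code): signature verification over the raw body with a constant-time compare, event-to-scan mapping, and the pass/fail decision. The secret and payloads are constructed placeholders; the function names are assumptions.

```python
import hashlib
import hmac
import json
from typing import Optional

def sign_body(secret: bytes, body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256 for this secret and raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_github_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Check X-Hub-Signature-256 over the raw, unparsed request body."""
    if not header or not header.startswith("sha256="):
        return False
    # compare_digest is constant-time; compare bytes so a non-ASCII header cannot raise
    return hmac.compare_digest(header.encode(), sign_body(secret, body).encode())

def plan_scan(event: str, payload: dict, default_branch: str) -> Optional[dict]:
    """Map a verified push/pull_request event to ai_detection_scans trigger fields."""
    if event == "push":
        branch = payload.get("ref", "").removeprefix("refs/heads/")
        if branch != default_branch:
            return None  # only pushes to the default branch get a full scan
        return {"trigger_type": "webhook", "branch": branch,
                "commit_sha": payload["after"], "pr_number": None}
    if event == "pull_request" and payload.get("action") in ("opened", "synchronize"):
        pr = payload["pull_request"]
        return {"trigger_type": "webhook", "branch": pr["head"]["ref"],
                "commit_sha": pr["head"]["sha"], "pr_number": pr["number"]}
    return None  # other events (closed, labeled, ...) are ignored

def status_state(risk_score: float, new_critical: int,
                 ci_min_score: float, ci_max_critical: int) -> str:
    """Commit status to post: 'failure' when a configured threshold is breached."""
    if risk_score < ci_min_score or new_critical > ci_max_critical:
        return "failure"
    return "success"

# Constructed sample inputs, not real GitHub traffic; the secret is a placeholder.
SECRET = b"placeholder-webhook-secret"
PUSH_PAYLOAD = {"ref": "refs/heads/main", "after": "0" * 40}
PR_PAYLOAD = {"action": "synchronize",
              "pull_request": {"number": 42, "head": {"ref": "feature/x", "sha": "1" * 40}}}
PUSH_BODY = json.dumps(PUSH_PAYLOAD).encode()

if __name__ == "__main__":
    assert verify_github_signature(SECRET, PUSH_BODY, sign_body(SECRET, PUSH_BODY))
    print(plan_scan("push", PUSH_PAYLOAD, "main"))
    print(plan_scan("pull_request", PR_PAYLOAD, "main"))
    print(status_state(72.0, 1, ci_min_score=80.0, ci_max_critical=0))
```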
Acceptance criteria