Webhooks
Pullminder uses GitHub webhooks to receive pull request events in real time. When you install the Pullminder GitHub App, GitHub automatically configures the webhook. No manual setup is required.
Inbound: GitHub to Pullminder
Endpoint
`POST /webhooks/github`
This endpoint receives webhook payloads from GitHub. It is a public endpoint and does not require session authentication. Instead, every request is verified using the webhook signature.
Supported events
Pullminder listens for pull request events with the following actions:
| Event action | What happens |
|---|---|
| opened | A new pull request is created. Pullminder fetches the diff and runs the full analysis pipeline. |
| synchronize | New commits are pushed to an open pull request. Pullminder re-analyzes the updated diff. |
| reopened | A previously closed pull request is reopened. Pullminder runs analysis again with the current diff. |
All other event types and actions are ignored.
Analysis pipeline
When a supported event is received, Pullminder performs the following steps:
- Validate the signature — The X-Hub-Signature-256 header is verified against the webhook secret to confirm the payload was sent by GitHub.
- Fetch the diff — Pullminder retrieves the full pull request diff from the GitHub API using the installed app credentials.
- Run analyzers — The diff is processed through all installed rule packs. Each pack evaluates the changes and produces findings.
- Calculate risk score — Findings are weighted by severity and category to produce an overall risk score from 0 to 100.
- Post PR comment — Pullminder posts a comment on the pull request with the risk score, findings summary, and reviewer brief.
- Set commit status — If any rule with the block action triggered, Pullminder sets a failing commit status to prevent merging. Otherwise, the status is set to passing.
- Generate alerts — If the risk score exceeds the organization’s threshold or a block-action rule triggered, an alert is created in the dashboard (and sent to Slack, if configured).
Signature verification
Every incoming webhook request must include a valid X-Hub-Signature-256 header. Pullminder computes an HMAC-SHA256 digest of the raw request body using the webhook secret and compares it to the signature in the header. Requests with missing or invalid signatures are rejected with 401 Unauthorized.
The webhook secret is configured automatically when the GitHub App is installed. You do not need to manage it manually.
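The verification described above, combined with the event filter from the Supported events section, as an added Python example that is not Pullminder's own code. The secret, the sample payloads and the 202/204 responses for accepted and ignored events are assumptions for this example; the page itself specifies only the 401 for bad signatures.

```python
import hmac
import hashlib
import json
from typing import Dict, Optional, Tuple

# Constructed secret for this example only; a real deployment gets its
# secret from the GitHub App installation, never from source code.
WEBHOOK_SECRET = b"example-webhook-secret"

# Pull request actions the pipeline acts on; everything else is ignored.
SUPPORTED_ACTIONS = {"opened", "synchronize", "reopened"}

# Constructed sample payloads, trimmed to the fields this handler reads.
SAMPLE_BODY = b'{"action": "opened", "pull_request": {"number": 42}}'
SAMPLE_CLOSED_BODY = b'{"action": "closed", "pull_request": {"number": 42}}'


def sign_payload(secret: bytes, body: bytes) -> str:
    """Return the X-Hub-Signature-256 value GitHub would send for this raw body."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Check the header against HMAC-SHA256 of the raw body in constant time."""
    if not header or not header.startswith("sha256="):
        return False  # missing header, or a different algorithm prefix
    expected = sign_payload(secret, body)
    # compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(expected, header)


def handle_webhook(headers: Dict[str, str], body: bytes,
                   secret: bytes = WEBHOOK_SECRET) -> Tuple[int, str]:
    """Verify first, then filter: (401) bad signature, (204) ignored, (202) queued."""
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return 401, "Unauthorized"
    # Parse only after the signature has been accepted.
    if headers.get("X-GitHub-Event") != "pull_request":
        return 204, "ignored event"
    payload = json.loads(body)
    action = payload.get("action")
    if action not in SUPPORTED_ACTIONS:
        return 204, f"ignored action {action}"
    number = payload["pull_request"]["number"]
    return 202, f"queued analysis for PR #{number} ({action})"
```

The digest must be computed over the request body exactly as received; re-serializing the parsed JSON changes the bytes and makes every signature check fail.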
Outbound: Pullminder to Slack
If you have configured a Slack incoming webhook URL in your dashboard settings, Pullminder sends notifications to your Slack channel when certain events occur.
Alert format
Slack messages are sent for the following events:
| Event | When it fires |
|---|---|
| High-risk PR | A pull request exceeds the organization’s risk threshold |
| Policy block | A rule with the block action triggered, preventing merge |
Each Slack message includes:
- PR title and author
- Repository name
- Risk score
- Number of findings by severity
- Link to the PR detail page in the dashboard
- Link to the pull request on GitHub
Testing the webhook
You can send a test message to your Slack channel from the dashboard settings page using the Test webhook button. This sends a sample alert payload so you can verify the channel and formatting before relying on it for real notifications.
Next steps
- Authentication — how session-based auth works
- API endpoints — complete reference for all REST endpoints
- Dashboard settings — configure Slack and notification preferences