Automatic Analysis
Register a GitHub push webhook so BlameTrail automatically analyzes every commit as it is pushed, without CI/CD changes.
Automatic analysis lets BlameTrail inspect code changes the moment they are pushed to GitHub, without requiring any modifications to your CI/CD pipeline. Once you register a GitHub push webhook, every push event is verified, its commits are ingested, and -- if auto-analyze is enabled -- a commit analysis runs automatically.
Setting up the webhook
Step 1: Generate the webhook secret
- Navigate to the repository settings page within BlameTrail (accessible from the service detail page or Organization > Integrations).
- Click Register Push Webhook.
- BlameTrail generates an HMAC secret. Copy this value -- it is displayed only once.
Step 2: Add the webhook in GitHub
- Open your repository on GitHub.
- Go to Settings > Webhooks > Add webhook.
- Configure the webhook:
| Field | Value |
|---|---|
| Payload URL | https://<your-blametrail-domain>/api/github/webhook |
| Content type | application/json |
| Secret | Paste the HMAC secret from Step 1 |
| Events | Select Just the push event |
- Click Add webhook.
Step 3: Verify the connection
Push a commit to the repository. BlameTrail verifies the HMAC signature on every incoming webhook payload. If verification succeeds, the push appears in your deploy timeline within seconds.
You can confirm the webhook is active by checking the Recent Deliveries tab on the GitHub webhook settings page. A 200 response indicates success.
Enabling auto-analyze
Registering the webhook alone only ingests commits. To trigger automatic commit analysis on every push:
- Open the repository settings page in BlameTrail.
- Toggle Auto-Analyze to on.
- Click Save.
With auto-analyze enabled, every push event triggers a commit analysis for each new commit. Results appear on the Analyses page as they complete.
How verification works
BlameTrail uses HMAC-SHA256 to verify webhook payloads:
- GitHub signs each payload using the shared secret and includes the signature in the X-Hub-Signature-256 header.
- BlameTrail recomputes the signature using the stored secret and compares it to the header value.
- If the signatures do not match, the request is rejected with a 401 response. Rejected payloads are logged for audit purposes.
This ensures that only legitimate push events from GitHub are processed.
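The check described above, sketched as an added example (this is not BlameTrail's own code). The function names, secrets and payload are constructed for illustration; the `sha256=` prefix is the format GitHub uses for the X-Hub-Signature-256 header value.

```python
import hashlib
import hmac
from typing import Mapping, Optional

PREFIX = "sha256="  # GitHub's X-Hub-Signature-256 value is "sha256=<hex digest>"

def sign(secret: bytes, raw_body: bytes) -> str:
    """Compute the header value a sender holding `secret` would attach."""
    return PREFIX + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

def verify(secret: bytes, raw_body: bytes, header: Optional[str]) -> bool:
    """True only if `header` is a valid HMAC-SHA256 of the exact bytes received."""
    if not header or not header.startswith(PREFIX):
        return False  # missing header or unexpected algorithm prefix
    expected = sign(secret, raw_body)
    # Constant-time comparison; compare as bytes so a non-ASCII header cannot raise.
    return hmac.compare_digest(expected.encode(), header.encode())

def handle_webhook(secret: bytes, headers: Mapping[str, str], raw_body: bytes) -> int:
    """Return the HTTP status: 401 on failed verification, 200 otherwise."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if not verify(secret, raw_body, lowered.get("x-hub-signature-256")):
        return 401  # reject before parsing JSON or ingesting commits
    return 200

# Constructed sample values, not real secrets or payloads.
OLD_SECRET = b"constructed-secret-v1"
NEW_SECRET = b"constructed-secret-v2"  # stands in for the secret after a rotation
BODY = b'{"ref":"refs/heads/main","commits":[{"id":"0000000"}]}'

if __name__ == "__main__":
    good = {"X-Hub-Signature-256": sign(OLD_SECRET, BODY)}
    print(handle_webhook(OLD_SECRET, good, BODY))                            # valid delivery
    print(handle_webhook(OLD_SECRET, good, BODY.replace(b"main", b"test")))  # body altered
    print(handle_webhook(NEW_SECRET, good, BODY))                            # signed with rotated-out secret
    print(handle_webhook(OLD_SECRET, {}, BODY))                              # header missing
```

The HMAC is computed over the raw request bytes as received. Hashing a re-serialized copy of the parsed JSON changes whitespace or key order and makes valid deliveries fail.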
Managing the webhook
From the repository settings page in BlameTrail, you can:
- Rotate the secret -- Generates a new HMAC secret and invalidates the previous one. You must update the secret in GitHub after rotating.
- Disable auto-analyze -- Stops automatic analysis while still ingesting commits from push events.
- Remove the webhook -- Deletes the webhook registration from BlameTrail. You should also remove the webhook from GitHub to stop sending payloads.
Analysis credits
Automatic analyses consume the same monthly credits as manual analyses. Monitor your usage on the Settings > Billing page. If you exceed your plan's limit, auto-analyze pauses until the next billing cycle.
See Plans and Pricing for credit limits by plan.
Next steps
- Commit Analysis -- Understand what each analysis produces.
- Range Analysis -- Analyze a range of commits after the fact.