
Push Webhooks

Automatically ingest commits from GitHub push events and optionally trigger AI-powered commit analysis on every push.

GitHub push webhooks allow BlameTrail to automatically ingest commits whenever code is pushed to a repository. Instead of relying solely on deploy events from your CI/CD pipeline, push webhooks capture every commit as it lands, enabling real-time commit tracking and optional AI analysis.

Setting up the webhook

1. Generate the webhook secret in BlameTrail

  1. Open the service that is linked to the GitHub repository.
  2. Navigate to the Repository section of the service settings.
  3. Click Generate Webhook Secret. BlameTrail creates an HMAC secret and displays it once.
  4. Copy the secret immediately and store it securely.

2. Add the webhook to GitHub

  1. Go to your GitHub repository's Settings > Webhooks.
  2. Click Add webhook.
  3. Configure the following:
| Field | Value |
| --- | --- |
| Payload URL | https://blametrail.com/api/github/webhook |
| Content type | application/json |
| Secret | The HMAC secret you copied from BlameTrail |
| Events | Select Let me select individual events, then check Pushes and Pull requests |
| Active | Checked |

  4. Click Add webhook.

3. Verify the webhook

Push a commit to the repository. In GitHub, go to Settings > Webhooks, click the webhook, and check Recent Deliveries. You should see a 200 response from BlameTrail.

HMAC verification

Every incoming webhook request is verified using HMAC-SHA256. BlameTrail computes the expected signature from the request body and the stored secret, then compares it to the X-Hub-Signature-256 header sent by GitHub. Requests with invalid or missing signatures are rejected with a 401 status.
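
A receiver-side sketch of this check, added here as an illustration and not BlameTrail's own code: it verifies the X-Hub-Signature-256 value over the raw request bytes with a constant-time comparison and returns the status described above. The function names, secrets and payload are constructed; the last case shows why deliveries signed with a pre-rotation secret are rejected.

```python
import hashlib
import hmac

SIG_HEADER = "x-hub-signature-256"
SIG_PREFIX = "sha256="

def expected_signature(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 over the exact bytes received, in GitHub's header format."""
    return SIG_PREFIX + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

def verify_delivery(secret: bytes, raw_body: bytes, headers: dict) -> int:
    """Return the HTTP status for a delivery: 200 if the signature matches, else 401."""
    # HTTP header names are case-insensitive, so normalise before the lookup.
    received = {k.lower(): v for k, v in headers.items()}.get(SIG_HEADER)
    if not received or not received.startswith(SIG_PREFIX):
        return 401  # missing or malformed signature header
    expected = expected_signature(secret, raw_body)
    # compare_digest avoids the timing side channel of an ordinary == comparison.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return 401
    return 200

# Constructed sample values, for illustration only.
OLD_SECRET = b"example-secret-before-rotation"
NEW_SECRET = b"example-secret-after-rotation"
BODY = b'{"ref":"refs/heads/main","commits":[{"id":"<sha-placeholder>"}]}'

def demo() -> dict:
    signed = {"X-Hub-Signature-256": expected_signature(NEW_SECRET, BODY)}
    stale = {"X-Hub-Signature-256": expected_signature(OLD_SECRET, BODY)}
    return {
        "valid": verify_delivery(NEW_SECRET, BODY, signed),
        "missing_header": verify_delivery(NEW_SECRET, BODY, {}),
        # Re-serialised JSON (one added space) is different bytes, so the MAC differs.
        "body_changed": verify_delivery(NEW_SECRET, BODY.replace(b":", b": ", 1), signed),
        # Sender still signing with the pre-rotation secret.
        "old_secret": verify_delivery(NEW_SECRET, BODY, stale),
    }

if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The signature must be computed over the body bytes exactly as received; parsing and re-serialising the JSON before verification changes the bytes and fails the check.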

Auto-analyze

When auto-analyze is enabled, BlameTrail automatically triggers AI-powered commit analysis on each push. This provides:

  • File classification for every changed file
  • Risk scoring based on the nature of the changes
  • A human-readable diagnosis of what the changes do and what could go wrong

To toggle auto-analyze:

  1. Open the service settings.
  2. In the Repository section, toggle Auto-analyze on push.
  3. Click Save.

When disabled, commits are still ingested from push events but not analyzed automatically. You can always trigger analysis manually from the commit detail page.

Secret rotation

If the webhook secret is compromised:

  1. Open the service settings in BlameTrail.
  2. Click Rotate Secret in the repository webhook section.
  3. Copy the new secret.
  4. Update the secret in your GitHub repository's webhook settings (Settings > Webhooks > Edit).

The previous secret is invalidated immediately. GitHub deliveries using the old secret will be rejected until you update the webhook configuration.

What gets ingested

For each push event, BlameTrail records:

  • All commits included in the push
  • Commit SHAs, messages, authors, and timestamps
  • The branch that was pushed to
  • The repository reference

This data is stored alongside the service and is available for commit analysis, range analysis, and correlation with incidents.

Push webhooks vs. deploy webhooks

Push webhooks and deploy webhooks serve different purposes:

| Feature | Push webhook | Deploy webhook |
| --- | --- | --- |
| Trigger | Every git push | CI/CD pipeline step after deployment |
| Scope | All commits on all branches | Specific commits that were deployed |
| Use case | Commit analysis, range analysis | Suspect scoring, deploy tracking |
| Setup | GitHub repository webhook | CI/CD pipeline step |

For complete coverage, use both: push webhooks for real-time commit tracking and analysis, deploy webhooks for accurate deploy-to-incident correlation.

Pull request state sync

If your webhook includes pull request events, BlameTrail automatically tracks the state of fix proposal PRs. When a fix PR is closed or merged on GitHub, the corresponding fix proposal is updated in BlameTrail.

This is optional — BlameTrail also polls GitHub every 15 minutes to sync PR state as a fallback. Enabling PR events provides faster state updates and a Slack notification when a fix PR is merged.
