
Webhook Auto-Scan

Overview:

Deptic can automatically scan a repository whenever code is pushed to GitHub. This is implemented using GitHub webhooks — GitHub sends a push event to Deptic, which triggers a full scan without any manual action.

How it works:

1. The user enables auto-scan for a repository on the Projects page (toggle switch)
2. Deptic registers a webhook on GitHub: POST /repos/{owner}/{repo}/hooks
3. On every push to the watched branch, GitHub sends a push event to https://api.deptic.in/api/webhooks/github
4. Deptic verifies the HMAC-SHA256 signature using the per-webhook secret
5. Smart trigger: the scan only fires if manifest files changed (package.json, pom.xml, go.mod, etc.) or the commit message contains [deptic-scan]
6. The scan runs in the background; results appear in the dashboard automatically
7. A push notification is sent to all subscribed devices

Smart trigger rules:

Deptic does NOT trigger a scan on every push. It inspects the files changed by the HEAD commit and only scans when dependency manifest files are modified. This prevents excessive API usage and keeps scan counts within the rate limits.

Files that trigger a scan:

package.json
package-lock.json
requirements.txt
pyproject.toml
setup.py
Pipfile
pom.xml
go.mod
go.sum
Cargo.toml
Cargo.lock
Gemfile
Gemfile.lock
composer.json
composer.lock
*.csproj
packages.config
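The smart-trigger decision in Go, as an added example rather than Deptic's own code: it parses the head_commit fields of the push event GitHub delivers and applies the two rules above. It assumes the payload's signature has already been verified, and it matches manifest names against the path's base name, so a manifest in a subdirectory counts (an assumption the page does not state); the sample payload is constructed.

```go
package main
import (
	"encoding/json"
	"path"
	"strings"
)

// Subset of GitHub's push event payload needed for the trigger decision.
type pushEvent struct {
	HeadCommit *struct {
		Message  string   `json:"message"`
		Added    []string `json:"added"`
		Modified []string `json:"modified"`
		Removed  []string `json:"removed"`
	} `json:"head_commit"`
}
// Manifest patterns from the list above, matched on the base name (assumption: nested manifests count).
var manifestPatterns = []string{
	"package.json", "package-lock.json", "requirements.txt", "pyproject.toml", "setup.py",
	"Pipfile", "pom.xml", "go.mod", "go.sum", "Cargo.toml", "Cargo.lock", "Gemfile",
	"Gemfile.lock", "composer.json", "composer.lock", "*.csproj", "packages.config",
}
// shouldTriggerScan applies the smart-trigger rule to a push payload whose signature has
// already been verified: scan only if the HEAD commit touched a manifest or its message
// contains [deptic-scan]. A push without head_commit (e.g. a branch deletion) never scans.
func shouldTriggerScan(raw []byte) (bool, error) {
	var ev pushEvent
	if err := json.Unmarshal(raw, &ev); err != nil {
		return false, err
	}
	if ev.HeadCommit == nil {
		return false, nil
	}
	if strings.Contains(ev.HeadCommit.Message, "[deptic-scan]") {
		return true, nil
	}
	for _, list := range [][]string{ev.HeadCommit.Added, ev.HeadCommit.Modified, ev.HeadCommit.Removed} {
		for _, f := range list {
			for _, p := range manifestPatterns {
				if ok, _ := path.Match(p, path.Base(f)); ok {
					return true, nil
				}
			}
		}
	}
	return false, nil
}

// Constructed sample: the HEAD commit edits a nested go.mod, so a scan fires.
const samplePush = `{"ref":"refs/heads/main","head_commit":{"message":"bump deps","added":[],"modified":["services/api/go.mod","README.md"],"removed":[]}}`
```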

Rate limits:

Limit                                          Value
Max webhook-triggered scans per user per day   10
Minimum time between scans for the same repo   5 minutes
Duplicate commit SHA                           Skipped (no re-scan)

Webhook signature verification:

```go
import (
    "crypto/hmac"
    "crypto/sha256"
    "encoding/hex"
)
// Checks GitHub's X-Hub-Signature-256 header against HMAC-SHA256(secret, raw body) in constant time.
func verifyGitHubSignature(payload []byte, signature, secret string) bool {
    mac := hmac.New(sha256.New, []byte(secret))
    mac.Write(payload) // payload must be the raw request body, not re-serialized JSON
    expected := "sha256=" + hex.EncodeToString(mac.Sum(nil))
    return hmac.Equal([]byte(expected), []byte(signature))
}
```