GitHub Webhook

Receive GitHub webhook events to automatically trigger audits when skills are updated.

POST https://audit-engine.oathe.ai/api/webhook/github

See Webhooks Guide for full setup and configuration.

Setup

Configure a webhook in your GitHub repository settings pointing to https://audit-engine.oathe.ai/api/webhook/github with content type application/json and a secret.

Signature Verification

All webhook payloads must include an x-hub-signature-256 header with a valid HMAC-SHA256 signature. Requests with invalid or missing signatures are rejected with 401.

Supported Events

push: Triggers an audit when SKILL.md is added or modified in the push.
release: Triggers an audit for the repository.

Other event types are acknowledged with 200 but do not trigger an audit.

Response 201

{
  "audit_id": "a1b2c3d4-...",
  "queue_position": 1
}
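
The signature check and event routing described above, sketched as an added example (not Oathe's code) that can be used to test a secret and payload locally. Assumptions: the function names are hypothetical, header keys are lowercased, the x-github-event header and commits[].added / commits[].modified fields come from GitHub's webhook format rather than this page, SKILL.md is matched by file name in any directory, and a push that does not touch SKILL.md is answered with 200.

```python
import hashlib
import hmac
import json
import posixpath


def sign(secret: bytes, body: bytes) -> str:
    """Value GitHub sends in x-hub-signature-256 for this raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def touches_skill_md(payload: dict) -> bool:
    """True if any commit in a push payload adds or modifies a SKILL.md file."""
    for commit in payload.get("commits", []):
        for path in commit.get("added", []) + commit.get("modified", []):
            if posixpath.basename(path) == "SKILL.md":  # assumption: any directory
                return True
    return False


def handle(secret: bytes, headers: dict, body: bytes) -> int:
    """Return the HTTP status for one delivery: 401, 201 or 200."""
    sent = headers.get("x-hub-signature-256")
    # Verify over the raw bytes, before parsing, with a constant-time compare.
    expected = sign(secret, body)
    if not sent or not hmac.compare_digest(sent.encode(), expected.encode()):
        return 401
    event = headers.get("x-github-event", "")
    if event == "release":
        return 201  # audit queued for the repository
    if event == "push" and touches_skill_md(json.loads(body)):
        return 201  # audit queued because SKILL.md changed
    return 200  # acknowledged, no audit (assumed for pushes without SKILL.md)


# Constructed sample delivery (not a real secret or payload).
SECRET = b"example-webhook-secret"
PUSH = json.dumps(
    {"commits": [{"added": [], "modified": ["skills/demo/SKILL.md"], "removed": []}]}
).encode()

if __name__ == "__main__":
    good = {"x-hub-signature-256": sign(SECRET, PUSH), "x-github-event": "push"}
    print(handle(SECRET, good, PUSH))
    print(handle(SECRET, {"x-github-event": "push"}, PUSH))
```

The signature covers the exact bytes received, so re-serializing the JSON before verifying will make a valid delivery fail.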

Commit Status

When configured, Oathe posts a GitHub commit status back to the repository after the audit completes. This appears as a check on the commit in pull requests and the commit history.

Context: oathe/security-audit

SAFE / CAUTION: success. Description: Score: 85/100 (SAFE)
DANGEROUS / MALICIOUS: failure. Description: Score: 35/100 (DANGEROUS)
Audit failed: failure. Description includes the error reason.

Commit statuses are only posted for webhook-triggered audits (not manual submissions). The status links to the full audit report.