CI/CD Integration
Automate security audits on every push or release using GitHub webhooks.
Overview
Oathe can automatically audit your skill on every push or release via GitHub webhooks. When a qualifying event fires, Oathe receives the payload, clones the repo at the relevant commit, and runs a full behavioral audit. The result is posted back as a commit status on GitHub.
Getting Started
Webhook integration requires a shared secret between your GitHub repository and Oathe. To get set up, contact us and we’ll provision your webhook credentials and walk you through configuration.
Once configured, Oathe verifies the X-Hub-Signature-256 header on every incoming webhook. Requests with an invalid or missing signature are rejected.
Commit Status Reporting
After the audit completes, Oathe posts a commit status back to GitHub using the Checks API. The status appears on the commit and in any associated pull request.
| Verdict | GitHub Status | Description |
|---|---|---|
| SAFE | success | No significant security concerns |
| CAUTION | success | Minor findings, generally safe |
| DANGEROUS | failure | Significant behavioral concerns |
| MALICIOUS | error | Strong indicators of malicious intent |
The status links directly to the full audit report on Oathe.
Alternative: Poll-Based CI
If you cannot use webhooks (for example, in a self-hosted runner), you can trigger and poll an audit using curl:
```bash
# Submit the audit
AUDIT_RESPONSE=$(curl -s -X POST https://audit-engine.oathe.ai/api/submit \
  -H "Content-Type: application/json" \
  -d '{"skill_url": "https://github.com/your-org/your-skill"}')
AUDIT_ID=$(echo "$AUDIT_RESPONSE" | jq -r '.audit_id')

# jq prints "null" when the field is absent, so treat that as a failed submission
if [ -z "$AUDIT_ID" ] || [ "$AUDIT_ID" = "null" ]; then
  echo "Audit submission failed: $AUDIT_RESPONSE" >&2
  exit 1
fi

# Poll until complete, giving up after a bounded number of attempts so a
# stalled audit cannot hang the pipeline indefinitely
ATTEMPTS=0
while true; do
  STATUS=$(curl -s "https://audit-engine.oathe.ai/api/audit/$AUDIT_ID" | jq -r '.status')
  if [ "$STATUS" = "complete" ]; then
    break
  fi
  ATTEMPTS=$((ATTEMPTS + 1))
  if [ "$ATTEMPTS" -ge 120 ]; then
    echo "Audit $AUDIT_ID did not complete in time" >&2
    exit 1
  fi
  sleep 5
done

# Fetch the final report
curl -s "https://audit-engine.oathe.ai/api/audit/$AUDIT_ID"
```
You can then parse the `verdict` field of the report and pass or fail your CI pipeline according to the verdict table above.
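The gating step described above, as an added example that is not part of the Oathe documentation. It assumes the final report JSON carries a top-level `verdict` field with one of the values from the table; the fail-closed handling of missing or unrecognized verdicts and the sample reports are this example's own.

```shell
#!/bin/sh
# Added example, not Oathe's own code. Assumes the report JSON returned by
# GET /api/audit/$AUDIT_ID has a top-level "verdict" field with one of the
# values in the table above; failing closed on anything else is this
# example's policy, not Oathe's documented behavior.
set -eu

# Pull the verdict out of the report JSON. Uses jq when available, otherwise a
# sed fallback that only understands the flat "verdict":"VALUE" shape.
extract_verdict() {
  if command -v jq >/dev/null 2>&1; then
    printf '%s' "$1" | jq -r '.verdict // empty'
  else
    printf '%s' "$1" | sed -n 's/.*"verdict"[[:space:]]*:[[:space:]]*"\([A-Z]*\)".*/\1/p'
  fi
}

# Map a verdict to a CI exit status, mirroring the commit-status table:
# SAFE and CAUTION pass, DANGEROUS and MALICIOUS fail. Unknown or missing
# verdicts fail closed so a changed API response cannot silently pass a build.
verdict_exit_code() {
  case "$1" in
    SAFE)      return 0 ;;
    CAUTION)   echo "oathe: CAUTION - minor findings, review the report" >&2; return 0 ;;
    DANGEROUS) echo "oathe: DANGEROUS - significant behavioral concerns" >&2; return 1 ;;
    MALICIOUS) echo "oathe: MALICIOUS - strong indicators of malicious intent" >&2; return 1 ;;
    *)         echo "oathe: unknown verdict '$1', failing closed" >&2; return 2 ;;
  esac
}

# Gate a pipeline on a report: returns 0 to pass, non-zero to fail the job.
gate_on_report() {
  verdict=$(extract_verdict "$1")
  verdict_exit_code "${verdict:-MISSING}"
}

# Constructed sample reports (not real Oathe output) for a quick local run.
SAMPLE_SAFE='{"audit_id":"example-1","status":"complete","verdict":"SAFE"}'
SAMPLE_BAD='{"audit_id":"example-2","status":"complete","verdict":"MALICIOUS"}'

# Typical CI use after the polling loop above:
#   REPORT=$(curl -s "https://audit-engine.oathe.ai/api/audit/$AUDIT_ID")
#   gate_on_report "$REPORT" || exit $?
```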
Tips
- Use the `push` event for feature branch audits. Use `release` for final checks before distribution.
- Combine webhook-triggered audits with a branch protection rule that requires the Oathe status check to pass.
- For monorepos, Oathe uses the repository root by default. Pass a subdirectory in the skill URL if needed (e.g., https://github.com/org/repo/tree/main/packages/my-skill).