Skip to main content
Webhooks let Gecko react to activity in your repositories, running a PR scan when a pull or merge request opens, and tracking pushes. Gecko generates the webhook URL and secret when you connect a provider; you add them in your provider’s settings.

Endpoints, events, and verification

ProviderWebhook URLEventsVerification
GitHub.comhttps://app.gecko.security/api/github/webhookpull_request, issue_comment, pushX-Hub-Signature-256 (HMAC-SHA256)
GitHub Enterprisehttps://app.gecko.security/api/github-enterprise/webhookPull requests, PushesX-Hub-Signature-256 (per-connection secret)
GitLabhttps://app.gecko.security/api/gitlab/webhookMerge request, Push, Note (MR comments), VulnerabilityX-Gitlab-Token (shared secret)
Always use the exact URL and secret shown in Gecko when you connect the provider; secrets are generated per team (GitHub/GitLab) or per connection (GitHub Enterprise).

GitHub & GitHub Enterprise

GitHub signs each delivery with an HMAC-SHA256 signature in the X-Hub-Signature-256 header. Gecko verifies it against the webhook secret and supports multiple secrets at once, so you can rotate without downtime. For GHES, set the content type to application/json.

GitLab

GitLab sends your secret token verbatim in the X-Gitlab-Token header. Gecko compares it against the per-team secret generated at connection time.
Enable Vulnerability events in GitLab if you want findings to flow into GitLab’s Security Dashboard via vulnerability export.

Network direction

Webhooks are outbound from your instance to Gecko at app.gecko.security. This is the opposite direction from cloning and API calls. Your network must be able to reach app.gecko.security on HTTPS, but webhooks don’t require you to allowlist Gecko’s IP addresses; those are for the outbound paths.

Troubleshooting

The secret doesn’t match. Re-copy the secret from Gecko into the provider’s secret field.
Confirm the right events are enabled (pull/merge request and push) and that the webhook delivery log in your provider shows 2xx responses.