Skip to main content
BugViper exposes a single webhook endpoint that receives all GitHub events and routes them based on the X-GitHub-Event header value. You configure this URL once as your GitHub App’s webhook URL, and GitHub calls it automatically for every relevant event. You do not call this endpoint directly in your application code. Authentication for this endpoint uses HMAC-SHA256 signature verification via the X-Hub-Signature-256 header — not Firebase tokens.

POST /api/v1/webhook/onComment

Routes incoming GitHub webhook payloads to the appropriate handler based on the event type.
X-GitHub-Event
string
required
GitHub event name. Handled values: push, pull_request, issue_comment. All other values return {"status": "ignored"}.
X-Hub-Signature-256
string
required
HMAC-SHA256 signature of the raw request body, prefixed with sha256=. GitHub computes this using your webhook secret. BugViper verifies it before processing.

Event: push

Triggered when commits are pushed directly to any branch. BugViper ingests the changed files into the graph. BugViper ignores the push if:
  • The pushed after SHA is all zeros (branch deletion).
  • The pushed before SHA is all zeros (new branch creation — use the full ingestion endpoint instead).
  • The pushed branch has an open pull request. In that case, the PR review flow owns those changes to prevent graph corruption from unmerged intermediate states.
Response when processing: 
{
  "status": "processing",
  "job_id": "inc-push-3f8a1b2c4d5e",
  "repo": "acme-corp/my-api",
  "ref": "refs/heads/main",
  "commits": "a1b2c3d..e4f5g6h"
}
Response when ignored: 
{
  "status": "ignored",
  "reason": "branch 'feature/auth' has an open PR — ingestion skipped"
}

Event: pull_request

Triggered when a pull request is closed. BugViper only acts when the PR was also merged (action: closed + merged: true). When a PR is merged, BugViper updates the knowledge graph with the changes from the merged branch. BugViper ignores the event if:
  • The action is anything other than "closed".
  • The pull request was closed without merging (merged: false).
Response when processing: 
{
  "status": "processing",
  "job_id": "inc-pr-7a9b2c1d3e4f",
  "pr": "acme-corp/my-api#42",
  "action": "graph_update"
}

Event: issue_comment

Triggered when a comment is created on any issue or pull request. BugViper only acts on comments that are:
  1. Made on a pull request (not a regular issue).
  2. Made by a human user (not a bot).
  3. Containing an @bugviper mention with a recognized command.
Recognized commands:
CommandBehavior
@bugviper reviewIncremental review — analyzes only the new changes in the PR.
@bugviper full reviewComplete review — analyzes all files touched by the PR.
If @bugviper is mentioned but the command is not recognized, BugViper posts a help comment on the PR explaining the available commands. BugViper ignores the event if:
  • The action is not "created".
  • The comment was posted by a bot account (type is "Bot" or login contains [bot]).
  • The comment is on an issue, not a pull request.
  • The repository has not been indexed yet (BugViper posts an error comment instead).
  • A review is already running for the same PR.
Response when a review is triggered: 
{
  "status": "processing",
  "pr": "acme-corp/my-api#42",
  "action": "review"
}
This endpoint is called by GitHub automatically — you do not call it directly. Configure it as your GitHub App’s webhook URL in the GitHub App settings under Webhook URL. Set the webhook secret to match the GITHUB_WEBHOOK_SECRET environment variable on your BugViper server.