The GitHub integration captures activity from your repositories: pushes, pull requests, code reviews, and more. This is how Cogniscape answers what changed, who did it, how it was done, and when it happened. This setup needs to be done once per repository you want to observe. If you add new repos later, just repeat the process for each one.Documentation Index
Fetch the complete documentation index at: https://docs.cogniscape.app/llms.txt
Use this file to discover all available pages before exploring further.
Configure the webhook
Open your repository settings
In GitHub, navigate to your repository and go to Settings → Webhooks → Add webhook.
Paste the Payload URL
Use the following URL, replacing
<your-customer-key> with the key from the Customer Portal:Set Content type and Secret
- Content type: select
application/json - Secret: copy the webhook signing secret from the Customer Portal (under Get Started → GitHub Webhook → step 3) and paste it here. Cogniscape uses this value to verify that incoming events are genuinely from GitHub.
Each customer has a unique webhook secret. The portal generates it for you — do not share it across tenants. If you need to rotate the secret, use the Regenerate button in the portal and paste the new value back into GitHub.
Choose which events to send
Select “Send me everything” for the richest insights. This ensures Cogniscape captures all relevant activity as it happens.
Verify the webhook
After saving, GitHub will send aping event. You can check the delivery status under Settings → Webhooks → Recent Deliveries. A 200 response confirms Cogniscape received the event successfully.
The Customer Portal shows a status line under the secret:
- Not verified yet — the secret is generated but no signed event has been received yet.
- Verified on
<date>— Cogniscape received and verified at least one signed webhook event with this secret. Your wiring is correct.
Supported events
Cogniscape processes these GitHub webhook event types:| Event | What it captures |
|---|---|
push | Commits pushed to any branch — who committed, when, and to which branch |
pull_request | PR creation, updates, merges, and closures — the full lifecycle |
pull_request_review | Code review submissions — approvals, change requests, and comments |
pull_request_review_comment | Inline code review comments on specific lines of a diff |
issues | Issue creation, updates, assignments, labeling, and closures |
issue_comment | Comments on issues and pull requests |
deployment_status | Deployment status notifications — success, failure, and pending states |
Events not listed above are received but silently ignored. Selecting “Send me everything” is safe — it won’t create noise in your knowledge graph.
Multiple repositories
Each repository needs its own webhook pointing to the same URL. The customer key in the URL ensures all events are routed to the correct knowledge graph regardless of which repository sends them. The same signing secret works across all your webhooks (repository-level or organization-level) — it is scoped to your customer account, not to an individual webhook.Why the signing secret matters
GitHub signs every webhook payload with an HMAC-SHA256 signature using the secret you configured. Cogniscape verifies this signature before processing any event, ensuring the request is genuinely from GitHub and has not been tampered with. Each customer has their own unique secret. This means:- A leaked secret only affects your tenant — it cannot be used to forge events for other customers.
- You can rotate the secret at any time from the Customer Portal without coordinating across customers.
- Ex-employees or compromised systems can be cut off by rotating, without disrupting other tenants.