> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Monitored repos

> Scan automatically whenever new code lands on a repo's default branch.

Manual scans tell you your posture *when you remember to ask*. **Monitoring**
flips that: mark a repo as monitored and Pipefort scans it automatically every
time code is pushed to its **default branch**, keeping the dashboard, trends,
and [Attacker Mind](/webapp/attacker-mind) current without anyone clicking
"Scan".

## Turning it on

Monitoring is **off by default** for every repo. Toggle it in either place:

* **Repositories page** — the **Monitor** column has a switch per row.
* **Repository detail page** — the **Monitoring** switch in the header, next to
  the Re-scan button.

The toggle takes effect immediately: the next push to the repo's default branch
triggers a scan.

## What a push-triggered scan does

A push scan is identical to pressing **Re-scan** with the `all` ruleset — same
engine, same [rule settings](/webapp/rule-settings) (global toggles and
per-repo overrides are respected), same persistence. Two differences show up in
the UI:

* Scan history rows carry an **auto** badge (⚡) so you can tell push-triggered
  scans from manual ones.
* The scan records the **exact commit SHA** that was pushed (manual scans
  record the branch head at scan time).

## How it works

The Pipefort GitHub App subscribes to **push** webhooks. When GitHub delivers
one:

1. The API verifies the delivery's HMAC signature (`X-Hub-Signature-256`)
   against the deployment's `GITHUB_WEBHOOK_SECRET`. Unsigned or mis-signed
   deliveries are rejected.
2. Pushes to branches other than the default branch, and branch deletions, are
   acknowledged and ignored.
3. Each delivery is recorded by its GitHub delivery ID, so GitHub's automatic
   redeliveries never cause duplicate scans.
4. If several Pipefort users have linked the same installation and monitor the
   repo, **each user gets their own scan** — scan history and findings stay
   per-user, exactly like manual scans.

<Note>
  Scans can take longer than GitHub's \~10-second webhook delivery timeout, so the
  delivery may appear as "timed out" in the GitHub App's **Advanced → Recent
  Deliveries** log even though the scan completed. Check the repo's scan history
  in Pipefort for the actual result.
</Note>

## Limits (v1)

* **Default branch only.** Pushes to other branches are ignored. (Branch lists
  are a planned follow-up.)
* **GitHub only.** GitLab webhook support is a planned follow-up; GitLab repos
  can still be scanned manually.
* **Push events only.** Changing repo settings (branch protection, Actions
  permissions) does not trigger a scan — those changes are picked up by the
  next scan, manual or pushed.

## Self-hosted deployments

Monitoring requires the GitHub App to have webhooks enabled — see
[Create your GitHub App](/webapp/create-github-app): activate the webhook,
point it at `https://<your-deployment>/api/webhooks/github`, subscribe to
**Push**, and set the same secret as `GITHUB_WEBHOOK_SECRET` on the API. Until
the secret is configured the webhook endpoint answers `503` and monitored
repos simply don't auto-scan.
