Skip to main content
VERDiiiCT
DevOps & CI/CDgithubsetupwebhooks

How to Connect GitHub to VERDiiiCT: Step-by-Step Guide

VERDiiiCT Team8 min read

Overview

VERDiiiCT integrates with GitHub through two components: an SCM connection (authenticated with a Personal Access Token) and a webhook (which triggers reviews automatically when pull requests are opened or updated). This guide walks you through both.

The process takes about five minutes:

  1. Create a Personal Access Token in GitHub
  2. Create an SCM connection in VERDiiiCT
  3. Register a webhook for your repository
  4. Configure the webhook in GitHub
  5. Configure the webhook secret for payload verification

Prerequisites

  • A VERDiiiCT account with Owner or Admin role in your organization
  • A GitHub account with admin access to the repository you want to connect
  • Permission to create Personal Access Tokens and webhooks in GitHub

Step 1: Create a Personal Access Token in GitHub

VERDiiiCT uses a PAT to authenticate against the GitHub API — reading pull request diffs, fetching linked issues, and posting review comments.

Using a Fine-Grained Token (Recommended)

Fine-grained tokens let you scope permissions to specific repositories.

  1. Go to SettingsDeveloper settingsPersonal access tokensFine-grained tokens
  2. Click Generate new token
  1. Configure the token:
    • Token name: VERDiiiCT Code Review
    • Expiration: Choose an appropriate period
    • Repository access: Select Only select repositories and pick the repositories you want VERDiiiCT to review
    • Permissions:
      • Pull requests: Read and Write (to read PR metadata and post reviews)
      • Contents: Read (to read file diffs)
      • Issues: Read (to fetch linked issues for review context)
  1. Click Generate token and copy it immediately

Using a Classic Token (Alternative)

If your organization doesn't support fine-grained tokens:

  1. Go to SettingsDeveloper settingsPersonal access tokensTokens (classic)
  2. Click Generate new token
  3. Select scopes:
    • repo (full control of private repositories)
  4. Click Generate token and copy it

Security note: VERDiiiCT encrypts your PAT at rest using AES-256-GCM. The plaintext token is never stored or logged. Fine-grained tokens are recommended because they follow the principle of least privilege.

Step 2: Create an SCM Connection in VERDiiiCT

An SCM connection links your GitHub account to VERDiiiCT.

  1. Log in to VERDiiiCT at app.verdiiict.com
  2. Navigate to Connections in the sidebar
  3. Click Add Connection
  1. Fill in the connection details:
    • Provider: Select GitHub
    • Display Name: A friendly name like My GitHub Account or Org - GitHub
    • Organization URL: Enter https://api.github.com (this is the default for GitHub.com)
    • Personal Access Token: Paste the PAT you created in Step 1
    • Webhook Secret (optional): You can enter a connection-level secret or leave it blank — VERDiiiCT generates a unique secret per webhook registration automatically.
  1. Click Create
  2. Use the Test Connection button to verify VERDiiiCT can authenticate with GitHub using your PAT

Step 3: Register a Webhook in VERDiiiCT

A webhook registration tells VERDiiiCT which repository to watch and generates a unique callback URL along with a secret token.

  1. Open the connection you just created
  2. Navigate to the Webhooks tab
  3. Click Register Webhook

  1. Fill in:

    • Repository ID: The numeric GitHub repository ID (you can find this via the GitHub API at https://api.github.com/repos/{owner}/{repo} — the id field)
    • Repository Name: The repository name, e.g. my-api
    • Events (optional): Defaults to pull_request.created and pull_request.updated. Leave as default.

  2. Click Register

VERDiiiCT returns a Webhook URL and generates a Secret Token — you'll need both in the next step.

The webhook URL follows this format:

https://api.verdiiict.com/api/webhooks/github/{registration-id}

Important: Copy both the Webhook URL and the Secret Token. You will configure these in GitHub in the next step.

Step 4: Configure the Webhook in GitHub

  1. In your GitHub repository, go to SettingsWebhooks
  2. Click Add webhook
  1. Configure the webhook:
    • Payload URL: Paste the Webhook URL from VERDiiiCT (e.g. https://api.verdiiict.com/api/webhooks/github/{registration-id})
    • Content type: Select application/json
    • Secret: Paste the Secret Token from VERDiiiCT (the 64-character hex string)
    • SSL verification: Leave enabled (recommended)
  1. Under Which events would you like to trigger this webhook?, select Let me select individual events
  2. Check Pull requests and uncheck everything else
  1. Ensure Active is checked
  2. Click Add webhook

GitHub will send a ping event to verify the URL is reachable. You should see a green checkmark next to the webhook.

Step 5: How Secret Validation Works for GitHub

GitHub uses HMAC-SHA256 for webhook secret validation — a cryptographically secure method that verifies both the authenticity and integrity of every payload.

The Validation Flow

When GitHub sends a webhook payload, it:

  1. Computes an HMAC-SHA256 hash of the entire request body using your secret token as the key
  2. Sends the hash in the X-Hub-Signature-256 header:
X-Hub-Signature-256: sha256=a]b1c2d3e4f5...

VERDiiiCT validates this by:

  1. Reading the raw request body
  2. Computing its own HMAC-SHA256 hash using the stored secret token
  3. Comparing the computed hash against the value in the X-Hub-Signature-256 header
  4. Using constant-time comparison to prevent timing attacks
// Simplified validation logic
var keyBytes = Encoding.UTF8.GetBytes(secretToken);
var bodyBytes = Encoding.UTF8.GetBytes(requestBody);
 
using var hmac = new HMACSHA256(keyBytes);
var hash = hmac.ComputeHash(bodyBytes);
var expected = "sha256=" + Convert.ToHexString(hash).ToLowerInvariant();
 
// Constant-time comparison prevents timing attacks
CryptographicOperations.FixedTimeEquals(
    Encoding.UTF8.GetBytes(expected),
    Encoding.UTF8.GetBytes(signature));

Why This Matters

  • Authenticity: Proves the payload came from GitHub (only GitHub and VERDiiiCT know the secret)
  • Integrity: Proves the payload wasn't tampered with in transit
  • Timing-attack resistant: The constant-time comparison prevents attackers from inferring the secret by measuring response times

Security best practice: Always configure the webhook secret. GitHub strongly recommends it, and VERDiiiCT generates a cryptographically random 32-byte (64 hex character) token specifically for this purpose.

The Complete Flow

Once everything is configured, here's what happens automatically:

Developer opens or updates a Pull Request on GitHub
        ↓
GitHub fires the webhook (HTTP POST with HMAC signature)
        ↓
VERDiiiCT receives the payload at /api/webhooks/github/{id}
        ↓
VERDiiiCT validates the HMAC-SHA256 signature
        ↓
VERDiiiCT filters for relevant events:
  - "opened" → new PR, triggers review
  - "synchronize" → new commits pushed, triggers review
  - Other actions → ignored
        ↓
VERDiiiCT fetches the PR diffs via GitHub API using the stored PAT
        ↓
AI (Claude or GPT) reviews the code changes
        ↓
VERDiiiCT posts a review with line-level comments and a verdict
(Approved / Needs Work / Rejected) directly on the PR

No manual steps required. Every pull request gets reviewed within minutes.

Troubleshooting

Webhook shows a red X in GitHub

  • Click on the failed delivery to see the response code and body
  • 404: The webhook URL is incorrect or the registration was deleted in VERDiiiCT
  • 401: The secret doesn't match. Copy the exact secret token from VERDiiiCT and paste it into the GitHub webhook's Secret field
  • 503: VERDiiiCT's review queue is full. The payload will need to be redelivered — click Redeliver in GitHub's webhook delivery history

Webhook shows 200 but no review appears on the PR

  • VERDiiiCT only processes opened and synchronize actions on pull request events. Other actions (labeled, assigned, closed, etc.) are accepted but ignored
  • Verify the PAT has the required permissions (Pull requests Read/Write, Contents Read)
  • Check that the PAT hasn't expired

Reviews appear but with missing comments

  • Ensure the PAT has Pull requests Write permission
  • For fine-grained tokens, verify the token has access to the specific repository

"Event ignored" response

This is expected behavior. GitHub sends many pull request event types (labeled, review_requested, closed, etc.). VERDiiiCT only acts on opened (new PR) and synchronize (new commits pushed to an existing PR). All other events return a 200 OK with "Event ignored".

GitHub vs. Azure DevOps: Key Differences

| Aspect | GitHub | Azure DevOps | |--------|--------|-------------| | Secret validation | HMAC-SHA256 (X-Hub-Signature-256 header) | Basic Auth (Authorization header) | | Events | opened, synchronize | git.pullrequest.created | | PAT type | Fine-grained (recommended) or classic | Scoped PAT | | Webhook config location | Repository Settings → Webhooks | Project Settings → Service hooks | | Review posting | Pull request review API | PR comments + status API |

What's Next

Share

Try VERDiiiCT Free

Automate your code reviews with AI. Set up in under 5 minutes — no credit card required.

Get Started Free

Related Posts

H
DevOps & CI/CD

How to Connect Bitbucket to VERDiiiCT: Step-by-Step Guide

Learn how to connect your Bitbucket Cloud repositories to VERDiiiCT for automated AI-powered code reviews on every pull request.

9 min read
H
DevOps & CI/CD

How to Connect Gitea to VERDiiiCT: Step-by-Step Guide

Learn how to connect your self-hosted Gitea instance to VERDiiiCT for automated AI-powered code reviews on every pull request.

8 min read
H
DevOps & CI/CD

How to Connect GitLab to VERDiiiCT: Step-by-Step Guide

Learn how to connect your GitLab repositories to VERDiiiCT for automated AI-powered code reviews on every merge request.

9 min read
PreviousWhy Automated Code Reviews Matter for Engineering TeamsNextHow to Connect Azure DevOps to VERDiiiCT: Step-by-Step Guide