Forge's inbound webhooks let external systems trigger runs automatically. This guide connects a GitHub repository so that every new pull request automatically starts a DevSecOps Review.
Step 1: Enable the webhook on your Forge team
Open your DevSecOps Review team. Click the Tools tab. Find the Inbound Webhook section and toggle it on. Copy the generated webhook URL — it looks like:
https://forge.shanova.se/api/webhooks/whk_abc123xyz
Step 2: Add the webhook in GitHub
- Open your GitHub repository. Go to Settings → Integrations → Webhooks → Add webhook.
- Paste the Forge webhook URL in the Payload URL field.
- Set Content type to
application/json. - Under "Which events would you like to trigger this webhook?", select Let me select individual events and tick Pull requests only.
- Click Add webhook.
Step 3: How the payload maps to a run
When a pull request is opened, GitHub sends a payload like this to Forge:
{
"action": "opened",
"pull_request": {
"title": "feat: add OAuth2 support",
"body": "This PR adds OAuth2 authentication...",
"html_url": "https://github.com/org/repo/pull/142",
"user": { "login": "developer" }
},
"repository": { "full_name": "org/repo" }
}Forge uses pull_request.title as the run title and pull_request.body as the brief. All other fields are stringified and appended to the brief automatically, giving agents full context.
Step 4: Verify it works
Open a test pull request in your repository. Within a few seconds, a new run should appear in your Forge dashboard with the PR title as the run title. If it doesn't, check the GitHub webhook delivery logs under Settings → Integrations → Webhooks → Recent Deliveries.
fire_condition on your Slack action tool: outcome == "completed" AND confidence >= 0.85. This way the PR author only gets notified when the review is high confidence, and low-confidence runs get flagged for human review.