Alerts & notifications
HMAC-signed Slack-compatible webhooks, the in-product notification bell, and per-kind email preferences — for security events and engineering signals, designed to never spam.
Repowise alerts on two families of events, through three channels.
Event families:
| Family | Events |
|---|---|
| Security | New CVEs (nightly refresh), live secret detected, scan failed, secret rotation overdue, audit-event stream (SIEM) |
| Engineering | Hotspot drift, bus-factor risk, health decline, decision staleness |
Channels:
- Notification bell — in-product, deduped to one unread per event kind per repo. A second nightly finding folds into the existing unread notification instead of stacking.
- Email — sent only when a new notification is actually raised (so it inherits the same dedupe), with a per-kind opt-out at Settings → Email notifications.
- Webhooks (Teams) — HMAC-signed HTTPS deliveries, configured per repo or per team.
Webhooks
Configure under your repo → Settings → Alerts. Each endpoint picks its events and a payload format:
- Slack format — Block Kit messages that also work with Microsoft Teams and Mattermost inbound webhooks.
- Signed JSON — a stable envelope for your own receivers or SIEM.
Every delivery is signed over the exact raw body:

```
X-Repowise-Event: engineering_hotspot_drift
X-Repowise-Timestamp: 2026-06-12T04:00:00+00:00
X-Repowise-Signature: sha256=HMAC_SHA256(secret, body)
```

The signing secret is shown once at creation. Verify by recomputing the HMAC over the received body; the signed body embeds the same timestamp, so a replayed body with a fresh header is detectable.
Delivery semantics: 3 retries with backoff on 5xx, no retry on 4xx, and an endpoint that fails 10 consecutive deliveries is auto-disabled with the reason surfaced in the UI. A webhook outage never blocks a scan or a cron.
Team-scoped endpoints fire for every repo shared into the team.
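A receiver for the signed deliveries described above, as an added example (not Repowise's own code). It assumes the three headers shown, that `X-Repowise-Signature` carries `sha256=` plus the hex HMAC-SHA256 of the raw body under the endpoint's signing secret, and that the signed JSON body repeats the timestamp under a top-level `timestamp` field; that field name, the `MAX_SKEW` window and the sample payload are all assumptions for illustration. It checks the signature over the raw bytes before parsing anything, then rejects stale deliveries and the replay case the text mentions (old body, fresh header).

```python
"""Receiver-side verification of a Repowise-style signed webhook delivery.

Added example, not Repowise's own code. It assumes the headers shown above
(X-Repowise-Signature carries "sha256=" + hex HMAC-SHA256 of the raw body
under the endpoint's signing secret) and that the signed JSON body carries
the same timestamp under a top-level "timestamp" field. That field name is a
hypothetical placeholder; check the envelope your endpoint actually receives.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Receiver policy (our choice): how far the header timestamp may drift from
# the receiver's clock. Wide enough to cover retries with backoff and skew.
MAX_SKEW = timedelta(minutes=10)


def sign(secret: bytes, body: bytes) -> str:
    """Signature header value for a raw body: sha256=<hex HMAC-SHA256>."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_delivery(secret: bytes, headers: dict, body: bytes,
                    now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Return (accepted, reason).

    Order matters: the HMAC is checked over the exact raw bytes *before* the
    body is parsed, so unauthenticated input never reaches the JSON parser.
    """
    now = now or datetime.now(timezone.utc)
    expected = sign(secret, body)
    presented = headers.get("X-Repowise-Signature", "")
    # Constant-time comparison avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        return False, "bad signature"

    ts_header = headers.get("X-Repowise-Timestamp", "")
    try:
        ts = datetime.fromisoformat(ts_header)
    except ValueError:
        return False, "unparseable timestamp header"
    if ts.tzinfo is None:
        return False, "timestamp header lacks a UTC offset"
    if abs(now - ts) > MAX_SKEW:
        return False, "stale delivery"

    # The body is authentic at this point, so parsing it is safe. A replayed
    # body with a freshly minted header fails here: the signed body still
    # carries the original timestamp.
    payload = json.loads(body)
    if payload.get("timestamp") != ts_header:
        return False, "header/body timestamp mismatch"
    return True, "ok"


# --- constructed sample delivery (not a real Repowise payload) -------------
SECRET = b"example-signing-secret"
ORIGINAL_TS = "2026-06-12T04:00:00+00:00"
ORIGINAL_BODY = json.dumps({
    "event": "engineering_hotspot_drift",
    "timestamp": ORIGINAL_TS,
    "repo": "acme/payments",          # metadata only, as the page describes
    "path": "src/ledger/post.py",
    "delta": 0.31,
}, separators=(",", ":")).encode()
ORIGINAL_HEADERS = {
    "X-Repowise-Event": "engineering_hotspot_drift",
    "X-Repowise-Timestamp": ORIGINAL_TS,
    "X-Repowise-Signature": sign(SECRET, ORIGINAL_BODY),
}
RECEIVED_AT = datetime.fromisoformat(ORIGINAL_TS) + timedelta(seconds=30)


def scenarios() -> dict:
    """Run the genuine delivery and three failure modes; return (ok, reason) per case."""
    # 1. Genuine delivery, shortly after it was sent.
    genuine = verify_delivery(SECRET, ORIGINAL_HEADERS, ORIGINAL_BODY, RECEIVED_AT)
    # 2. Body altered in transit: signature no longer matches the bytes.
    tampered = verify_delivery(SECRET, ORIGINAL_HEADERS,
                               ORIGINAL_BODY.replace(b"0.31", b"0.01"), RECEIVED_AT)
    # 3. Same delivery replayed a day later, headers untouched.
    late = verify_delivery(SECRET, ORIGINAL_HEADERS, ORIGINAL_BODY,
                           RECEIVED_AT + timedelta(days=1))
    # 4. Replay with a fresh timestamp header (the signature over the body is
    #    still valid) while the unchanged body embeds the original timestamp.
    fresh_ts = (RECEIVED_AT + timedelta(days=1)).isoformat()
    replay_headers = dict(ORIGINAL_HEADERS, **{"X-Repowise-Timestamp": fresh_ts})
    replay = verify_delivery(SECRET, replay_headers, ORIGINAL_BODY,
                             RECEIVED_AT + timedelta(days=1))
    return {"genuine": genuine, "tampered": tampered, "late": late, "replay": replay}


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{name:9s} accepted={ok} reason={reason}")
```

Note that real web frameworks expose headers case-insensitively, while this example looks them up by exact name; adapt the lookup to your framework, and keep the signature check on the raw request bytes rather than on a re-serialised JSON object, since any re-encoding changes the bytes and breaks the HMAC.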
Anti-noise rules
Alerting only earns its keep if you don't mute it. The rules, all deliberate:
- Crossings, not levels — engineering signals compare each nightly observation against the previous one and alert only when something crosses a threshold. The first observation of a repo stores a baseline and stays silent.
- One unread per kind per repo — repeat findings fold into the existing unread notification.
- Email rides the notification — no notification, no email. Every kind is individually opt-out, and the weekly digest is opt-in.
- Rotation nudges fire once per secret, not daily.
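The first three rules above, modelled in code as an added example (not Repowise's own implementation): a nightly score is compared only against the previous observation, the first observation stores a silent baseline, a crossing raises one unread per (repo, kind) and later crossings fold into it, and an email goes out only when a new unread is raised and the kind is not opted out. The signal name, the 0..1 scale (higher is worse), the 0.7 threshold and the sample series are assumptions for illustration; a level-based counter is included to show how many nights a naive "alert while above threshold" rule would fire on the same data.

```python
"""Crossing-based alerting with a silent baseline and one-unread-per-kind folding.

Added example modelling the anti-noise rules above; not Repowise's own code.
The signal name, the score scale (0..1, higher is worse), the 0.7 threshold
and the nightly series are made up for illustration.
"""
from typing import Dict, List, Optional, Set, Tuple

Key = Tuple[str, str]  # (repo, event kind)


class AlertEngine:
    def __init__(self, threshold: float, email_opt_out: Optional[Set[str]] = None):
        self.threshold = threshold
        self.email_opt_out = email_opt_out or set()   # kinds the user muted
        self.last: Dict[Key, float] = {}              # previous nightly observation
        self.unread: Dict[Key, dict] = {}             # at most one unread per key
        self.emails_sent = 0

    def observe(self, repo: str, kind: str, value: float) -> str:
        """Feed one nightly observation and report what happened.

        'baseline' - first observation for this key: stored, no alert
        'silent'   - no crossing (still above, or still below, the threshold)
        'raised'   - crossed upward with no unread pending: notify (+ email)
        'folded'   - crossed again while an unread exists: update it, no email
        """
        key = (repo, kind)
        prev = self.last.get(key)
        self.last[key] = value
        if prev is None:
            return "baseline"
        # Crossings, not levels: only the transition relative to last night counts.
        crossed = prev < self.threshold <= value
        if not crossed:
            return "silent"
        if key in self.unread:
            note = self.unread[key]
            note["occurrences"] += 1
            note["latest"] = value
            return "folded"
        self.unread[key] = {"occurrences": 1, "latest": value}
        # Email rides the notification: only a newly raised unread sends one.
        if kind not in self.email_opt_out:
            self.emails_sent += 1
        return "raised"

    def mark_read(self, repo: str, kind: str) -> None:
        """Clearing the unread lets the next crossing raise a fresh notification."""
        self.unread.pop((repo, kind), None)


def level_based_alerts(values: List[float], threshold: float) -> int:
    """Naive rule for comparison: fire every night the score sits at or above threshold."""
    return sum(1 for v in values if v >= threshold)


# Constructed nightly series for one repo/kind (not real data).
NIGHTLY = [0.40, 0.75, 0.80, 0.60, 0.90, 0.95]


def run_demo(email_opt_out: Optional[Set[str]] = None) -> Tuple[List[str], int, int]:
    """Return (per-night outcomes, emails sent, nights a level rule would fire)."""
    eng = AlertEngine(threshold=0.7, email_opt_out=email_opt_out)
    outcomes = [eng.observe("acme/payments", "health_decline", v) for v in NIGHTLY]
    return outcomes, eng.emails_sent, level_based_alerts(NIGHTLY, 0.7)


if __name__ == "__main__":
    outcomes, emails, level_fires = run_demo()
    for night, (v, o) in enumerate(zip(NIGHTLY, outcomes), start=1):
        print(f"night {night}: score={v:.2f} -> {o}")
    print(f"emails sent: {emails}; a level-based rule would have fired {level_fires} times")
```

On the sample series the engine stores a baseline, raises once, stays silent while the score merely remains high, and folds the second crossing into the existing unread, sending a single email; a level-based rule would have fired on four of the six nights.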
Payload privacy
Webhook and email payloads carry metadata only: file paths, owner names, deltas, counts, OSV ids, rule ids. Never code snippets, never secret values or previews.
Security alerting is available on Teams. Engineering signals are detected nightly for Teams repos; see Teams & portfolio intelligence for what each signal watches.