Deployment Webhooks

Wire AegisRunner into your deploy pipeline so a successful deploy automatically triggers a scan and run against the new build. Supported providers: Vercel, Netlify, GitLab, and a generic webhook for everything else.

How it works

1. You configure the deployment webhook URL in your provider's settings (Vercel, Netlify, GitLab).
2. When a deploy completes, the provider POSTs a deployment event to AegisRunner.
3. AegisRunner verifies the signature, extracts the deployed URL, and starts a scan against it.
4. After the scan, tests run automatically against the freshly-discovered pages.
5. You get notifications and (if configured) a PR comment with the result.

Vercel

Setup

1. Open Project → Integrations → Deployment Webhooks in AegisRunner.
2. Click Add Webhook → Vercel.
3. Copy the generated webhook URL and signing secret.
4. In Vercel, go to Project Settings → Git → Deploy Hooks… actually, that's the wrong direction. Use the Vercel Project Webhook in Project Settings → Webhooks instead:
5. Add a webhook with the AegisRunner URL.
6. Subscribe to deployment.succeeded (and optionally deployment.error).
7. Save.

What gets sent

Vercel sends the deploy URL (e.g. https://my-app-git-feat-x.vercel.app), the project, the deployment ID, and the commit SHA. AegisRunner runs a scan against the deploy URL — including preview deploys, so every PR gets tested against its preview environment.

Netlify

Setup

1. Open Project → Integrations → Deployment Webhooks in AegisRunner.
2. Click Add Webhook → Netlify. Copy the URL.
3. In Netlify, go to Site settings → Build & deploy → Deploy notifications.
4. Click Add notification → Outgoing webhook.
5. Event: Deploy succeeded.
6. Paste the AegisRunner URL.
7. Save.

What gets sent

Netlify sends the site URL, the deploy URL (preview or production), and the deploy state. Preview deploys get scanned just like production.

GitLab

Setup

1. Open Project → Integrations → Deployment Webhooks in AegisRunner.
2. Click Add Webhook → GitLab. Copy the URL.
3. In GitLab, go to Project → Settings → Webhooks.
4. Add the URL.
5. Trigger: Deployment events.
6. Save.

What gets sent

GitLab sends the deployment status, environment, deployable URL, and commit SHA. AegisRunner triggers a scan when status is success.

Generic webhook

For anything that isn't Vercel/Netlify/GitLab — Render, Fly.io, your own deploy script — use the generic webhook:

1. Click Add Webhook → Generic.
2. Copy the URL and secret.
3. POST a JSON body to it from your deploy script:

POST <your-aegisrunner-webhook-url>
Content-Type: application/json
X-AegisRunner-Signature: sha256=<hmac>

{
  "deploymentUrl": "https://my-app.fly.dev",
  "commitSha": "abc123",
  "environment": "production",
  "status": "success"
}

Compute the signature as HMAC-SHA256(secret, raw_body).

What the scan does

By default, every successful deploy triggers a Baseline Replay (if you have a baseline) or a Full Site scan (if you don't). The scan respects:

• Your project's environment settings (login script, tokens, cookies, headers).
• Your project's max-pages cap.
• The deploy URL as the base URL for this run.

You can override per-webhook:

• Run mode — scan only, scan + run, or run only (against the existing baseline).
• Browsers — which browsers to test on.
• Visual regression — toggle on or off for these auto-runs.
• Notifications — same as your project notifications, or a different routing.

Preview deploys

Preview deploys get unique URLs (https://pr-123.preview.example.com) that don't match your project's base URL. AegisRunner detects this and:

• Uses the preview URL as the scan's base URL for this run.
• Doesn't update your project's persistent baseline (preview-specific scans are flagged).
• Reports results back to whichever PR opened the preview, if a GitHub repo is configured.

Pairing with PR comments

If your deploy webhook payload includes a commit SHA and you've configured GitHub PR comments under CI/CD Integration, the run results land as a sticky comment on the matching PR. Closes the loop: deploy → scan → run → PR feedback, automatically.

Verifying signatures

Every incoming webhook (Vercel, Netlify, GitLab, generic) is verified before AegisRunner acts on it:

• Vercel — signature header, verified against the Vercel-supplied secret.
• Netlify — signature header.
• GitLab — secret token header.
• Generic — HMAC-SHA256 you compute.

Unsigned or invalid requests are dropped with a 401, no scan triggered. Look in the integration settings page for delivery logs.

Plan availability

Plan	Deployment webhooks
Free	—
Starter	1 webhook per project
Pro	3 webhooks per project
Business / Enterprise	Unlimited

Delivery logs

Every received webhook (success or failure) appears in Integrations → Deployment Webhooks → Delivery Log with the timestamp, source, payload, and triggered run. 30-day retention; longer on Business+.

Common questions

Can a single deploy trigger multiple AegisRunner runs?

Yes — configure multiple webhooks on the AegisRunner side, each running different browsers or scenarios. Or run all browsers from one webhook by checking multiple browsers in the run config.

The webhook fired but no scan ran.

Check Delivery Log. Common causes: signature mismatch, deploy status wasn't success, or you're at your monthly scan cap.

Can I delay the scan to give the deploy time to settle?

By default, AegisRunner waits 30 seconds after receiving the webhook before starting the scan to avoid hitting cold starts. Override under webhook settings if you need longer.

Related

• CI/CD Integration — same idea, but driven by your CI rather than your deploy.
• Baseline Replays — the recommended scan mode for auto-triggered runs.
• Notifications & Alerts — where the results go.