Ctadel

Scan IaC from a Pull Request

Once wired, every push and pull request triggers a scan. You see the result as a PR comment and an optional CI status check.

Step 1, generate a webhook URL in Ctadel

  1. Settings, Git, Add repository.
  2. Pick the provider: GitHub / GitLab / Bitbucket.
  3. Paste the repo URL or pick from the list (if you connected a Git org).
  4. Choose:
    • Branches to scan: usually main plus all PR branches.
    • Severity threshold for CI failure: CRITICAL, HIGH, MEDIUM, none (warn only).
    • Comment on PRs: yes / no.
  5. Save. Ctadel generates a unique webhook URL and a secret token. The secret is what lets Ctadel reject deliveries that did not come from your git provider, so paste it only into the provider's webhook configuration and treat it like any other credential.

Step 2, configure the webhook in your git provider

GitHub

  1. Repo, Settings, Webhooks, Add webhook.
  2. Payload URL: paste from Ctadel.
  3. Content type: application/json.
  4. Secret: paste from Ctadel.
  5. Events: Pushes, Pull requests.
  6. Add webhook.

GitLab

  1. Repo, Settings, Webhooks, Add new webhook.
  2. URL: paste from Ctadel.
  3. Secret token: paste from Ctadel.
  4. Trigger: Push events, Merge request events.
  5. Add webhook.

Bitbucket

  1. Repo, Repository settings, Webhooks, Add webhook.
  2. URL: paste from Ctadel.
  3. Triggers: Push, Pull request.
  4. Save.
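What the secret from Step 1 buys you, shown as an added example that is not Ctadel's own code: the receiving side of the webhook checks that each delivery really came from the provider before it clones anything. GitHub signs the raw body with HMAC-SHA256 and sends the result in X-Hub-Signature-256; GitLab does not sign the body but echoes the configured token in X-Gitlab-Token. The code below verifies both in constant time, then pulls the branch to scan out of the push / pull-request payload. Assumptions: WEBHOOK_SECRET stands in for the token Ctadel generated, headers arrive as a dict with the providers' canonical header names, and the sample payloads are constructed here with made-up values (the field names follow the providers' documented event shapes). Bitbucket is not covered because the Step 2 configuration above has no secret for it.

```python
import hmac
import hashlib
import json

# Assumption: placeholder for the secret token Ctadel generated in Step 1.
WEBHOOK_SECRET = "ctadel-example-secret"


def github_signature(secret: str, body: bytes) -> str:
    """GitHub HMAC-SHA256s the raw request body with the webhook secret
    and sends it as 'sha256=<hex>' in the X-Hub-Signature-256 header."""
    mac = hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    return "sha256=" + mac


def verify_github(secret: str, body: bytes, headers: dict) -> bool:
    """Reject the delivery unless the signature matches the body we received.
    compare_digest keeps the comparison constant-time."""
    provided = headers.get("X-Hub-Signature-256", "")
    expected = github_signature(secret, body)
    return hmac.compare_digest(expected.encode(), provided.encode())


def verify_gitlab(secret: str, headers: dict) -> bool:
    """GitLab echoes the configured secret token verbatim in X-Gitlab-Token."""
    provided = headers.get("X-Gitlab-Token", "")
    return bool(provided) and hmac.compare_digest(secret.encode(), provided.encode())


def branch_from_payload(provider: str, event: str, payload: dict):
    """Which branch to clone and scan (Step 3). Only the push and PR/MR
    event shapes enabled in Step 2 are handled; anything else yields None."""
    if provider == "github":
        if event == "push":
            return payload["ref"].removeprefix("refs/heads/")
        if event == "pull_request":
            return payload["pull_request"]["head"]["ref"]
    if provider == "gitlab":
        if event == "Push Hook":
            return payload["ref"].removeprefix("refs/heads/")
        if event == "Merge Request Hook":
            return payload["object_attributes"]["source_branch"]
    return None


def accept_delivery(provider: str, secret: str, body: bytes, headers: dict):
    """Return (accepted, branch). On any failed check the body is never parsed,
    so an unauthenticated sender cannot make the receiver do work."""
    if provider == "github":
        ok, event = verify_github(secret, body, headers), headers.get("X-GitHub-Event", "")
    elif provider == "gitlab":
        ok, event = verify_gitlab(secret, headers), headers.get("X-Gitlab-Event", "")
    else:
        return False, None
    if not ok:
        return False, None
    return True, branch_from_payload(provider, event, json.loads(body))


# Constructed sample deliveries: field names follow the providers' event docs,
# the values are made up for this example.
GH_PUSH = json.dumps({"ref": "refs/heads/main", "after": "0" * 40}).encode()
GH_PUSH_HEADERS = {
    "X-GitHub-Event": "push",
    "X-Hub-Signature-256": github_signature(WEBHOOK_SECRET, GH_PUSH),
}
GL_MR = json.dumps({"object_kind": "merge_request",
                    "object_attributes": {"source_branch": "feature/s3-bucket"}}).encode()
GL_MR_HEADERS = {"X-Gitlab-Event": "Merge Request Hook", "X-Gitlab-Token": WEBHOOK_SECRET}

if __name__ == "__main__":
    print(accept_delivery("github", WEBHOOK_SECRET, GH_PUSH, GH_PUSH_HEADERS))
    # A body altered in transit keeps the old signature and must be rejected.
    print(accept_delivery("github", WEBHOOK_SECRET, GH_PUSH + b" ", GH_PUSH_HEADERS))
    print(accept_delivery("gitlab", WEBHOOK_SECRET, GL_MR, GL_MR_HEADERS))
```

The GitHub check must run over the exact bytes that arrived, before any JSON parsing or re-serialisation, because the HMAC covers the raw body. This is also why the "secret mismatch" pitfall below shows up as every delivery being rejected: the provider's log will record the attempt and the receiver's refusal.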

Step 3, push a test commit

Make a trivial change and push. Ctadel:

  1. Receives the webhook.
  2. Clones the affected branch (read-only, ephemeral).
  3. Walks IaC files (*.tf, *.yaml, Dockerfile, ...).
  4. Runs the IaC rule library.
  5. Posts results.

You should see:

  • A PR comment summarising findings, severity-grouped, with file/line links.
  • A CI status check on the commit (Ctadel: PASS / FAIL).
  • A scan row in IaC, Scans in Ctadel.

Step 4, fail CI on threshold (optional)

If you set the severity threshold to anything other than none, the CI check fails whenever the scan has at least one OPEN finding at or above the threshold. The PR is blocked until those findings are resolved or marked IGNORED. Note that the check only blocks the merge if your branch protection or merge rules require it; a failing status on its own is advisory.

To unblock a specific PR with a known false positive:

  • Mark the finding IGNORED in Ctadel with a reason.
  • The CI check re-runs and passes (the finding is no longer counted as OPEN).
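The gating rule in Steps 3 and 4, shown as an added example that is not Ctadel's own code: only OPEN findings count against the threshold, the threshold is inclusive, and none means warn-only. The summary builder mirrors the severity-grouped PR comment with file/line links. Assumptions: findings are dicts with severity, status, rule, file and line (Ctadel's real field names and comment layout may differ), LOW exists as a level below MEDIUM, and the file links use GitHub's blob URL form; the findings list is constructed.

```python
from collections import defaultdict

# Assumption: LOW exists below the three thresholds named on the page.
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW"]
RANK = {sev: i for i, sev in enumerate(SEVERITY_ORDER)}  # lower index = more severe


def ci_status(findings, threshold):
    """PASS/FAIL for the commit status check. threshold is CRITICAL, HIGH or
    MEDIUM, or None for 'none' (warn only). Only OPEN findings block;
    IGNORED or RESOLVED ones never do."""
    if threshold is None:
        return "PASS"
    floor = RANK[threshold]
    for f in findings:
        if f["status"] == "OPEN" and RANK[f["severity"]] <= floor:
            return "FAIL"
    return "PASS"


def pr_comment(findings, repo_url, sha):
    """Severity-grouped summary with file/line links (layout assumed)."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["severity"]].append(f)
    lines = []
    for sev in SEVERITY_ORDER:
        if sev not in groups:
            continue
        open_count = sum(1 for f in groups[sev] if f["status"] == "OPEN")
        lines.append(f"{sev}: {open_count} open / {len(groups[sev])} total")
        for f in groups[sev]:
            # Assumption: GitHub-style permalink to the scanned commit.
            link = f"{repo_url}/blob/{sha}/{f['file']}#L{f['line']}"
            lines.append(f"  [{f['status']}] {f['rule']} {link}")
    return "\n".join(lines)


def mark_ignored(findings, rule, reason):
    """Return a new findings list with the given rule's findings IGNORED,
    the way Step 4 unblocks a known false positive (reason kept for audit)."""
    return [dict(f, status="IGNORED", ignore_reason=reason) if f["rule"] == rule else f
            for f in findings]


# Constructed sample scan result for one commit.
FINDINGS = [
    {"severity": "HIGH", "status": "OPEN", "rule": "sg-open-ssh",
     "file": "infra/sg.tf", "line": 12},
    {"severity": "MEDIUM", "status": "OPEN", "rule": "s3-no-versioning",
     "file": "infra/bucket.tf", "line": 4},
    {"severity": "CRITICAL", "status": "RESOLVED", "rule": "hardcoded-secret",
     "file": "Dockerfile", "line": 7},
]

if __name__ == "__main__":
    print(ci_status(FINDINGS, "HIGH"))
    print(pr_comment(FINDINGS, "https://github.com/example/repo", "deadbeef"))
    unblocked = mark_ignored(FINDINGS, "sg-open-ssh", "bastion; reviewed by netsec")
    print(ci_status(unblocked, "HIGH"))
```

The MEDIUM finding stays visible in the comment and in the IaC module while a HIGH threshold lets the commit pass, which is the trade-off the threshold setting expresses: it changes what blocks, not what is reported.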

Step 5, drift correlation

Once IaC is scanning, every CSPM/KSPM finding gets a drift_status field. See CSPM module, drift status for what each value means and how to react.

Common pitfalls

  • Webhook doesn't fire. Check the git provider's webhook delivery log; each attempt records the request sent and the response received. Common causes: wrong URL, secret mismatch, or an outbound-request allowlist or firewall on a self-hosted git server that blocks the Ctadel URL.
  • Scan succeeds but no findings. Verify the path globs in Settings, Git match where your IaC actually lives.
  • PR comments spam. If you have many short-lived branches, set "Comment on PRs: no" and rely on the CI status check + the IaC module instead.

What's next