Integrations
Most teams just install the GitHub App and they're done. If you need something else — a non-GitHub CI, webhooks into your own tools, Slack alerts — it's below.
GitHub (recommended)
Install the Dependency Guardian GitHub App (free account required). Scans run automatically on every pull request and a status check is published. No workflow file, no API key, no YAML. Full walkthrough on the Getting Started page.
To make the check block merges, require it in a branch ruleset — see Blocking → Merge protection.
CLI in CI
If you're not on GitHub, or you want to gate something outside the PR flow (self-hosted runner, GitLab, CircleCI, Jenkins, a release pipeline), run the CLI directly:
npm install -g @westbayberry/dg
export DG_API_KEY="..."
dg scan
Get your API key from Settings → CI keys. A non-zero exit code means a block-tier finding — wire that into your pipeline's pass/fail. The CLI auto-detects CI environments (GitHub Actions, GitLab, CircleCI, Buildkite, Jenkins, others) and switches to non-interactive output.
GitHub Actions YAML (only if you don't want the App)
name: Dependency Guardian
on: [pull_request]
jobs:
  dg-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with: { node-version: 20 }
      - run: npm install -g @westbayberry/dg
      - run: dg scan
        env:
          DG_API_KEY: ${{ secrets.DG_API_KEY }}
Webhooks (Team plan)
Open Dashboard → Integrations, click Add Webhook, enter an HTTPS URL, and pick the events you want.
Events: install.blocked (the CLI install wrapper blocked a high-risk package install) · install.force_override (a developer confirmed the terminal override to bypass a block).
Payload:
{
  "event": "install.blocked",
  "occurred_at": "2026-04-01T12:00:00.000000+00:00",
  "ecosystem": "npm",
  "package": { "name": "ua-pars3r-js", "version": "0.7.40" },
  "score": 85,
  "action": "block",
  "bypassed": false,
  "bypass_reason": null,
  "actor": "alice@a…",
  "project_hash": "f8e7d6c5b4a3",
  "dashboard_url": "https://westbayberry.com/dashboard/audit"
}
A few fields aren't self-evident: action is "block" or "override"; actor is the developer's email, redacted to user@first-letter…; bypass_reason is an optional free-text reason for the override (may be null); dashboard_url is null unless the operator has set a public base URL.
Secret shown once. Your webhook secret is displayed exactly once — when you click Add Webhook or Rotate Secret. We never store it in a form we can show you again. If you lose it, rotate.
Signature verification
Every delivery includes X-DG-Signature: sha256=<hex>, computed as HMAC-SHA256 over the raw body bytes (not the parsed JSON) using your secret as the key. Two helper headers ride along: X-DG-Event (event type) and X-DG-Delivery-Id (unique per delivery).
Example (Node.js / Express):
const crypto = require('crypto');
const express = require('express');
const app = express();

function verifySignature(rawBody, signature, secret) {
  if (!signature) return false;
  const expected = 'sha256=' + crypto
    .createHmac('sha256', secret)
    .update(rawBody)
    .digest('hex');
  const a = Buffer.from(expected);
  const b = Buffer.from(signature);
  if (a.length !== b.length) return false; // timingSafeEqual throws on unequal-length
  return crypto.timingSafeEqual(a, b);
}

// In your Express handler. express.raw() keeps req.body as the raw Buffer,
// which is what the HMAC was computed over; a JSON body parser would break this.
app.post('/webhook', express.raw({ type: 'application/json' }), (req, res) => {
  const sig = req.headers['x-dg-signature']; // Express lowercases header names
  if (!verifySignature(req.body, sig, process.env.DG_WEBHOOK_SECRET)) {
    return res.status(401).send('Invalid signature');
  }
  const event = JSON.parse(req.body.toString('utf8')); // parse only after the signature checks out
  // Handle event...
  res.sendStatus(200);
});
Python:
import hmac, hashlib

def verify_signature(raw_body: bytes, signature: str, secret: str) -> bool:
    if not signature:
        return False
    expected = 'sha256=' + hmac.new(
        secret.encode(), raw_body, hashlib.sha256
    ).hexdigest()
    # Compare as bytes: compare_digest on str raises TypeError if the
    # presented header contains non-ASCII characters, which would turn a
    # malformed request into a 500 instead of a clean rejection.
    return hmac.compare_digest(expected.encode(), signature.encode())
Verify it works
On the webhook row in Dashboard → Integrations, click Test Delivery to send a sample install.blocked event to your endpoint. Recent attempts (status, last error) are listed inline so you can confirm the signature check passes before a real event fires.
Delivery policy: one attempt per event, 10-second timeout. We don't retry failed deliveries — your endpoint should respond 2xx quickly and queue the work for itself. Non-2xx responses and timeouts are recorded under the webhook row.
Slack (Team plan)
From Dashboard → Integrations, click Connect Slack, authorize the bot, and pick a channel. Dependency Guardian posts a summary on every scan with block / warn / pass formatting.
- What the bot does: posts scan summaries to the one channel you selected.
- Slack scopes requested: chat:write, channels:join, incoming-webhook. Nothing else — it can't read messages, list users, or post elsewhere.
- To disconnect: click Disconnect on the same Integrations page.