How CodeDig Integrates with GitHub: From Install to PR Analysis

By CodeDig Team

A walkthrough of how CodeDig works as a GitHub App — from one-click installation to real-time PR analysis, Check Runs, and security scanning with zero configuration.

One-Click Installation

CodeDig installs as a GitHub App directly from the GitHub Marketplace or from the CodeDig dashboard. The process takes under 60 seconds:

  1. Click Install and choose which repositories to connect (all repos or a selected subset).
  2. Authorize the app. CodeDig requests only the permissions it needs: read access to code and pull requests, and write access to checks and PR comments.
  3. That is it. No config files, no CI pipeline changes, no YAML to maintain.

The GitHub App model means CodeDig runs as a first-class integration inside GitHub — not as a third-party webhook bolted on after the fact.

What Happens When a PR Is Opened

The moment a pull request is opened or updated, GitHub sends a webhook event to CodeDig. Here is the flow:

  1. Webhook received — GitHub delivers a pull_request event with the diff metadata.
  2. Signature verification — CodeDig verifies the HMAC-SHA256 webhook signature to ensure the payload is authentic and has not been tampered with.
  3. Analysis triggered — CodeDig fetches the diff, resolves symbols across the changed files, and runs the full analysis pipeline: blast radius calculation, security scanning, test coverage overlay, and architectural drift detection.
  4. Results posted — Within seconds, CodeDig posts a detailed comment on the PR and creates a Check Run with the analysis summary.

The entire pipeline runs in under 30 seconds for most pull requests.

The PR Comment

Every analyzed PR receives a comment from CodeDig that includes:

  • Risk score — A composite score (0-100) based on blast radius, complexity changes, and historical failure patterns. PRs scoring above your configured threshold are flagged as high-risk.
  • Blast radius — The number of downstream consumers (services, APIs, modules) affected by the change, with the top impacted symbols listed.
  • Security findings — Any vulnerabilities detected across 200+ rules covering OWASP Top 10 categories, hardcoded secrets, SQL injection, and PII exposure.
  • Test coverage gaps — Changed or new code paths that lack test coverage, overlaid directly on the diff.
  • Recommendations — Actionable next steps: add tests, notify downstream teams, update documentation, or review specific files.

The comment updates automatically when new commits are pushed to the PR branch.

Check Runs Integration

In addition to PR comments, CodeDig creates a GitHub Check Run for every analysis. This means:

  • The analysis result appears in the Checks tab of the PR, alongside your CI pipeline.
  • You can configure branch protection rules to require a passing CodeDig check before merging.
  • The check summary provides a quick pass/fail signal, while the PR comment provides the full detail.

Check Runs give teams a way to enforce analysis thresholds at the merge gate without changing their existing CI workflow.

Privacy and Security

CodeDig is designed with a security-first architecture:

  • No source code stored — CodeDig analyzes the diff in memory and discards the raw code after analysis. Only the analysis results (scores, findings, metadata) are persisted.
  • Webhook signature verification — Every incoming webhook is verified using HMAC-SHA256 with your app's webhook secret. Unsigned or tampered payloads are rejected.
  • Minimal permissions — The GitHub App requests only the permissions necessary for analysis. It does not request admin access, write access to code, or access to organization settings.
  • End-to-end encryption — All communication between GitHub, CodeDig, and your browser is encrypted in transit.

For more details, see our security overview.
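The signature check described in the PR flow above and in this section is GitHub's standard HMAC-SHA256 webhook scheme: GitHub hashes the raw request body with the app's webhook secret and sends the hex digest in the X-Hub-Signature-256 header as "sha256=<digest>". The receiver below is an added illustration written for this article, not CodeDig's own code; the secret, the sample payload, and the handle_webhook function are constructed for the example, while the X-Hub-Signature-256 and X-GitHub-Event header names are the ones GitHub actually sends.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed example secret. A real receiver loads this from a secret store,
# never from source control, and the same value is configured on the GitHub App.
WEBHOOK_SECRET = b"constructed-example-webhook-secret"

# Constructed pull_request payload, reduced to the fields the handler reads.
SAMPLE_BODY = json.dumps({
    "action": "opened",
    "pull_request": {"number": 42},
    "repository": {"full_name": "example-org/example-repo"},
}).encode()


def sign_payload(secret: bytes, body: bytes) -> str:
    """Return the value GitHub puts in X-Hub-Signature-256 for this body."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """True only if the header is present, well-formed, and matches the raw body.

    The MAC is computed over the exact bytes received, never over re-serialized
    JSON, and compared with hmac.compare_digest to avoid timing side channels.
    """
    if not header_value or not header_value.startswith("sha256="):
        return False
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected, header_value)


def handle_webhook(headers: dict, body: bytes, secret: bytes = WEBHOOK_SECRET) -> dict:
    """Minimal receiver: authenticate first, parse second, act only on PR events."""
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        # Unsigned, malformed, or tampered payloads are rejected before any parsing.
        return {"status": 401, "reason": "invalid signature"}

    event = headers.get("X-GitHub-Event")
    if event != "pull_request":
        # Other events (ping, push, ...) are acknowledged but not analyzed here.
        return {"status": 204, "reason": f"ignored event {event!r}"}

    payload = json.loads(body)
    return {
        "status": 202,
        "action": payload["action"],
        "pr": payload["pull_request"]["number"],
        "repo": payload["repository"]["full_name"],
    }


if __name__ == "__main__":
    headers = {
        "X-Hub-Signature-256": sign_payload(WEBHOOK_SECRET, SAMPLE_BODY),
        "X-GitHub-Event": "pull_request",
    }
    print(handle_webhook(headers, SAMPLE_BODY))
    print(handle_webhook({}, SAMPLE_BODY))
```

Two details matter in practice: the MAC must be computed over the raw bytes exactly as received (a framework that parses and re-encodes the JSON before the check will produce a different digest), and a single byte change anywhere in the body invalidates the signature, which is what the "has not been tampered with" guarantee rests on.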

Supported Languages

CodeDig provides deep, language-aware analysis for six languages:

  • TypeScript — Full type-aware symbol resolution, import/export tracking, and module boundary analysis.
  • Rust — Trait implementations, lifetime analysis, and crate-level dependency tracking.
  • Python — Dynamic import resolution, class hierarchy analysis, and type hint awareness.
  • Java — Package-level analysis, interface implementations, and annotation processing.
  • Go — Module-aware analysis, interface satisfaction checking, and goroutine impact tracking.
  • C# — Namespace resolution, generic type tracking, and assembly-level dependency analysis.

All six languages receive the same depth of analysis from a single GitHub App install. No per-language configuration required.

Get Started

Sign up at codedig.ai and install the GitHub App during onboarding. Open a pull request and see the analysis in action within seconds.