A multi-tenant SaaS platform that collects GitHub webhook events, normalises them into a canonical schema, and surfaces developer metrics, PR cycle times, ticket coverage, and real-time security compliance — all from a single dashboard.
Connect a GitHub org in minutes. Webhook events flow in automatically — the platform normalises, archives, and computes metrics continuously, with no polling required on your end.
| Repository | PRs merged | Cycle time | Contributors | Ticket coverage |
|---|---|---|---|---|
| git-tracking-platform | 9 | 0.9d | 2 | |
| pr-gate | 6 | 1.2d | 1 | |
| nono | 5 | 2.1d | 3 | |
| pgbrowser | 3 | 0.6d | 1 |
From raw webhook to actionable insight — the platform handles ingestion, normalisation, metrics, and compliance in a single event-driven pipeline.
A GitHub App receives signed webhook events from your org. Each POST is HMAC-SHA256 verified, archived raw to S3, and acknowledged in <20ms — nothing is dropped, even during downstream outages.
Provider-specific payloads are mapped to a single canonical Event schema: kind, actor, repository, and typed JSONB payload. Idempotent writes keyed on delivery ID make replays safe with no duplicate rows.
Commit counts, PR throughput, review activity, and comment frequency aggregated per-actor, per-repo, per-period. Daily, weekly, and monthly rollups are pre-computed and queryable over a REST API.
One row per PR with opened, first-reviewed, and merged timestamps. Jira keys, GitHub issue refs, and Azure DevOps refs are extracted from PR titles and bodies — giving you org-level ticket linkage across every repo at a glance.
On-demand compliance scans across 13 CIS GitHub Benchmark controls, with SOC-2 CC6 and CC8 mappings. Results are stored per-scan so you can track your security posture over time and catch regressions before they're reported.
Security-relevant events — branch protection changes, membership changes, repository visibility flips — trigger immediate live checks via the GitHub API. Violations are raised and auto-resolved as state changes, scoped per GitHub org.
Full user auth with email invite flow, bcrypt passwords, 7-day sliding sessions, and scoped API tokens. Three roles (owner, admin, member) per tenant. Platform admin controls span all tenants, with per-user and per-token audit trails.
The canonical schema and multi-tenant architecture are provider-agnostic from day one. GitLab and Bitbucket support follow the same integration pattern — only webhook auth and payload shapes differ. Both are planned for after the GitHub GA.
The SNS fan-out architecture lets new consumer apps subscribe without touching the ingestion pipeline. Metrics is the first. Alerting, cost attribution, AI-generated PR summaries, and cross-repo dependency graphs can be wired in independently.
Click Connect in the dashboard and install the Zagware GitHub App on your org. GitHub redirects back with an installation ID and the platform links the installation to your tenant automatically.
GitHub sends signed webhook POSTs for every repo event — pushes, PRs, reviews, branch changes, membership updates. The Lambda receiver verifies the HMAC signature, archives the raw payload to S3, and acknowledges in <20ms with no data loss even if downstream is slow.
The ECS-based normaliser polls SQS, fetches each payload from S3, maps it to the canonical schema, and writes raw and canonical rows to Aurora PostgreSQL. Webhooks received before an installation is fully linked are queued and replayed automatically once it activates.
The metrics worker upserts actor stats, PR lifecycle rows, and repo throughput. Security-relevant events trigger live compliance checks in parallel — violations are created or auto-resolved within seconds of the event landing, scoped per connected GitHub org.
The React dashboard gives org-level, repo-level, and per-contributor views with period switching and a security compliance view. Every metric is also available over a REST API with Bearer token auth, accessible from CI, scripts, or any downstream tool.
Serverless at the edge, managed containers in the middle, Aurora at the core. Built for low operational overhead and clear cost scaling.
Webhook receiver runs as an arm64 Lambda — sub-20ms acknowledgement. Normaliser, metrics worker, and API run as long-lived ECS Fargate services, scalable to zero overnight.
Raw-events queue decouples Lambda from the normaliser. Canonical-events SNS topic fans out to all consumer queues. Adding a new app is a new SQS subscription, not a new pipeline.
PostgreSQL 16 · 0.5–4 ACU · scales to zero. Schema managed by goose migrations. Accessed only from private subnets and the SSM bastion; no public DB endpoint.
Vite build, React Router v6 SPA deployed to S3 and served through CloudFront. The same CloudFront distribution proxies /api/* to the ALB — no CORS configuration required.
All AWS infrastructure is managed by Terraform. CI runs Go tests with a live Postgres service container. Deploy workflows are manually triggered; dashboard deploys are automatic on push to main.
Transactional email for team invites and password resets from [email protected]. DKIM configured via Cloudflare. When SES is absent (local dev), invite tokens are returned directly in the API response.
Git Tracking Platform is in active development. Get in touch to discuss early access or a deployment tailored to your team.
Contact us