Continuous Monitoring Overview

Introduction

Continuous Monitoring keeps your AI Bills of Materials current by automatically rescanning repositories when code is pushed, and notifying AI Card stakeholders when changes are detected. It has two components that work independently:

  • Webhook-triggered BOM scanning, which is configured on your VCS Integration
  • Stakeholder notifications, which are configured on each AI System and control whether stakeholders receive email notifications about BOM changes

Webhook-triggered BOM scanning

When a webhook is configured on a VCS Integration, Cranium automatically triggers an incremental rescan of a repository whenever code is pushed to it. The BOM for that repository is updated with the results. When a BOM is updated automatically via webhook, an Auto tag appears under the owner of the BOM, indicating the update was triggered by Continuous Monitoring rather than a manual rescan.

Important: Any repository with an existing BOM under a webhook-enabled integration will rescan on every push to that repository. Before configuring a webhook, consider which repositories you want to monitor continuously.

Recommendation: Use a dedicated VCS Integration for Continuous Monitoring

Most customers create a single VCS Integration with access to all their repositories. If you configure a webhook on that integration, every push to any repository with an existing BOM will trigger a rescan. To keep Continuous Monitoring scoped to specific repositories, we recommend creating a dedicated VCS Integration for the repositories you want to monitor, and configuring the webhook only on that integration. Create BOMs for the repositories you want monitored from this dedicated integration.

Prerequisites

  • A VCS Integration must exist in Cranium for the repositories you want to monitor.
  • A BOM must already exist for a repository before webhook-triggered rescanning will work. Webhooks for repositories without a BOM are silently ignored.

Supported Platforms

Webhook-triggered scanning is supported for GitHub, GitHub Enterprise Cloud, GitLab, and GitLab Self-Managed. Azure DevOps, GitHub Enterprise Server, Bitbucket Cloud, and Bitbucket Data Center are not currently supported.

Setting up the Webhook

Navigate to Integrations and find the VCS Integration you want to use for Continuous Monitoring. Open the three-dot menu and select Get Webhook Details. This opens a modal displaying the Webhook URL and Tenant Secret for that integration.

The Tenant Secret is not generated automatically. If the Tenant Secret field is empty when you first open the modal, click Get New Secret to generate one. The secret can be retrieved at any time by reopening the modal, but generating a new secret immediately invalidates the old one. If you rotate the secret, you must update the webhook configuration on your VCS platform (for example, the Secret field of the GitHub webhook) to match; until you do, deliveries signed with the old secret will no longer be accepted. Users without the required permission will not see the Tenant Secret field.

To configure the webhook in GitHub:

  1. Navigate to the Settings page of your GitHub organization
  2. Select Webhooks from the left menu
  3. Click Add Webhook
  4. Copy the Webhook URL and Tenant Secret from the Cranium modal into the Payload URL and Secret fields in GitHub
  5. Set the Content Type to application/json
  6. Configure the webhook to send push events only. Cranium listens for push events and ignores every other event type.

Once configured, Cranium will begin processing push events for any repository in that integration that has an existing BOM.
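The Tenant Secret is what stops anyone who learns the Webhook URL from triggering rescans with forged POSTs: GitHub uses the value in the webhook's Secret field as the key for an HMAC-SHA256 over each delivery body and sends the result in the X-Hub-Signature-256 header. The following is an added example, not Cranium's own receiver code, that illustrates the three gates described above (valid signature, push event only, repository already has a BOM) and why rotating the secret breaks deliveries until GitHub is updated. The secrets, repository names and the REPOS_WITH_BOM set are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample values for this example (not real secrets or repositories).
TENANT_SECRET = b"example-tenant-secret-v1"
ROTATED_SECRET = b"example-tenant-secret-v2"

# Repositories under the dedicated integration that already have a BOM.
# Pushes to any other repository are silently ignored, as the page describes.
REPOS_WITH_BOM = {"example-org/model-serving", "example-org/training-pipeline"}


def sign(secret: bytes, body: bytes) -> str:
    """Compute the value GitHub places in X-Hub-Signature-256 for `body`."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Constant-time check of the HMAC-SHA256 signature GitHub sends."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(secret, body), header_value)


def handle_webhook(secret: bytes, headers: dict, body: bytes) -> str:
    """Decide what a Cranium-style receiver would do with one delivery.

    Returns:
      "rejected"       signature missing or invalid (forged, tampered, or old secret)
      "ignored"        authentic, but not a push or the repository has no BOM
      "rescan:<repo>"  authentic push to a repository with an existing BOM
    """
    # 1. Authenticate the delivery before trusting anything in the payload.
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return "rejected"
    # 2. Only push events trigger a rescan; ping, issues, etc. are dropped.
    if headers.get("X-GitHub-Event") != "push":
        return "ignored"
    # 3. Only repositories that already have a BOM are rescanned.
    payload = json.loads(body)
    repo = payload.get("repository", {}).get("full_name", "")
    if repo not in REPOS_WITH_BOM:
        return "ignored"
    return f"rescan:{repo}"


def make_delivery(secret: bytes, event: str, repo: str, ref: str = "refs/heads/main"):
    """Build a constructed (headers, body) pair shaped like a GitHub delivery."""
    body = json.dumps({"ref": ref, "repository": {"full_name": repo}}).encode()
    headers = {
        "Content-Type": "application/json",
        "X-GitHub-Event": event,
        "X-Hub-Signature-256": sign(secret, body),
    }
    return headers, body


def run_scenarios() -> list:
    """Exercise the gates with constructed deliveries; returns the four outcomes."""
    results = []
    h, b = make_delivery(TENANT_SECRET, "push", "example-org/model-serving")
    results.append(handle_webhook(TENANT_SECRET, h, b))   # rescan
    h, b = make_delivery(TENANT_SECRET, "push", "example-org/docs")
    results.append(handle_webhook(TENANT_SECRET, h, b))   # no BOM -> ignored
    h, b = make_delivery(TENANT_SECRET, "ping", "example-org/model-serving")
    results.append(handle_webhook(TENANT_SECRET, h, b))   # not a push -> ignored
    # Secret rotated in Cranium, but GitHub still signs with the old one.
    h, b = make_delivery(TENANT_SECRET, "push", "example-org/model-serving")
    results.append(handle_webhook(ROTATED_SECRET, h, b))  # rejected
    return results


if __name__ == "__main__":
    for outcome in run_scenarios():
        print(outcome)
```

The last scenario is the operational point behind the rotation warning: after Get New Secret, every delivery GitHub signs with the previous secret fails verification, so rescans stop silently until the GitHub webhook's Secret field is updated. Note that GitLab does not HMAC-sign deliveries; it sends the configured secret verbatim in an X-Gitlab-Token header, so the comparison on that platform is a direct constant-time equality check rather than a digest check.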

Stakeholder Notifications

The Continuous Monitoring toggle controls whether email notifications are sent to AI Card stakeholders when a BOM change is detected on an AI System. When a rescan results in components being added or removed, stakeholders who have received a published AI Card for that AI System are notified by email with a summary of what changed.

When a BOM change is detected, the AI Cards associated with that AI System are marked as out-of-sync. You can update all out-of-sync cards directly from the AI System page by clicking Update all Out-Of-Sync Cards.

For notifications to reach anyone, two conditions must be met:

  1. Stakeholder notifications must be enabled on the AI System
  2. The AI System must have at least one published AI Card with recipients

If stakeholder notifications are enabled but no AI Cards have been published, no notifications will be sent.

The Continuous Monitoring toggle for stakeholder notifications is available in the following locations:

  • My AI Systems list view, in the header of each AI System card
  • Create AI System Wizard, on the Details step
  • AI System Details, Settings tab
  • AI System Details, Published AI Cards tab

How the two components work together

A typical Continuous Monitoring setup looks like this:

  • A dedicated VCS Integration has a webhook configured.
  • BOMs are created from that integration for the repositories you want to monitor.
  • Stakeholder notifications are enabled on the AI Systems those BOMs belong to.
  • When code is pushed, the BOM rescans automatically.
  • If components change and the AI System has published AI Cards, stakeholders are notified.

Neither component requires the other. A BOM can rescan automatically via webhook without stakeholder notifications configured, and stakeholder notifications can be enabled on an AI System without a webhook in place. In that case, notifications will only be triggered by manual rescans that result in BOM changes.
