Self-hosting - Digger

Requirements
Key environment variables
Scheduling and notifications
Security

Drift checks are triggered by a separate service, with its own Dockerfile

Requirements

Build/run the drift service (see Dockerfile_drift).
Backend database accessible to the service.
Webhook secret configured and used to protect internal endpoints.

Key environment variables

DIGGER_HOSTNAME: Base URL of your backend, used to call internal endpoints.
DIGGER_WEBHOOK_SECRET: Shared secret to authenticate internal requests.
DIGGER_APP_URL: Base URL for links in notifications.
DIGGER_DRIFT_REPORTER_HOSTNAME: Hostname for the reporter in CI job specs.

Scheduling and notifications

Set the org-level drift_cron_tab for when to scan.
Slack rollups use an org-level webhook URL when configured.
SQL helper snippets for periodic invocation live in drift/scripts/cron/.

Security

Expose internal endpoints only behind your network boundary and verify the webhook secret on requests.

Remediation Troubleshooting

⌘I