Running the server & webhooks
Wiring Atlantis to your VCS.
Atlantis is a single Go binary (or container) that runs as a long-lived server, reachable by your version-control system. Setup has three connections: Atlantis needs a VCS token to read PRs and post comments, the VCS needs a webhook pointing at Atlantis so events reach it, and Atlantis needs cloud credentials to run Terraform. Once those are wired, opening a Terraform PR triggers the flow automatically.
$ atlantis server \--gh-user=atlantis-bot \--gh-token=$GH_TOKEN \--gh-webhook-secret=$WEBHOOK_SECRET \--repo-allowlist=github.com/acme/* \--atlantis-url=https://atlantis.acme.internal
Webhooks and the allowlist
The webhook is how PR events reach Atlantis, and it must be authenticated with a shared secret (--gh-webhook-secret) so Atlantis rejects forged events — without it, anyone who can reach the server could trigger runs. The repo allowlist restricts which repositories Atlantis will act on, so a webhook from an unexpected repo is ignored. These two settings are the front door’s lock; they are security controls, not optional config.
# VCS webhook -> https://atlantis.acme.internal/events# events: Pull request, Push, Issue comment# secret: <WEBHOOK_SECRET> (must match --gh-webhook-secret)# Atlantis verifies the secret on every event and ignores repos outside the allowlist