Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.corgea.app/llms.txt

Use this file to discover all available pages before exploring further.

What are Webhooks?

Webhooks are automated HTTP callbacks that allow Corgea to send real-time notifications to your external systems when specific events occur. Instead of continuously polling our API to check for updates, webhooks push event data directly to your specified endpoint the moment something happens.

Key Benefits

  • Real-time notifications - Receive instant updates when security issues are found, status changes occur, or scans complete
  • Automation - Trigger workflows in external tools like Slack, Zapier, or custom applications
  • Efficiency - No need to poll APIs - we push data to you when events happen
  • Flexibility - Subscribe only to the events you care about and filter by project, status, or scheduled scan
  • Reliability - Built-in retry logic and delivery tracking ensure your notifications get through

Supported Event Types

Corgea supports webhooks for the following events: Issue Events:
  • issue.status_changed - Triggered when an issue’s status is updated (e.g., open → fixed)
  • issue.assigned - Triggered when an issue is assigned to a team member
SLA Events:
  • sla.violation - Triggered when the daily SLA job finds one or more SAST or SCA issues past their remediation or escalation deadline (configured per SLA in SLA Management)
Scan Events:
  • scan.started - Triggered when a security scan begins
  • scan.completed - Triggered when a scan finishes successfully
  • scan.failed - Triggered when a scan encounters an error
  • scheduled_scan.daily_report - Triggered daily when scheduled scan runs complete, summarizing new issues found across all runs in the last 24 hours. See Notifications for the email and payload schema.
User Auth Events:
  • user.login - Triggered when a user successfully logs in
  • user.login_failed - Triggered when a user login attempt fails

How Webhooks Work

The Webhook Lifecycle

1

Event Occurs

Something happens in Corgea (e.g., a scan completes, an issue status changes)
2

Webhook Triggered

The system identifies all webhooks subscribed to that event type
3

Filtering Applied

Project, status, and scheduled scan filters determine if the webhook should fire
4

Payload Built

By default, a standardized JSON payload is constructed with event details (or your custom body template is used, if configured)
5

HTTP POST Request

The payload is sent to your webhook URL with security headers
6

Retry Logic

If the request fails, automatic retries occur with exponential backoff
7

Delivery Logged

All attempts are tracked in the delivery history for troubleshooting

Payload Structure

By default, webhook payloads follow a standardized structure:
webhook-payload.json
{
  "event_id": "550e8400-e29b-41d4-a716-446655440000",
  "event_type": "scan.completed",
  "timestamp": "2025-01-15T14:30:00.000Z",
  "data": {
    "company": "company-uuid",
    "scan_id": "scan-uuid",
    "project": {
      "id": "project-uuid",
      "name": "My Application"
    },
    "summary": {
      "total_issues": 12,
      "issues_with_fixes": 7,
      "issues_without_fixes": 5
    },
    "scheduled_scan_ids": ["scheduled-scan-uuid"]
  }
}
Example sla.violation payload (from SLA Management daily job):
sla-violation-payload.json
{
  "event_id": "550e8400-e29b-41d4-a716-446655440001",
  "event_type": "sla.violation",
  "timestamp": "2025-01-15T14:30:00.000Z",
  "data": {
    "company": "1",
    "sla": {
      "id": 3,
      "rule_type": "code",
      "urgency": ["CR", "HI"],
      "remediation_days": 7,
      "escalation_days": 3
    },
    "notification_type": "remediation",
    "issue_kind": "SAST",
    "issue_count": 5,
    "summary_message": "Plain-text summary (same style as email body)...",
    "projects": [
      {
        "id": "project-uuid",
        "name": "My Application",
        "url": "https://app.corgea.com/project/project-uuid",
        "issue_count": 5,
        "urgency_counts": {
          "Critical": 2,
          "High": 3
        }
      }
    ]
  }
}
FieldDescription
notification_typeremediation or escalation
issue_kindSAST or SCA
sla.rule_typecode (SAST) or sca (dependency)
projectsOne entry per affected project; used for webhook project filters
Subscribe to sla.violation under Integrations → Webhooks, or attach a webhook from the SLA Management form (existing webhooks are auto-subscribed). Example scheduled_scan.daily_report payload:
scheduled-scan-daily-report-payload.json
{
  "event_id": "550e8400-e29b-41d4-a716-446655440002",
  "event_type": "scheduled_scan.daily_report",
  "timestamp": "2025-01-15T14:30:00.000Z",
  "data": {
    "title": "Corgea Daily Scan Report",
    "company": "1",
    "company_name": "Acme Security",
    "total_new_issues": 7,
    "message": "Daily scan report for Acme Security: 7 new issues detected across 2 scan runs.",
    "scan_runs": [
      {
        "scheduled_scan_name": "Weekly Production Scan",
        "project": "Payments API",
        "new_issue_count": 4,
        "scan_url": "https://www.corgea.app/scans/scan-uuid"
      }
    ]
  }
}
Company admins can control whether this event sends to webhooks from Settings → Notifications → Company Defaults. If you configure Custom Body during webhook setup, Corgea sends your rendered JSON object instead of the default payload structure.
The scheduled_scan.daily_report event uses the same envelope but has its own data schema. See Payload Examples for the full reference.

Security Features

  • When you provide a secret key, Corgea includes an X-Corgea-Signature header
  • This header contains an HMAC-SHA256 hash of the payload
  • Verify the signature to ensure the webhook came from Corgea
  • Include headers required by your endpoint (e.g., authentication tokens)
  • Configure custom headers during webhook setup
  • All webhook URLs must use HTTPS (ports 443 or 80 only)
  • URLs must not embed credentials in the URL
  • Destinations that resolve to private, loopback, link-local, reserved, or multicast addresses are rejected (SSRF protection)
  • Operators can optionally restrict hosts with the WEBHOOK_ALLOWED_HOSTS setting

Automatic Retry Logic

If webhook delivery fails, Corgea automatically retries with the following strategy:
  • Initial attempt + 2 retries = 3 total attempts
  • Exponential backoff: 2 seconds, 4 seconds between retries
  • Timeout: 10 seconds per request
  • Auto-pause: After 10 consecutive failures, the webhook is automatically paused

Headers Sent with Each Webhook

webhook-headers.txt
Content-Type: application/json
X-Corgea-Event: issue.status_changed
X-Corgea-Delivery: <delivery-uuid>
X-Corgea-Timestamp: <unix-timestamp>
X-Corgea-Signature: <hmac-signature> (if secret configured)
User-Agent: Corgea-Webhooks/1.0

Setting Up a Webhook

Webhooks management interface showing list of configured webhooks

Prerequisites

Admin or integration management permissions in your Corgea account
A webhook endpoint URL that accepts POST requests
HTTPS endpoint (required for security)

Step-by-Step Setup

1

Navigate to Integrations

  • Go to your Corgea dashboard
  • Click on “Integrations” in the navigation menu
  • Select “Webhooks” or “Create New Webhook”
Webhooks management interface showing list of configured webhooks
2

Configure Basic Settings

Create webhook form with configuration options
  • Name: Give your webhook a descriptive name (e.g., “Slack Notifications”, “Production Scan Alerts”)
  • Webhook URL: Enter your HTTPS endpoint URL
  • Type: Select the integration type:
    • Slack - For Slack webhook integrations
    • Zapier - For Zapier zaps
    • Other - For custom integrations
3

Subscribe to Events

  • Check the boxes for events you want to receive (grouped by category in the form):
    • Issue Status Changed
    • Issue Assigned
    • SLA Violation (sla.violation)
    • Scan Started
    • Scan Completed
    • Scan Failed
    • User Login
    • User Login Failed
  • You can select multiple events per webhook
4

Configure Filters (Optional)

Project Filter
  • Leave empty to receive events from all projects
  • Select specific projects to only receive their events
  • Useful for routing different projects to different endpoints
  • For sla.violation, a webhook fires if any project in the payload matches the filter (notifications can include multiple projects)
Status Change Filter (for issue.status_changed events)
  • Leave empty to receive all status changes
  • Select specific statuses (e.g., fixed, false_positive) to only receive those changes
  • Reduces noise by filtering out irrelevant status updates
Scheduled Scan Filter (for scan.* events)
  • Leave disabled to receive events for all scans, including manual and scheduled scans
  • Enable the filter and select one or more scheduled scans to receive scan events only when those scheduled scans run
  • Applies to scan.started, scan.completed, and scan.failed events
5

Add Security (Optional but Recommended)

Secret Key
  • Enter a random, secure string (minimum 32 characters recommended)
  • Corgea will include an HMAC signature in the X-Corgea-Signature header
  • Use this to verify webhook authenticity on your end
Custom HeadersAdd headers required by your webhook destination. Each service has different requirements:
Required Header:
X-Automation-Webhook-Token: <your-jira-webhook-secret>
How to get your token:
  1. In Jira, create an automation rule with an “Incoming webhook” trigger
  2. Copy the secret token provided by Jira
  3. Add it as the header value in Corgea
Jira Webhook Documentation
No custom headers needed - Slack webhook URLs include authentication in the URL itself.Just paste your Slack webhook URL (format: https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXX)
Slack incoming webhooks do not validate custom headers. Security is provided by keeping the webhook URL secret.
Slack Webhook Documentation
No custom headers needed - Teams webhook URLs include authentication in the URL itself.Just paste your Teams webhook URL (format: https://xxx.webhook.office.com/webhookb2/xxx/IncomingWebhook/xxx)
Teams incoming webhooks do not validate custom headers. Security is provided by keeping the webhook URL secret.
Teams Webhook Documentation
Header:
Authorization: Bearer <your-api-token>
Common for REST APIs that use JWT or OAuth tokens.
Header:
Authorization: Splunk <your-hec-token>
Use this when sending webhook events to a Splunk HTTP Event Collector (HEC) endpoint.
Headers (choose one):
X-API-Key: <your-api-key>
or
Authorization: ApiKey <your-api-key>
Common for simple API key authentication.
No custom headers needed - PagerDuty Events API v2 uses the routing_key in the JSON payload for authentication.Use the PagerDuty Events API endpoint: https://events.pagerduty.com/v2/enqueue
PagerDuty does not validate custom headers. Authentication is handled via the routing_key in the request body.
PagerDuty Webhook Documentation
No custom headers needed - Zapier webhook URLs include authentication in the URL itself.Create a “Webhooks by Zapier” trigger and use the provided URL.
Zapier Catch Hook does not validate custom headers by default. Security is provided by keeping the webhook URL secret. You can add header validation logic within your Zap if needed.
Zapier Webhook Documentation
If your service isn’t listed here, check the service’s webhook or incoming webhook documentation for required headers.
Important: While Corgea will send any custom headers you configure, not all webhook destinations validate them. Services like Slack, Teams, and Zapier rely on secret URLs rather than header validation. Only add custom headers if your destination service actually requires or validates them (like Jira, custom APIs, etc.).
Custom Body
  • Optionally provide a JSON object template for the webhook request body
  • Leave blank to use Corgea’s default payload structure
  • Supported placeholders:
    • {{payload}} (full default payload object)
    • {{time}} (Unix seconds)
    • {{timestamp}} (ISO 8601 timestamp)
    • {{event_type}}
    • {{event_id}}
  • If the rendered template is invalid JSON, delivery fails and the error appears in webhook history
6

Test Your Webhook

  • Click “Test Webhook” to send a sample payload
  • Verify your endpoint receives and processes the test correctly
  • Check the response status and any error messages
7

Save and Activate

  • Click “Create Webhook” or “Save”
  • The webhook is now active and will start receiving events

Verifying Webhook Signatures

If you configured a secret key, verify the signature in your endpoint to ensure authenticity.
verify-signature.py
import hmac
import hashlib

def verify_webhook_signature(payload, signature, secret):
    """Verify Corgea webhook signature"""
    expected_signature = hmac.new(
        secret.encode('utf-8'),
        payload.encode('utf-8'),
        hashlib.sha256
    ).hexdigest()

    return hmac.compare_digest(expected_signature, signature)

# In your webhook handler:
if not verify_webhook_signature(request.body, request.headers['X-Corgea-Signature'], SECRET_KEY):
    return HttpResponse(status=403)  # Reject invalid signatures

Use Cases

1. Real-time Slack Notifications

Scenario: Notify your security team in Slack when high-severity issues are found Setup:
  • Create a Slack incoming webhook URL in your Slack workspace
  • In Corgea, create a webhook with:
    • Type: Slack
    • URL: Your Slack webhook URL
    • Events: scan.completed
    • Project Filter: Critical production projects
Result: Your #security channel gets instant notifications when scans complete

2. Automated Ticketing for Critical Issues

Scenario: Automatically create tickets in Jira/Linear when critical issues are detected Setup:
  • Create a Zapier zap or custom endpoint that creates tickets
  • In Corgea, create a webhook with:
    • Events: scan.completed, issue.status_changed
    • Status Filter: Only open status (to avoid duplicate tickets)
    • Project Filter: Production projects
Result: High/critical issues automatically become tickets in your project management tool

3. Risk Acceptance Workflow Integration

Scenario: Automatically document accepted risks in Jira or Linear when security issues are marked as “Accepted Risk” Setup:
  • Create an endpoint or Zapier integration that creates documentation tickets
  • In Corgea, create a webhook with:
    • Events: issue.status_changed
    • Status Filter: Only accepted_risk status
    • Project Filter: All projects or specific high-compliance projects
  • Configure the integration to:
    • Create a ticket documenting the risk acceptance
    • Include issue details (classification, file path, urgency)
    • Tag with “risk-acceptance” label
    • Assign to security lead for review
Result: Every accepted risk is automatically logged in your project management system with full context, creating an audit trail for compliance and risk management reviews

4. Custom Dashboard Integration

Scenario: Display real-time security metrics on your internal dashboard Setup:
  • Build an endpoint that receives webhook data and updates your dashboard
  • In Corgea, create a webhook with:
    • Events: All scan and issue events
    • No filters (receive everything)
Result: Your dashboard shows live security scan results and issue trends

5. Multi-team Routing

Scenario: Route different project notifications to different teams Setup:
  • Create separate webhooks for each team:
    • Backend Team Webhook: Project filter = backend projects, Slack channel #backend-security
    • Frontend Team Webhook: Project filter = frontend projects, Slack channel #frontend-security
    • DevOps Team Webhook: Project filter = infrastructure projects, Slack channel #devops-security
Result: Each team only sees security issues relevant to their projects

6. Compliance Reporting

Scenario: Automatically log all security findings to a compliance system Setup:
  • Create an endpoint that writes to your compliance database
  • In Corgea, create a webhook with:
    • Events: scan.completed
    • All projects
    • Store webhook delivery history for audit trail
Result: Complete audit trail of all security scans for compliance purposes

Troubleshooting

Viewing Webhook Delivery History

1

Navigate to Webhook History

Navigate to IntegrationsWebhooksWebhook delivery history showing recent webhook attempts
2

Access Delivery Log

Click on History or Delivery Log
3

Review Delivery Details

Detailed webhook delivery information including request and responseView all webhook delivery attempts with:
  • Event type and timestamp
  • HTTP status code
  • Request/response details
  • Error messages (if any)
  • Retry attempts

Common Issues and Solutions

Possible Causes:
  • Webhook is paused or inactive
  • Event subscriptions not configured
  • Project, status, or scheduled scan filters excluding events
  • Endpoint not returning 2xx status codes
Solutions:
  1. Check webhook status - ensure it’s active (not paused)
  2. Verify event subscriptions are selected
  3. Review filters - temporarily remove project, status, or scheduled scan filters to test
  4. Check your endpoint logs for incoming requests
  5. Test the webhook using the “Test Webhook” button
Cause: 10 consecutive delivery failuresSolutions:
  1. Check the delivery history for error details
  2. Verify your endpoint URL is correct and accessible
  3. Ensure your endpoint returns 2xx status codes
  4. Check for firewall/security rules blocking Corgea’s requests
  5. Fix the underlying issue, then manually re-activate the webhook
  6. Use “Test Webhook” to verify it’s working before re-enabling
Solutions:
  1. Use Status Filters: For issue.status_changed, filter to only statuses you care about (e.g., only fixed and false_positive)
  2. Use Project Filters: Only subscribe to specific critical projects
  3. Use Scheduled Scan Filters: For scan events, select the scheduled scans that should trigger the webhook
  4. Reduce Event Subscriptions: Unsubscribe from events you don’t need
  5. Implement Rate Limiting: On your endpoint, implement rate limiting or queuing
Possible Causes:
  • Wrong secret key
  • Incorrect signature verification logic
  • Character encoding issues
Solutions:
  1. Verify you’re using the exact secret key from Corgea
  2. Ensure you’re using HMAC-SHA256 algorithm
  3. Use the raw request body (not parsed JSON) for verification
  4. Check for UTF-8 encoding on both sides
  5. Use hmac.compare_digest() (Python) or crypto.timingSafeEqual() (Node.js) for timing-safe comparison
Log both the received signature and your computed signature to compare
Cause: Your endpoint takes longer than 10 seconds to respondSolutions:
  1. Acknowledge Immediately: Return 200 OK immediately, then process asynchronously
  2. Use a Queue: Add webhook payloads to a queue for background processing
  3. Optimize Processing: Speed up your webhook handler logic
  4. Increase Resources: Scale up your endpoint infrastructure
Best Practice Pattern:
webhook-handler.py
@app.route('/webhook', methods=['POST'])
def handle_webhook():
    payload = request.json

    # Immediately acknowledge receipt
    queue.add(process_webhook, payload)

    # Return quickly
    return '', 200

def process_webhook(payload):
    # Do time-consuming work here
    ...
Possible Causes:
  • Multiple webhooks subscribed to same event
  • Retry logic triggering after delayed success
Solutions:
  1. Check for duplicate webhook configurations
  2. Use event_id field for idempotency - store processed event IDs and skip duplicates
  3. Implement idempotency keys in your endpoint
Idempotency Pattern:
idempotency.py
processed_events = set()  # Or use Redis/database

@app.route('/webhook', methods=['POST'])
def handle_webhook():
    event_id = request.json['event_id']

    if event_id in processed_events:
        return '', 200  # Already processed

    # Process event...
    processed_events.add(event_id)
    return '', 200
Solutions:
  1. Check the webhook delivery history for the full payload
  2. Some fields may be null if data doesn’t exist (e.g., unassigned issues)
  3. Implement null checks in your handler code
  4. Reference the event-specific payload structure in the delivery history

Getting Webhook Statistics

View performance metrics for your webhooks:
  1. Navigate to IntegrationsWebhooks
  2. View each webhook’s statistics:
    • Total Deliveries: Total number of webhook calls
    • Successful Deliveries: Calls that returned 2xx
    • Failed Deliveries: Calls that failed or timed out
    • Success Rate: Percentage of successful deliveries
    • Consecutive Failures: Current failure streak
    • Last Triggered: When the webhook last fired

Manual Retry

If a webhook delivery failed, you can manually retry it:
  1. Go to IntegrationsWebhooksHistory
  2. Find the failed delivery
  3. Click Retry
  4. A new delivery attempt will be created and sent immediately

Exporting Delivery History

For compliance or debugging, export webhook delivery history:
  1. Navigate to IntegrationsWebhooksHistory
  2. Apply filters (date range, event type, status, webhook)
  3. Click Export to download CSV
  4. Use the export for:
    • Compliance audits
    • Performance analysis
    • Debugging patterns
    • Issue resolution tracking

Testing Tips

  1. Use webhook.site or RequestBin to inspect payloads
  2. Test with low-volume projects first
  3. Monitor delivery success rate for the first few days
  4. Set up alerting for webhook failures in your own system
  • Webhook URL is correct and accessible
  • Endpoint returns 2xx status code within 10 seconds
  • Firewall allows Corgea’s requests
  • Event subscriptions are selected
  • Filters are configured correctly (or removed for testing)
  • Signature verification works (if using secret)
  • Webhook is active (not paused)

Payload Examples

issue-status-changed.json
{
  "event_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "event_type": "issue.status_changed",
  "timestamp": "2025-01-15T14:30:00.000Z",
  "data": {
    "company": "comp-uuid-1234",
    "issue_id": "issue-uuid-5678",
    "classification": "SQL Injection",
    "urgency": "HI",
    "status": "fixed",
    "previous_status": "open",
    "file_path": "src/controllers/user.py",
    "line_num": 45,
    "project": {
      "id": "proj-uuid-9012",
      "name": "Production API"
    },
    "scan_id": "scan-uuid-3456",
    "url": "https://app.corgea.com/issue/issue-uuid-5678/"
  }
}

FAQ

Yes! Your endpoint will receive an X-Corgea-Event header and event_type field to identify the event.
There’s no hard limit, but we recommend organizing by purpose (e.g., one per team or tool).
Corgea will retry 3 times with exponential backoff. After 10 consecutive failures, the webhook auto-pauses.
Yes! Use the “Test Webhook” button to send a sample payload without waiting for real events.
Yes! Use custom headers to include authentication tokens, or use HMAC signature verification.
Not directly, but you can filter by project. You can also filter on the received payload in your endpoint.
Payloads are sent over HTTPS (TLS), providing encryption in transit. Use HMAC signatures for verification.
Delivery logs are retained for compliance and debugging. Check with your plan for specific retention periods.
Yes! Go to the webhook delivery history and click “Retry” on any failed delivery.
Contact support for the current list of IP addresses to whitelist in your firewall.
Questions or issues? Contact Corgea Support