> ## Documentation Index > Fetch the complete documentation index at: https://docs.corgea.app/llms.txt > Use this file to discover all available pages before exploring further. # Webhooks > Automate HTTP callbacks from Corgea to any external system ## What are Webhooks? Webhooks are automated HTTP callbacks that allow Corgea to send real-time notifications to your external systems when specific events occur. Instead of continuously polling our API to check for updates, webhooks push event data directly to your specified endpoint the moment something happens. ### Key Benefits * **Real-time notifications** - Receive instant updates when security issues are found, status changes occur, or scans complete * **Automation** - Trigger workflows in external tools like Slack, Zapier, or custom applications * **Efficiency** - No need to poll APIs - we push data to you when events happen * **Flexibility** - Subscribe only to the events you care about and filter by project or status * **Reliability** - Built-in retry logic and delivery tracking ensure your notifications get through ### Supported Event Types Corgea supports webhooks for the following events: **Issue Events:** * `issue.status_changed` - Triggered when an issue's status is updated (e.g., open → fixed) * `issue.assigned` - Triggered when an issue is assigned to a team member **Scan Events:** * `scan.started` - Triggered when a security scan begins * `scan.completed` - Triggered when a scan finishes successfully * `scan.failed` - Triggered when a scan encounters an error **User Auth Events:** * `user.login` - Triggered when a user successfully logs in * `user.login_failed` - Triggered when a user login attempt fails *** ## How Webhooks Work ### The Webhook Lifecycle Something happens in Corgea (e.g., a scan completes, an issue status changes) The system identifies all webhooks subscribed to that event type Project and status filters determine if the webhook should fire By default, a standardized JSON payload is constructed with event details (or your custom body template is used, if configured) The payload is sent to your webhook URL with security headers If the request fails, automatic retries occur with exponential backoff All attempts are tracked in the delivery history for troubleshooting ### Payload Structure By default, webhook payloads follow a standardized structure: ```json webhook-payload.json theme={null} { "event_id": "550e8400-e29b-41d4-a716-446655440000", "event_type": "scan.completed", "timestamp": "2025-01-15T14:30:00.000Z", "data": { "company": "company-uuid", "scan_id": "scan-uuid", "project": { "id": "project-uuid", "name": "My Application" }, "issues_found": 12, ... } } ``` If you configure **Custom Body** during webhook setup, Corgea sends your rendered JSON object instead of the default payload structure. ### Security Features * When you provide a secret key, Corgea includes an `X-Corgea-Signature` header * This header contains an HMAC-SHA256 hash of the payload * Verify the signature to ensure the webhook came from Corgea * Include headers required by your endpoint (e.g., authentication tokens) * Configure custom headers during webhook setup * All webhook URLs must use HTTPS for secure transmission * Non-HTTPS URLs will be rejected to protect sensitive data ### Automatic Retry Logic If webhook delivery fails, Corgea automatically retries with the following strategy: * **Initial attempt** + **2 retries** = 3 total attempts * **Exponential backoff**: 2 seconds, 4 seconds between retries * **Timeout**: 10 seconds per request * **Auto-pause**: After 10 consecutive failures, the webhook is automatically paused ### Headers Sent with Each Webhook ```text webhook-headers.txt theme={null} Content-Type: application/json X-Corgea-Event: issue.status_changed X-Corgea-Delivery: X-Corgea-Timestamp: X-Corgea-Signature: (if secret configured) User-Agent: Corgea-Webhooks/1.0 ``` *** ## Setting Up a Webhook Webhooks management interface showing list of configured webhooks

Webhooks management interface showing list of configured webhooks

### Prerequisites Admin or integration management permissions in your Corgea account A webhook endpoint URL that accepts POST requests HTTPS endpoint (required for security) ### Step-by-Step Setup * Go to your Corgea dashboard * Click on "Integrations" in the navigation menu * Select "Webhooks" or "Create New Webhook" Webhooks management interface showing list of configured webhooks

Create webhook form with configuration options

* **Name**: Give your webhook a descriptive name (e.g., "Slack Notifications", "Production Scan Alerts") * **Webhook URL**: Enter your HTTPS endpoint URL * **Type**: Select the integration type: * `Slack` - For Slack webhook integrations * `Zapier` - For Zapier zaps * `Other` - For custom integrations * Check the boxes for events you want to receive: * Issue Status Changed * Issue Assigned * Scan Started * Scan Completed * Scan Failed * User Login * User Login Failed * You can select multiple events per webhook **Project Filter** * Leave empty to receive events from all projects * Select specific projects to only receive their events * Useful for routing different projects to different endpoints **Status Change Filter** (for `issue.status_changed` events) * Leave empty to receive all status changes * Select specific statuses (e.g., `fixed`, `false_positive`) to only receive those changes * Reduces noise by filtering out irrelevant status updates **Secret Key** * Enter a random, secure string (minimum 32 characters recommended) * Corgea will include an HMAC signature in the `X-Corgea-Signature` header * Use this to verify webhook authenticity on your end **Custom Headers** Add headers required by your webhook destination. Each service has different requirements: **Required Header:** ```text theme={null} X-Automation-Webhook-Token: ``` **How to get your token:** 1. In Jira, create an automation rule with an "Incoming webhook" trigger 2. Copy the secret token provided by Jira 3. Add it as the header value in Corgea [Jira Webhook Documentation](https://support.atlassian.com/cloud-automation/docs/configure-the-incoming-webhook-trigger-in-atlassian-automation/) **No custom headers needed** - Slack webhook URLs include authentication in the URL itself. Just paste your Slack webhook URL (format: `https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXX`) Slack incoming webhooks do not validate custom headers. Security is provided by keeping the webhook URL secret. [Slack Webhook Documentation](https://api.slack.com/messaging/webhooks) **No custom headers needed** - Teams webhook URLs include authentication in the URL itself. Just paste your Teams webhook URL (format: `https://xxx.webhook.office.com/webhookb2/xxx/IncomingWebhook/xxx`) Teams incoming webhooks do not validate custom headers. Security is provided by keeping the webhook URL secret. [Teams Webhook Documentation](https://learn.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/how-to/add-incoming-webhook) **Header:** ```text theme={null} Authorization: Bearer ``` Common for REST APIs that use JWT or OAuth tokens. **Header:** ```text theme={null} Authorization: Splunk ``` Use this when sending webhook events to a Splunk HTTP Event Collector (HEC) endpoint. **Headers (choose one):** ```text theme={null} X-API-Key: ``` or ```text theme={null} Authorization: ApiKey ``` Common for simple API key authentication. **No custom headers needed** - PagerDuty Events API v2 uses the `routing_key` in the JSON payload for authentication. Use the PagerDuty Events API endpoint: `https://events.pagerduty.com/v2/enqueue` PagerDuty does not validate custom headers. Authentication is handled via the routing\_key in the request body. [PagerDuty Webhook Documentation](https://developer.pagerduty.com/docs/ZG9jOjExMDI5NTgw-events-api-v2-overview) **No custom headers needed** - Zapier webhook URLs include authentication in the URL itself. Create a "Webhooks by Zapier" trigger and use the provided URL. Zapier Catch Hook does not validate custom headers by default. Security is provided by keeping the webhook URL secret. You can add header validation logic within your Zap if needed. [Zapier Webhook Documentation](https://zapier.com/help/create/code-webhooks/trigger-zaps-from-webhooks) If your service isn't listed here, check the service's webhook or incoming webhook documentation for required headers. **Important:** While Corgea will send any custom headers you configure, not all webhook destinations validate them. Services like Slack, Teams, and Zapier rely on secret URLs rather than header validation. Only add custom headers if your destination service actually requires or validates them (like Jira, custom APIs, etc.). **Custom Body** * Optionally provide a JSON object template for the webhook request body * Leave blank to use Corgea's default payload structure * Supported placeholders: * `{{payload}}` (full default payload object) * `{{time}}` (Unix seconds) * `{{timestamp}}` (ISO 8601 timestamp) * `{{event_type}}` * `{{event_id}}` * If the rendered template is invalid JSON, delivery fails and the error appears in webhook history * Click "Test Webhook" to send a sample payload * Verify your endpoint receives and processes the test correctly * Check the response status and any error messages * Click "Create Webhook" or "Save" * The webhook is now active and will start receiving events ### Verifying Webhook Signatures If you configured a secret key, verify the signature in your endpoint to ensure authenticity. ```python verify-signature.py theme={null} import hmac import hashlib def verify_webhook_signature(payload, signature, secret): """Verify Corgea webhook signature""" expected_signature = hmac.new( secret.encode('utf-8'), payload.encode('utf-8'), hashlib.sha256 ).hexdigest() return hmac.compare_digest(expected_signature, signature) # In your webhook handler: if not verify_webhook_signature(request.body, request.headers['X-Corgea-Signature'], SECRET_KEY): return HttpResponse(status=403) # Reject invalid signatures ``` ```javascript verify-signature.js theme={null} const crypto = require('crypto'); function verifyWebhookSignature(payload, signature, secret) { const expectedSignature = crypto .createHmac('sha256', secret) .update(payload) .digest('hex'); return crypto.timingSafeEqual( Buffer.from(expectedSignature), Buffer.from(signature) ); } ``` *** ## Use Cases ### 1. Real-time Slack Notifications **Scenario**: Notify your security team in Slack when high-severity issues are found **Setup**: * Create a Slack incoming webhook URL in your Slack workspace * In Corgea, create a webhook with: * Type: `Slack` * URL: Your Slack webhook URL * Events: `scan.completed` * Project Filter: Critical production projects **Result**: Your #security channel gets instant notifications when scans complete *** ### 2. Automated Ticketing for Critical Issues **Scenario**: Automatically create tickets in Jira/Linear when critical issues are detected **Setup**: * Create a Zapier zap or custom endpoint that creates tickets * In Corgea, create a webhook with: * Events: `scan.completed`, `issue.status_changed` * Status Filter: Only `open` status (to avoid duplicate tickets) * Project Filter: Production projects **Result**: High/critical issues automatically become tickets in your project management tool *** ### 3. Risk Acceptance Workflow Integration **Scenario**: Automatically document accepted risks in Jira or Linear when security issues are marked as "Accepted Risk" **Setup**: * Create an endpoint or Zapier integration that creates documentation tickets * In Corgea, create a webhook with: * Events: `issue.status_changed` * Status Filter: Only `accepted_risk` status * Project Filter: All projects or specific high-compliance projects * Configure the integration to: * Create a ticket documenting the risk acceptance * Include issue details (classification, file path, urgency) * Tag with "risk-acceptance" label * Assign to security lead for review **Result**: Every accepted risk is automatically logged in your project management system with full context, creating an audit trail for compliance and risk management reviews *** ### 4. Custom Dashboard Integration **Scenario**: Display real-time security metrics on your internal dashboard **Setup**: * Build an endpoint that receives webhook data and updates your dashboard * In Corgea, create a webhook with: * Events: All scan and issue events * No filters (receive everything) **Result**: Your dashboard shows live security scan results and issue trends *** ### 5. Multi-team Routing **Scenario**: Route different project notifications to different teams **Setup**: * Create separate webhooks for each team: * **Backend Team Webhook**: Project filter = backend projects, Slack channel #backend-security * **Frontend Team Webhook**: Project filter = frontend projects, Slack channel #frontend-security * **DevOps Team Webhook**: Project filter = infrastructure projects, Slack channel #devops-security **Result**: Each team only sees security issues relevant to their projects *** ### 6. Compliance Reporting **Scenario**: Automatically log all security findings to a compliance system **Setup**: * Create an endpoint that writes to your compliance database * In Corgea, create a webhook with: * Events: `scan.completed` * All projects * Store webhook delivery history for audit trail **Result**: Complete audit trail of all security scans for compliance purposes *** ## Troubleshooting ### Viewing Webhook Delivery History Navigate to **Integrations** → **Webhooks** Webhook delivery history showing recent webhook attempts

Webhook delivery history showing recent webhook attempts

Click on **History** or **Delivery Log** Detailed webhook delivery information including request and response

View all webhook delivery attempts with: * Event type and timestamp * HTTP status code * Request/response details * Error messages (if any) * Retry attempts ### Common Issues and Solutions **Possible Causes:** * Webhook is paused or inactive * Event subscriptions not configured * Project/status filters excluding events * Endpoint not returning 2xx status codes **Solutions:** 1. Check webhook status - ensure it's active (not paused) 2. Verify event subscriptions are selected 3. Review filters - temporarily remove filters to test 4. Check your endpoint logs for incoming requests 5. Test the webhook using the "Test Webhook" button **Cause:** 10 consecutive delivery failures **Solutions:** 1. Check the delivery history for error details 2. Verify your endpoint URL is correct and accessible 3. Ensure your endpoint returns 2xx status codes 4. Check for firewall/security rules blocking Corgea's requests 5. Fix the underlying issue, then **manually re-activate** the webhook 6. Use "Test Webhook" to verify it's working before re-enabling **Solutions:** 1. **Use Status Filters**: For `issue.status_changed`, filter to only statuses you care about (e.g., only `fixed` and `false_positive`) 2. **Use Project Filters**: Only subscribe to specific critical projects 3. **Reduce Event Subscriptions**: Unsubscribe from events you don't need 4. **Implement Rate Limiting**: On your endpoint, implement rate limiting or queuing **Possible Causes:** * Wrong secret key * Incorrect signature verification logic * Character encoding issues **Solutions:** 1. Verify you're using the exact secret key from Corgea 2. Ensure you're using HMAC-SHA256 algorithm 3. Use the raw request body (not parsed JSON) for verification 4. Check for UTF-8 encoding on both sides 5. Use `hmac.compare_digest()` (Python) or `crypto.timingSafeEqual()` (Node.js) for timing-safe comparison Log both the received signature and your computed signature to compare **Cause:** Your endpoint takes longer than 10 seconds to respond **Solutions:** 1. **Acknowledge Immediately**: Return 200 OK immediately, then process asynchronously 2. **Use a Queue**: Add webhook payloads to a queue for background processing 3. **Optimize Processing**: Speed up your webhook handler logic 4. **Increase Resources**: Scale up your endpoint infrastructure **Best Practice Pattern:** ```python webhook-handler.py theme={null} @app.route('/webhook', methods=['POST']) def handle_webhook(): payload = request.json # Immediately acknowledge receipt queue.add(process_webhook, payload) # Return quickly return '', 200 def process_webhook(payload): # Do time-consuming work here ... ``` **Possible Causes:** * Multiple webhooks subscribed to same event * Retry logic triggering after delayed success **Solutions:** 1. Check for duplicate webhook configurations 2. Use `event_id` field for idempotency - store processed event IDs and skip duplicates 3. Implement idempotency keys in your endpoint **Idempotency Pattern:** ```python idempotency.py theme={null} processed_events = set() # Or use Redis/database @app.route('/webhook', methods=['POST']) def handle_webhook(): event_id = request.json['event_id'] if event_id in processed_events: return '', 200 # Already processed # Process event... processed_events.add(event_id) return '', 200 ``` **Solutions:** 1. Check the webhook delivery history for the full payload 2. Some fields may be `null` if data doesn't exist (e.g., unassigned issues) 3. Implement null checks in your handler code 4. Reference the event-specific payload structure in the delivery history ### Getting Webhook Statistics View performance metrics for your webhooks: 1. Navigate to **Integrations** → **Webhooks** 2. View each webhook's statistics: * **Total Deliveries**: Total number of webhook calls * **Successful Deliveries**: Calls that returned 2xx * **Failed Deliveries**: Calls that failed or timed out * **Success Rate**: Percentage of successful deliveries * **Consecutive Failures**: Current failure streak * **Last Triggered**: When the webhook last fired *** ### Manual Retry If a webhook delivery failed, you can manually retry it: 1. Go to **Integrations** → **Webhooks** → **History** 2. Find the failed delivery 3. Click **Retry** 4. A new delivery attempt will be created and sent immediately *** ### Exporting Delivery History For compliance or debugging, export webhook delivery history: 1. Navigate to **Integrations** → **Webhooks** → **History** 2. Apply filters (date range, event type, status, webhook) 3. Click **Export** to download CSV 4. Use the export for: * Compliance audits * Performance analysis * Debugging patterns * Issue resolution tracking *** ### Testing Tips 1. Use [webhook.site](https://webhook.site) or [RequestBin](https://requestbin.com) to inspect payloads 2. Test with low-volume projects first 3. Monitor delivery success rate for the first few days 4. Set up alerting for webhook failures in your own system * Webhook URL is correct and accessible * Endpoint returns 2xx status code within 10 seconds * Firewall allows Corgea's requests * Event subscriptions are selected * Filters are configured correctly (or removed for testing) * Signature verification works (if using secret) * Webhook is active (not paused) *** ## Payload Examples ```json issue-status-changed.json theme={null} { "event_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890", "event_type": "issue.status_changed", "timestamp": "2025-01-15T14:30:00.000Z", "data": { "company": "comp-uuid-1234", "issue_id": "issue-uuid-5678", "classification": "SQL Injection", "urgency": "HI", "status": "fixed", "previous_status": "open", "file_path": "src/controllers/user.py", "line_num": 45, "project": { "id": "proj-uuid-9012", "name": "Production API" }, "scan_id": "scan-uuid-3456", "url": "https://app.corgea.com/issue/issue-uuid-5678/" } } ``` ```json scan-completed.json theme={null} { "event_id": "b2c3d4e5-f6a7-8901-bcde-f12345678901", "event_type": "scan.completed", "timestamp": "2025-01-15T15:45:00.000Z", "data": { "company": "comp-uuid-1234", "scan_id": "scan-uuid-7890", "run_id": "run-12345", "project": { "id": "proj-uuid-9012", "name": "Production API" }, "branch": "main", "engine": "corgea-blast", "scan_type": "full", "issues_found": 8, "processed_at": "2025-01-15T15:45:00.000Z", "created_at": "2025-01-15T15:40:00.000Z" } } ``` ```json issue-assigned.json theme={null} { "event_id": "c3d4e5f6-a7b8-9012-cdef-123456789012", "event_type": "issue.assigned", "timestamp": "2025-01-15T16:00:00.000Z", "data": { "company": "comp-uuid-1234", "issue_id": "issue-uuid-5678", "classification": "Cross-Site Scripting (XSS)", "urgency": "ME", "status": "open", "assigned_to": { "id": "user-uuid-1111", "email": "jane.doe@company.com", "name": "Jane Doe" }, "previously_assigned_to": { "id": "user-uuid-2222", "email": "john.smith@company.com", "name": "John Smith" }, "project": { "id": "proj-uuid-9012", "name": "Production API" }, "url": "https://app.corgea.com/issue/issue-uuid-5678/" } } ``` ```json user-login.json theme={null} { "event_id": "d4e5f6a7-b8c9-0123-def0-123456789012", "event_type": "user.login", "timestamp": "2025-01-15T16:10:00.000Z", "data": { "company": "comp-uuid-1234", "user_id": 123, "username": "jane.doe", "email": "jane.doe@company.com", "first_name": "Jane", "last_name": "Doe", "user_agent": "Mozilla/5.0", "path": "/login/" } } ``` ```json user-login-failed.json theme={null} { "event_id": "e5f6a7b8-c9d0-1234-ef01-234567890123", "event_type": "user.login_failed", "timestamp": "2025-01-15T16:12:00.000Z", "data": { "company": "comp-uuid-1234", "username": "jane.doe", "user_agent": "Mozilla/5.0", "path": "/login/" } } ``` *** ## FAQ Yes! Your endpoint will receive an `X-Corgea-Event` header and `event_type` field to identify the event. There's no hard limit, but we recommend organizing by purpose (e.g., one per team or tool). Corgea will retry 3 times with exponential backoff. After 10 consecutive failures, the webhook auto-pauses. Yes! Use the "Test Webhook" button to send a sample payload without waiting for real events. Yes! Use custom headers to include authentication tokens, or use HMAC signature verification. Not directly, but you can filter by project. You can also filter on the received payload in your endpoint. Payloads are sent over HTTPS (TLS), providing encryption in transit. Use HMAC signatures for verification. Delivery logs are retained for compliance and debugging. Check with your plan for specific retention periods. Yes! Go to the webhook delivery history and click "Retry" on any failed delivery. Contact support for the current list of IP addresses to whitelist in your firewall. *** **Questions or issues?** Contact [Corgea Support](mailto:support@corgea.com)