
Webhooks

CodeStax can send real-time webhook notifications when important SCA events occur, keeping your team informed through the tools they already use.

Supported Channels

  • Slack — Posts formatted messages to a Slack channel via incoming webhook URL.
  • Microsoft Teams — Sends adaptive cards to a Teams channel connector.
  • Discord — Delivers embed messages to a Discord webhook.
  • PagerDuty — Triggers incidents for critical events via the Events API v2.
  • Generic — Sends a JSON POST to any HTTP endpoint you specify.

Configure webhooks under SCA > Settings > Webhooks. You can create multiple webhooks targeting different channels and event types.

Event Triggers

Select which events fire the webhook:

Event                  | Description
Scan Complete          | A full SCA scan has finished
Critical Vulnerability | A new critical-severity vulnerability was detected
KEV Found              | A vulnerability listed in CISA’s Known Exploited Vulnerabilities catalog was found
Policy Violation       | A scan result violates an active policy rule
SLA Breach             | A vulnerability has exceeded its remediation deadline

Each webhook can subscribe to one or more events.

Payload Signing

Every webhook request includes an X-CodeStax-Signature header containing a cryptographic signature of the request body. To verify authenticity:

  1. Retrieve your webhook secret from the webhook configuration page.
  2. Compute the cryptographic signature of the raw request body using your webhook secret.
  3. Compare the result with the value in X-CodeStax-Signature using a constant-time comparison.

Reject any request where the signature does not match.
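The three verification steps above as a worked example in Python. This is added here and is not CodeStax's own code; the page does not state the signature algorithm or header encoding, so it assumes hex-encoded HMAC-SHA256 over the raw request body, and the secret, headers and payload are constructed sample values.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample values; the real secret comes from the webhook configuration page.
SECRET = b"constructed-example-secret"
RAW_BODY = (b'{"event":"critical_vulnerability","timestamp":"2026-03-22T10:30:00Z",'
            b'"repository":"myorg/backend-api","data":{}}')


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """Assumed scheme: hex-encoded HMAC-SHA256 over the raw request bytes."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes, header_value: Optional[str]) -> bool:
    """Steps 2 and 3: recompute over the raw body and compare in constant time.

    Sign the bytes exactly as received; re-serialising a parsed JSON object
    changes whitespace and key order and would invalidate the signature.
    """
    if not header_value:
        return False
    expected = compute_signature(secret, raw_body)
    # compare_digest does not leak the position of the first differing byte.
    return hmac.compare_digest(expected.encode(), header_value.strip().encode())


def handle_webhook(secret: bytes, headers: dict, raw_body: bytes) -> dict:
    """Verify before parsing: an unverified body is untrusted input."""
    if not verify_signature(secret, raw_body, headers.get("X-CodeStax-Signature")):
        return {"accepted": False, "reason": "signature mismatch"}
    payload = json.loads(raw_body)
    if payload.get("test") is True:
        # Send Test deliveries carry "test": true; acknowledge them without acting.
        return {"accepted": True, "reason": "test delivery"}
    return {"accepted": True, "event": payload["event"], "repository": payload["repository"]}


if __name__ == "__main__":
    good = {"X-CodeStax-Signature": compute_signature(SECRET, RAW_BODY)}
    print(handle_webhook(SECRET, good, RAW_BODY))
    # A body altered in transit no longer matches the signature and is rejected.
    print(handle_webhook(SECRET, good, RAW_BODY.replace(b"critical", b"low")))
```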

Webhook Payload Structure

All payloads follow a common envelope:

    {
      "event": "critical_vulnerability",
      "timestamp": "2026-03-22T10:30:00Z",
      "repository": "myorg/backend-api",
      "data": { ... }
    }

The data field varies by event type and contains relevant details such as CVE IDs, severity, package names, and scan identifiers.

Testing Webhooks

After creating a webhook, click Send Test to deliver a sample payload to your endpoint. The test event uses dummy data and is clearly marked with "test": true in the payload.

Delivery History and Logs

The Delivery Log tab shows the last 30 days of webhook deliveries, including:

  • Timestamp and event type
  • HTTP response status code
  • Response time
  • Request and response bodies (expandable)

Failed deliveries are retried with exponential backoff.

Security Recommendations

  • Always validate the X-CodeStax-Signature header before processing payloads.
  • Rotate your webhook secret periodically from the settings page.
  • Use HTTPS endpoints exclusively to protect payloads in transit.
  • Restrict your webhook endpoint to accept requests only from CodeStax IP ranges listed in the platform documentation.