# Webhooks

# Automation engine

In order to send a webhook request when an automation rule is triggered, add a "trigger webhook" action to the rule and enter the URL for the webhook in the URL field. When the rule is triggered, a POST request will be sent to the given URL with JSON-encoded data about the event.

Trigger webhook

The JSON will contain the following keys:

Key Type Description
repository string The name of the repository which was scanned.
branch string The name of the branch which was scanned.
commit string The name of the commit which was scanned.
commitLink string A link to debricked.com where scan results for this commit are available.
ruleId integer A unique identifier for the rule that was triggered.
ruleLink string A link to debricked.com where the triggered rule can be viewed or edited.
triggeredFor array An array of object where each element describes a combination of a vulnerability and a dependency which caused the rule to trigger.

Each element of triggeredFor will contain the following keys:

Key Type Description
dependency string The name of the dependency which caused the rule to trigger.
dependencyLicenses array An array of licenses affecting the dependency, each encoded as a string using the same name shown in the license view.
dependencyLink string A link to the dependency on debricked.com.
cve object or null Information about the vulnerability which caused the rule to trigger, or null if the rule doesn't have any conditions related to vulnerabilities.
cve.name string The name of the vulnerability which caused the rule to trigger.
cve.link string A link to the vulnerability on debricked.com.
cve.cvss2 number or null CVSS2 score for the vulnerability, or null if not available.
cve.cvss3 number or null CVSS3 score for the vulnerability, or null if not available.

# Sample Request

A sample webhook request can be sent to the specified URL by clicking "send sample request". The triggeredFor array will be populated using up to three vulnerabilities which were found the last time this repository was scanned. Note that these vulnerabilities may not necessarily satisfy the conditions specified in the rule.

# Verification Secret

To ensure that a webhook request was sent by Debricked, a key can specified in the "verification secret" field. When a verification secret is specified, webhook requests made by this rule will include the header X-Debricked-Signature, containing an SHA256-HMAC signature generated using the webhook payload and the verification secret.