Snyk Webhooks
Visit the Snyk API documentation for Webhooks to get information on consuming, validating, and examples.
Webhooks allow you to be notified of Snyk system events, enabling you to build notifications and react to changes in your projects. The current implementation supports events for recurring scans of open source and container image related projects.
When events are triggered, Snyk sends HTTP POST requests to URLs you have configured for those events, with all the information you need.
Receive instant notifications/alerts in your organization's business communication/collaboration software.
Respond to critical issues before they impact your business. Embrace modern incident management and Snyk to stay ahead of application security. Read more about this use case in the blog "Shifting left security incident management with the Snyk & Opsgenie integration".
Get real-time security alerts aggregated across various sources into a single platform. read more about Snyk's partnership with Rapid7 and how together we help organizations mitigate security risks.
Event messages are delivered with a
Content-Type
of application/json
, with the event payload as JSON in the request body. We also send the following headers:X-Snyk-Event
the name of the event and the version of the payload, such asping/v1
X-Snyk-Transport-ID
a GUID to identify this delivery-
X-Snyk-Timestamp
an ISO 8601 timestamp for when the event occurred, e.g.2020-09-25T15:27:53Z
X-Hub-Signature
the HMAC hex digest of the request body which is used to secure your webhooks and ensure the request did indeed come from SnykUser-Agent
identifies the origin of the request, e.g. Snyk-Webhooks/XXX
Each webhook receives all events.
Webhooks can only be configured for URLs using the HTTPS protocol. HTTP is not allowed.
When creating a webhook, you must provide a secret - this is a string that only you know that we will use to sign our transports to you so that you can ensure they come from Snyk. Your secret should be:
- A random string with high entropy
- Not be used for anything else
- Only known to Snyk and your webhook transport consuming code
All transports sent to your webhooks will have a
X-Hub-Signature
header, which contains the hash signature for the transport. The signature is a HMAC hexdigest of the request body, generated using sha256 and your secret as the HMAC key.X-Hub-Signature
always starts with sha256=