# Webhook events and payloads Webhooks are delivered with a `Content-Type` of `application/json`, with the event payload as JSON in the request body. We also send the following headers: * `X-Snyk-Event` - the name of the event * `X-Snyk-Transport-ID` - a GUID to identify this delivery * `X-Snyk-Timestamp` - an ISO 8601 timestamp for when the event occurred, for example: `2020-09-25T15:27:53Z` * `X-Hub-Signature` - the HMAC hex digest of the request body, used to secure your webhooks and ensure the request did indeed come from Snyk * `User-Agent` - identifies the origin of the request, for example: `Snyk-Webhooks/XXX` After your server is configured to receive payloads, it listens for any payload sent to the endpoint you configured. For security reasons, you should limit requests to those coming from Snyk. While consuming a webhook event, `X-Snyk-Event` header must be checked, as an end-point may receive multiple event types as described. ## **ping** The ping event happens after a new webhook is created, and can also be manually triggered using the ping webhook API. This is useful to test that your webhook receives data from Snyk correctly. The `ping` event makes the following request: ```shell POST /webhook-handler/snyk123 HTTP/1.1 Host: my.app.com X-Snyk-Event: ping/v0 X-Snyk-Transport-ID: 998fe884-18a0-45db-8ae0-e379eea3bc0a X-Snyk-Timestamp: 2020-09-25T15:27:53Z X-Hub-Signature: sha256=7d38cdd689735b008b3c702edd92eea23791c5f6 User-Agent: Snyk-Webhooks/044aadd Content-Type: application/json { "webhookId": "d3cf26b3-2d77-497b-bce2-23b33cc15362" } ``` ## **project\_snapshot** This event is triggered every time an existing project is tested and a new snapshot is created. It is triggered on every test of a project, whether or not there are new issues. This event is not triggered when a new project is created or imported. Currently supported targets/scan types are Open Source and container. ```sh POST /webhook-handler/snyk123 HTTP/1.1 Host: my.app.com X-Snyk-Event: project_snapshot/v0 X-Snyk-Transport-ID: 998fe884-18a0-45db-8ae0-e379eea3bc0a X-Snyk-Timestamp: 2020-09-25T15:27:53Z X-Hub-Signature: sha256=7d38cdd689735b008b3c702edd92eea23791c5f6 User-Agent: Snyk-Webhooks/044aadd Content-Type: application/json { "project": { ... }, // project object matching API responses "org": { ... }, // organization object matching API responses "group": { ... }, // group object matching API responses "newIssues": [], // array of issues object matching API responses "removedIssues": [], // array of issues object matching API responses } ``` ## **Detailed example of a payload** ### **project** See [Projects (v1)](https://docs.snyk.io/snyk-api/reference/projects-v1) APIs. ```json "project": { "name": "snyk/goof", "id": "af137b96-6966-46c1-826b-2e79ac49bbd9", "created": "2018-10-29T09:50:54.014Z", "origin": "github", "type": "maven", "readOnly": false, "testFrequency": "daily", "totalDependencies": 42, "issueCountsBySeverity": { "low": 13, "medium": 8, "high": 4, "critical": 5 }, "imageId": "sha256:caf27325b298a6730837023a8a342699c8b7b388b8d878966b064a1320043019", "imageTag": "latest", "imageBaseImage": "alpine:3", "imagePlatform": "linux/arm64", "imageCluster": "Production", "hostname": null, "remoteRepoUrl": "https://github.com/snyk/goof.git", "lastTestedDate": "2019-02-05T08:54:07.704Z", "browseUrl": "https://app.snyk.io/org/4a18d42f-0706-4ad0-b127-24078731fbed/project/af137b96-6966-46c1-826b-2e79ac49bbd9", "importingUser": { "id": "e713cf94-bb02-4ea0-89d9-613cce0caed2", "name": "example-user@snyk.io", "username": "exampleUser", "email": "example-user@snyk.io" }, "isMonitored": false, "branch": null, "targetReference": null, "tags": [ { "key": "example-tag-key", "value": "example-tag-value" } ], "attributes": { "criticality": [ "high" ], "environment": [ "backend" ], "lifecycle": [ "development" ] }, "remediation": { "upgrade": {}, "patch": {}, "pin": {} } } ``` ### **org** See [Organizations (v1)](https://docs.snyk.io/snyk-api/reference/organizations-v1) APIs. ```json "org": { "name": "My Org", "id": "a04d9cbd-ae6e-44af-b573-0556b0ad4bd2", "slug": "my-org", "url": "https://api.snyk.io/v1/org/my-org", "created": "2020-11-18T10:39:00.983Z" } ``` ### **group** See [Groups (v1)](https://docs.snyk.io/snyk-api/reference/groups-v1) APIs. ```json "group": { "name": "ACME Inc.", "id": "a060a49f-636e-480f-9e14-38e773b2a97f" } ``` ### **issue** ```json { "id": "npm:ms:20170412", "issueType": "vuln", "pkgName": "ms", "pkgVersions": [ "1.0.0" ], "issueData": { "id": "npm:ms:20170412", "title": "Regular Expression Denial of Service (ReDoS)", "severity": "low", "url": "https://snyk.io/vuln/npm:ms:20170412", "description": "Lorem ipsum", "identifiers": { "CVE": [], "CWE": [ "CWE-400" ], "ALTERNATIVE": [ "SNYK-JS-MS-10509" ] }, "credit": [ "Snyk Security Research Team" ], "exploitMaturity": "no-known-exploit", "semver": { "vulnerable": [ ">=0.7.1 <2.0.0" ] }, "publicationTime": "2017-05-15T06:02:45Z", "disclosureTime": "2017-04-11T21:00:00Z", "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "cvssScore": 3.7, "language": "js", "patches": [ { "id": "patch:npm:ms:20170412:2", "urls": [ "https://snyk-patches.s3.amazonaws.com/npm/ms/20170412/ms_071.patch" ], "version": "=0.7.1", "comments": [], "modificationTime": "2019-12-03T11:40:45.866206Z" } ], "nearestFixedInVersion": "2.0.0" }, "isPatched": false, "isIgnored": false, "fixInfo": { "isUpgradable": false, "isPinnable": false, "isPatchable": true, "nearestFixedInVersion": "2.0.0" }, "priority": { "score": 399, "factors": [ { "name": "isFixable", "description": "Has a fix available" }, { "name": "cvssScore", "description": "CVSS 3.7" } ] } } ```