Understanding Webhooks

Veracode Software Composition Analysis

A webhook allows Veracode Software Composition Analysis to notify you when certain events occur in your project. When the event is triggered, Veracode sends an HTTP POST request with a payload to your configured URL.

Adding a Webhook to a Project

Navigate to your project in the Veracode Platform. Click the Settings action to open the Project Settings page. Click Notifications in the left navigation, as seen below. Click Actions > Create to enter your payload URL and the events to which you want to subscribe.

Note: The payload URL must be accessible from the internet and accept HTTP HEAD requests.

Events

These events can trigger notifications:

Event Description
Scan When a project has been scanned successfully.
Vulnerability issues discovered in project library after a scan When a Veracode researcher has released a new vulnerability that affects your project
Vulnerability issues changed in project library after a scan When a Veracode researcher has updated a vulnerability that affects your project

Payload

Each event will trigger a particular type of payload with the relevant information. The following are examples of the payloads that you can expect from each event.

  • Event: scan success 
    {
  "event": "SCAN_SUCCESS",
  "organization": {
    "id": 310,
    "name": "Veracode",
    "planType": "ENTERPRISE"
  },
  "workspace": {
    "id": 4788,
    "name": "Webhooks"
  },
  "user": {
    "id": 2910,
    "name": "John Smith"
  },
  "scan": {
    "id": 1099430,
    "commit": "2bedd63b8e3019121c89108bfccb2421b08e28e9",
    "branch": "New_demo_branch",
    "tag": null,
    "reportLink": "<LINK TO REPORT>",
    "vulnIssuesCount": 31,
    "outofDateIssuesCount": 9,
    "licenseIssuesCount": 0
  },
  "project": {
    "id": 20757,
    "name": "example-javascript"
  }
}
  • Event: vulnerability issues discovered
    {
  "event": "VULN_ISSUES_DISCOVERED_AFTER_SCAN",
  "organization": {
    "id": 310,
    "name": "Veracode",
    "planType": "ENTERPRISE"
  },
  "workspace": {
    "id": 4788,
    "name": "Webhooks"
  },
  "user": null,
  "issues": [
    {
      "id": 111967,
      "status": "NEW",
      "issueUrl": "<LINK TO ISSUE>",
      "vuln": {
        "id": 16462,
        "title": “Title of vulnerability",
        "cvssScore": 4.3,
        "cvss3Score": 5.9,
        "cve": null,
        "cveStatus": "NA",
        "stage": "RELEASED",
        "disclosureDate": null,
        "hasExploits": false,
        "vulnerabilityTypes": [],
        "overview": null
      }
    }
  ],
  "project": {
    "id": 20757,
    "name": "example-javascript"
  }
}
  • Event: vulnerability issues changed
    {
  "event": "VULN_ISSUES_CHANGED_AFTER_SCAN",
  "organization": {
    "id": 310,
    "name": "Veracode",
    "planType": "ENTERPRISE"
  },
  "workspace": {
    "id": 4788,
    "name": "Webhooks"
  },
  "user": null,
  "issues": [
    {
      "id": 111967,
      "status": "RESOLVED",
      "issueUrl": “<LINK TO ISSUE>”,
      "vuln": {
        "id": 16462,
        "title": "Title of vulnerability",
        "cvssScore": 7.8,
        "cvss3Score": 5.9,
        "cve": null,
        "cveStatus": "NA",
        "stage": "RELEASED",
        "disclosureDate": null,
        "hasExploits": false,
        "vulnerabilityTypes": [],
        "overview": null
      }
    }
  ],
  "project": {
    "id": 20757,
    "name": "example-javascript"
  }
  }