Understanding Webhooks

Veracode Software Composition Analysis

A webhook allows Veracode Software Composition Analysis to notify you when certain events occur in your project. When the event is triggered, Veracode sends an HTTP POST request with a payload to your configured URL.

Adding a Webhook to a Project

Navigate to your project in the Veracode Platform. Click the Settings action to open the Project Settings page. Click Notifications in the left navigation. Click Actions > Create to enter your payload URL and the events to which you want to subscribe.

Note: The payload URL must be accessible from the internet and accept HTTP HEAD requests.

Events

These events can trigger notifications:

Event | Description
Scan | When a project has been scanned successfully.
Vulnerability issues discovered in project library after a scan | When a Veracode researcher has released a new vulnerability that affects your project.
Vulnerability issues changed in project library after a scan | When a Veracode researcher has updated a vulnerability that affects your project.

Payload

Each event will trigger a particular type of payload with the relevant information. The following are examples of the payloads that you can expect from each event.

  • Event: scan success
    {
      "event": "SCAN_SUCCESS",
      "organization": {
        "id": 310,
        "name": "Veracode",
        "planType": "ENTERPRISE"
      },
      "workspace": {
        "id": 4788,
        "name": "Webhooks"
      },
      "user": {
        "id": 2910,
        "name": "John Smith"
      },
      "scan": {
        "id": 1099430,
        "commit": "2bedd63b8e3019121c89108bfccb2421b08e28e9",
        "branch": "New_demo_branch",
        "tag": null,
        "reportLink": "<LINK TO REPORT>",
        "vulnIssuesCount": 31,
        "outofDateIssuesCount": 9,
        "licenseIssuesCount": 0
      },
      "project": {
        "id": 20757,
        "name": "example-javascript"
      }
    }
  • Event: vulnerability issues discovered
    {
      "event": "VULN_ISSUES_DISCOVERED_AFTER_SCAN",
      "organization": {
        "id": 310,
        "name": "Veracode",
        "planType": "ENTERPRISE"
      },
      "workspace": {
        "id": 4788,
        "name": "Webhooks"
      },
      "user": null,
      "issues": [
        {
          "id": 111967,
          "status": "NEW",
          "issueUrl": "<LINK TO ISSUE>",
          "vuln": {
            "id": 16462,
            "title": "Title of vulnerability",
            "cvssScore": 4.3,
            "cvss3Score": 5.9,
            "cve": null,
            "cveStatus": "NA",
            "stage": "RELEASED",
            "disclosureDate": null,
            "hasExploits": false,
            "vulnerabilityTypes": [],
            "overview": null
          }
        }
      ],
      "project": {
        "id": 20757,
        "name": "example-javascript"
      }
    }
  • Event: vulnerability issues changed
    {
      "event": "VULN_ISSUES_CHANGED_AFTER_SCAN",
      "organization": {
        "id": 310,
        "name": "Veracode",
        "planType": "ENTERPRISE"
      },
      "workspace": {
        "id": 4788,
        "name": "Webhooks"
      },
      "user": null,
      "issues": [
        {
          "id": 111967,
          "status": "RESOLVED",
          "issueUrl": "<LINK TO ISSUE>",
          "vuln": {
            "id": 16462,
            "title": "Title of vulnerability",
            "cvssScore": 7.8,
            "cvss3Score": 5.9,
            "cve": null,
            "cveStatus": "NA",
            "stage": "RELEASED",
            "disclosureDate": null,
            "hasExploits": false,
            "vulnerabilityTypes": [],
            "overview": null
          }
        }
      ],
      "project": {
        "id": 20757,
        "name": "example-javascript"
      }
    }
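
The following receiver is an added example, not Veracode's code. It answers the HEAD request the note above requires and treats every POST body as untrusted input, accepting only the three event names shown in the sample payloads. Assumptions: the names `triage` and `Hook`, the 7.0 score threshold, the 1 MB body cap, the listen address, and the choice to skip issues whose status is RESOLVED.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Event names as they appear in the sample payloads on this page.
KNOWN_EVENTS = {"SCAN_SUCCESS", "VULN_ISSUES_DISCOVERED_AFTER_SCAN",
                "VULN_ISSUES_CHANGED_AFTER_SCAN"}
MAX_BODY = 1_000_000   # assumed size cap; the page states no limit
# Constructed sample body, trimmed to the fields triage() reads.
SAMPLE = json.dumps({"event": "VULN_ISSUES_DISCOVERED_AFTER_SCAN", "user": None,
    "project": {"id": 20757, "name": "example-javascript"},
    "issues": [{"id": 111967, "status": "NEW", "vuln": {"title": "Title of vulnerability",
        "cvss3Score": 5.9, "cve": None, "hasExploits": False}}]}).encode()

def triage(body: bytes, min_cvss3: float = 7.0) -> dict:
    """Validate one webhook body and keep only the fields worth alerting on."""
    data = json.loads(body)
    if not isinstance(data, dict) or data.get("event") not in KNOWN_EVENTS:
        raise ValueError("unknown or missing event")
    out = {"event": data["event"], "alerts": [],
           "project": (data.get("project") or {}).get("name")}
    if data["event"] == "SCAN_SUCCESS":
        out["vulnIssuesCount"] = int((data.get("scan") or {}).get("vulnIssuesCount") or 0)
        return out
    for issue in data.get("issues") or []:
        vuln = issue.get("vuln") or {}   # cve, overview, disclosureDate may be null
        score = float(vuln.get("cvss3Score") or vuln.get("cvssScore") or 0.0)
        if issue.get("status") != "RESOLVED" and (score >= min_cvss3 or vuln.get("hasExploits")):
            out["alerts"].append({"issue": issue.get("id"), "score": score,
                                  "cve": vuln.get("cve"), "title": vuln.get("title")})
    return out

class Hook(BaseHTTPRequestHandler):
    def do_HEAD(self):   # the payload URL must accept HEAD requests
        self.send_response(200)
        self.end_headers()
    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length") or 0)
            if not 0 <= length <= MAX_BODY:   # refuse before reading the body
                raise ValueError("bad Content-Length")
            print(triage(self.rfile.read(length)))   # hand off to alerting here
            self.send_response(204)
        except (ValueError, TypeError, AttributeError):
            self.send_response(400)   # body does not match the documented shape
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Hook).serve_forever()
```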