Skip to main content
  • Semgrep Cloud Platform
  • Team & Enterprise Tier

Enabling webhooks

Prerequisites
  • Webhooks can only be enabled through Semgrep Cloud Platform (SCP). Create an account to set up webhooks.
  • To receive alerts and notifications, you must add or onboard a project (repository) to Semgrep Cloud Platform for scanning.

Webhooks are a generic method for Semgrep Cloud Platform to post JSON-formatted findings after each scan to your URL endpoint.

SCP sends two types of JSON objects:

semgrep_scan JSON object
A semgrep_scan object contains information about the CI job and other scan parameters, such as ignored files. SCP sends a single semgrep_scan object every time a scan is run. This includes diff-aware scans, full scans, and scans that have no findings.
semgrep_finding JSON object
A semgrep_finding object is a single record of a new finding. SCP sends new semgrep_finding objects based on how you have configured your notifications in Policies. See Setting up webhooks to learn more.

Setting up webhooks

Perform these steps in Semgrep Cloud Platform to set up webhooks:

  1. Create a webhook integration:
    1. On the navigation menu, click Settings > Integrations > Add Integration.
    2. Click Webhook.
    3. In the Name field, enter a name for the integration.
    4. In the Webhook URL field, enter the target webhook URL for the integration.
    5. Optional: To ensure that Semgrep can post to your URL, click Test. The following screenshot displays the result of a successful webhook integration. Successful webhook integration test
    6. Click Save.
  2. Turn notifications on:
    1. Click Rules > Policies > Rule Modes.
    2. Click the Edit button of the Rule Mode for which you want to receive webhook notifications. For example, if you want to be notified of all blocking findings through webhooks, click the Edit button of the Block mode.
    3. Repeat the previous step for all Rule Modes that you want to receive notifications for.

Findings

The following is an example of a semgrep_finding object:

[
  {
    "semgrep_finding": {
      "id": "241dbe518caf15f800131d2d0c70bf08",
      "ref": "refs/pull/2658/merge",
      "start_date": "None",
      "check_id": "log-exc-info",
      "path": "server/semgrep_app/handlers/registry.py",
      "line": 185,
      "column": 9,
      "message": "Error messages should be logged with `exc_info=True` in order to propagate\nstack information to Sentry. Either change the logging level or raise an Exception.\n",
      "severity": 1,
      "index": 0,
      "end_line": 187,
      "end_column": 10,
      "commit_date": "2021-06-07T15:26:35+03:00",
      "first_seen_scan_id": "xnkPGY8VL20o",
      "category": "security",
      "cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
      "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
      "owasp": "A3: Sensitive Data Exposure",
      "references": ["https://tomcat.apache.org/tomcat-5.5-doc/servletapi/"],
      "source": "https://semgrep.dev/r/java.servlets.security.cookie-issecure-false.cookie-issecure-false",
      "technology": ["servlet",  "tomcat"],
      "vulnerability": "Insecure Transport",
      "metadata": {
        "dev.semgrep.actions": [],
        "semgrep.policy": {
          "id": 8168,
          "name": "Web Apps Notify Only",
          "slug": "web-apps-notify-only"
        },
        "semgrep.url": "https://semgrep.dev/s/johndoe:log-exc-info"
      }
    }
  }
]

Scans

The following is an example of a semgrep_scan object:

{
  "semgrep_scan": {
    "deployment_id": 1,
    "started_at": "2021-09-21T23:49:17.480929+00:00",
    "completed_at": null,
    "exit_code": null,
    "repository": "returntocorp/semgrep-app",
    "ci_job_url": "https://github.com/returntocorp/semgrep-app/actions/runs/1236121005",
    "environment": "",
    "commit": "e22f08e8e871bde8c100b3a4a6f8e9387d651223",
    "commit_committer_email": "",
    "commit_timestamp": "",
    "commit_author_email": "support@semgrep.com",
    "commit_author_name": "Semgrep User",
    "commit_author_username": "semgrepuser",
    "commit_author_image_url": "https://avatars.githubusercontent.com/u/29760937?s=200&v=4",
    "commit_authored_timestamp": "",
    "commit_title": "fixup",
    "config": "",
    "on": "pull_request",
    "branch": "refs/pull/3483/merge",
    "pull_request_timestamp": "",
    "pull_request_author_username": "semgrepuser",
    "pull_request_author_image_url": "https://avatars.githubusercontent.com/u/29760937?s=200&v=4",
    "pull_request_id": "3483",
    "pull_request_title": "test bad commit",
    "ignored_files": ["/server/semgrep_app/templates/"],
    "id": "xnkPGY8VL20o"
  }
}

Find what you needed in this doc? Join the Semgrep Community Slack group to ask the maintainers and the community if you need help, or check out other ways to get help.