Open nscuro opened 2 years ago
As an alternative, an authentication header in the outgoing request might help too. With this static auth I could trigger stuff to GitLab, for example.
Hi, is there anything new on this topic? I would like to use the GitLab alert integration, but this webhook only works with an authorization key. I can't enter this key anywhere in the Dependency Track alerts.
Current Behavior:
Alerts / notifications sent via Webhook are neither authenticated nor signed in any way. This makes it hard for receiving parties to verify whether a given notification was sent by DT.
Proposed Behavior:
For the Webhook alert type, allow for an optional shared secret to be provided. Before sending the webhook request, calculate an HMAC for the JSON payload, and include the resulting value in a request header (e.g. X-Webhook-Signature). For reference, this is also how GitHub is doing it: https://docs.github.com/en/developers/webhooks-and-events/webhooks/securing-your-webhooks