DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Provide signatures for webhook alerts #1555

Open nscuro opened 2 years ago

nscuro commented 2 years ago

Current Behavior:

Alerts / notifications sent via Webhook are neither authenticated nor signed in any way. This makes it hard for receiving parties to verify whether a given notification was sent by DT.

Proposed Behavior:

For the Webhook alert type, allow for an optional shared secret to be provided. Before sending the webhook request, calculate an HMAC for the JSON payload, and include the resulting value in a request header (e.g. X-Webhook-Signature).

For reference, this is also how GitHub is doing it: https://docs.github.com/en/developers/webhooks-and-events/webhooks/securing-your-webhooks
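The proposed scheme, as an added example that is not part of this issue or of Dependency-Track's code: the sender computes HMAC-SHA256 over the exact JSON bytes it puts on the wire and sends the hex digest in a header, and the receiver recomputes it over the raw body it received and compares in constant time. The header name `X-Webhook-Signature` is taken from the proposal above, the `sha256=` prefix follows GitHub's convention, and the notification payload and secret are constructed for the demo.

```python
import hashlib
import hmac
import json

# Header name from the proposal in this issue; the project may pick another.
SIGNATURE_HEADER = "X-Webhook-Signature"


def canonical_body(payload: dict) -> bytes:
    # The signature must cover the exact bytes that are sent, so serialize once
    # and reuse the same bytes for both the request body and the HMAC input.
    return json.dumps(payload, separators=(",", ":"), sort_keys=True).encode("utf-8")


def sign_payload(secret: bytes, body: bytes) -> str:
    # HMAC-SHA256 over the raw body, hex-encoded, with an algorithm prefix so the
    # scheme can be rotated later (same convention as GitHub's X-Hub-Signature-256).
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def build_request(secret: bytes, payload: dict) -> tuple:
    # Sender side: returns (headers, body) ready to be POSTed to the webhook URL.
    body = canonical_body(payload)
    headers = {
        "Content-Type": "application/json",
        SIGNATURE_HEADER: sign_payload(secret, body),
    }
    return headers, body


def verify_request(secret: bytes, headers: dict, body: bytes) -> bool:
    # Receiver side: recompute over the raw bytes received (never over a
    # re-serialized object) and compare in constant time to avoid timing leaks.
    header_value = headers.get(SIGNATURE_HEADER)
    if not header_value or not header_value.startswith("sha256="):
        return False
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected, header_value)


# Constructed sample notification; field names only loosely resemble a real
# Dependency-Track webhook payload and are not taken from the project.
SAMPLE_NOTIFICATION = {
    "level": "INFORMATIONAL",
    "title": "New vulnerability identified",
    "subject": {"project": "demo-app", "vulnId": "EXAMPLE-0001", "severity": "CRITICAL"},
}
SHARED_SECRET = b"constructed-demo-secret"


def demo() -> dict:
    # Walk through the cases a receiver must handle: a genuine request, a body
    # modified in transit, a sender holding the wrong secret, and no header at all.
    headers, body = build_request(SHARED_SECRET, SAMPLE_NOTIFICATION)
    tampered_body = body.replace(b"CRITICAL", b"LOW")
    return {
        "valid": verify_request(SHARED_SECRET, headers, body),
        "tampered": verify_request(SHARED_SECRET, headers, tampered_body),
        "wrong_secret": verify_request(b"some-other-secret", headers, body),
        "missing_header": verify_request(SHARED_SECRET, {"Content-Type": "application/json"}, body),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The receiver must hash the body bytes exactly as they arrived; parsing the JSON and re-serializing it before verifying would break the check whenever key order or whitespace differs, which is why `canonical_body` is used only on the sending side here.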

kkretsch commented 2 years ago

As an alternative, an authentication header in the outgoing request might help too. With this static auth I could trigger stuff to GitLab, for example.

mwerner96 commented 1 year ago

Hi, is there anything new on this topic? I would like to use the GitLab alert integration, but this webhook only works with an authorization key. I can't enter this key anywhere in the Dependency Track alerts.