Skip to content

Add structured findings to webhook payload#38

Merged
lelia merged 7 commits intomainfrom
feature/structured-webhook-payload
Mar 3, 2026
Merged

Add structured findings to webhook payload#38
lelia merged 7 commits intomainfrom
feature/structured-webhook-payload

Conversation

@dc-larsen
Copy link
Contributor

@dc-larsen dc-larsen commented Feb 27, 2026

Summary

  • Each connector's webhook formatter now builds a findings array of structured objects alongside the markdown table
  • WebhookNotifier payload includes timestamp (ISO 8601), scan_type, summary (severity counts), and findings
  • Backward compatible: notification.content (markdown) still present
  • TruffleHog findings intentionally omit redacted secret values from structured output

New payload shape

{
  "repository": "...",
  "branch": "...",
  "scanner": "socket-security",
  "timestamp": "2026-02-27T19:49:33Z",
  "scan_type": "Socket CVE Scanning Results: Dockerfile",
  "summary": {"total": 71, "critical": 9, "high": 22, "medium": 12, "low": 10},
  "findings": [
    {"package": "bson", "version": "1.0.9", "ecosystem": "npm", "purl": "pkg:npm/bson@1.0.9", "cves": ["CVE-2020-7610"], "severity": "critical", "scanner": "trivy"}
  ],
  "notification": {"title": "...", "content": "markdown table..."}
}

Test plan

  • 125 tests pass (all existing + 25 new)
  • Push to dc-larsen/socket-basics-test, trigger workflow, verify payload on webhook.site
  • Confirm findings are structured JSON with proper ecosystems (no pkg:unknown/)

@dc-larsen
Add structured findings to webhook payload
1a4bdf1 
Webhook payloads now include a machine-readable findings array alongside
the existing markdown content. Each connector (Trivy, Socket Tier1,
OpenGrep, TruffleHog) builds structured finding objects during format.
The WebhookNotifier aggregates these into the payload with a severity
summary and ISO 8601 timestamp. The notification.content field remains
for backward compatibility.

TruffleHog findings intentionally omit redacted secret values from the
structured output.
@dc-larsen dc-larsen requested a review from a team as a code owner February 27, 2026 20:39
@dc-larsen dc-larsen requested a review from lelia February 27, 2026 20:45
@lelia lelia self-assigned this Mar 2, 2026
lelia
lelia approved these changes Mar 3, 2026
View reviewed changes
Copy link
Contributor

@lelia lelia left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - as discussed, we've converged on the plural cves list to be used within the findings object, rather than have Trivy and Socket Tier 1 diverge.

@dc-larsen for posterity, here are some examples of what the new JSON output may look like in webhook form:

Basic example with cves:

{
  "repository": "demo/repo",
  "branch": "main",
  "scanner": "socket-security",
  "timestamp": "2026-03-03T00:35:19Z",
  "scan_type": "Socket CVE Scanning Results: Dockerfile",
  "summary": {
    "total": 1,
    "critical": 1,
    "high": 0,
    "medium": 0,
    "low": 0
  },
  "findings": [
    {
      "package": "bson",
      "version": "1.0.9",
      "ecosystem": "npm",
      "purl": "pkg:npm/bson@1.0.9",
      "cves": [
        "CVE-2020-7610"
      ],
      "severity": "critical",
      "scanner": "trivy"
    }
  ],
  "notification": {
    "title": "Socket CVE Scanning Results: Dockerfile",
    "content": "| a | b |\\n|---|---|\\n| x | y |"
  }
}

Representative SAST example:

{
  "repository": "local/app-tests-python",
  "branch": "local-test",
  "scanner": "socket-security",
  "timestamp": "2026-03-03T00:54:31Z",
  "scan_type": "SAST Python",
  "summary": {
    "total": 6,
    "critical": 5,
    "high": 1,
    "medium": 0,
    "low": 0
  },
  "findings": [
    {
      "rule": "python-command-injection",
      "severity": "critical",
      "file": "vulnerable_app.py",
      "path": "workspace/app_tests/python/vulnerable_app.py",
      "lines": "8-8",
      "language": "sast-python",
      "scanner": "opengrep"
    },
    {
      "rule": "python-start-process-with-shell",
      "severity": "critical",
      "file": "vulnerable_app.py",
      "path": "workspace/app_tests/python/vulnerable_app.py",
      "lines": "8-8",
      "language": "sast-python",
      "scanner": "opengrep"
    },
    {
      "rule": "python-subprocess-shell-true",
      "severity": "critical",
      "file": "vulnerable_app.py",
      "path": "workspace/app_tests/python/vulnerable_app.py",
      "lines": "8-8",
      "language": "sast-python",
      "scanner": "opengrep"
    },
    {
      "rule": "python-hardcoded-secret",
      "severity": "high",
      "file": "vulnerable_app.py",
      "path": "workspace/app_tests/python/vulnerable_app.py",
      "lines": "10-10",
      "language": "sast-python",
      "scanner": "opengrep"
    },
    {
      "rule": "python-pickle-usage",
      "severity": "critical",
      "file": "vulnerable_app.py",
      "path": "workspace/app_tests/python/vulnerable_app.py",
      "lines": "19-19",
      "language": "sast-python",
      "scanner": "opengrep"
    },
    {
      "rule": "python-unsafe-deserialization",
      "severity": "critical",
      "file": "vulnerable_app.py",
      "path": "workspace/app_tests/python/vulnerable_app.py",
      "lines": "19-19",
      "language": "sast-python",
      "scanner": "opengrep"
    }
  ],
  "notification": {
    "title": "SAST Python",
    "content": "Rule | Severity | File | Path | Lines | Code | SubType | Scanner\n--- | --- | --- | --- | --- | --- | --- | ---\npython-command-injection | critical | vulnerable_app.py | workspace/app_tests/python/vulnerable_app.py | 8-8 | os.system(user_input)  # Command injection vulnerability | sast-python | opengrep\npython-start-process-with-shell | critical | vulnerable_app.py | workspace/app_tests/python/vulnerable_app.py | 8-8 | os.system(user_input)  # Command injection vulnerability | sast-python | opengrep\npython-subprocess-shell-true | critical | vulnerable_app.py | workspace/app_tests/python/vulnerable_app.py | 8-8 | os.system(user_input)  # Command injection vulnerability | sast-python | opengrep\npython-hardcoded-secret | high | vulnerable_app.py | workspace/app_tests/python/vulnerable_app.py | 10-10 | password = \"hardcoded_password\"  # Hardcoded secret | sast-python | opengrep\npython-pickle-usage | critical | vulnerable_app.py | workspace/app_tests/python/vulnerable_app.py | 19-19 | data = pickle.loads(open(\"user_data.pkl\", \"rb\").read())  # Unsafe deserialization | sast-python | opengrep\npython-unsafe-deserialization | critical | vulnerable_app.py | workspace/app_tests/python/vulnerable_app.py | 19-19 | data = pickle.loads(open(\"user_data.pkl\", \"rb\").read())  # Unsafe deserialization | sast-python | opengrep"
  }
}

@lelia lelia merged commit 9467be6 into main Mar 3, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lelia lelia lelia approved these changes

Assignees

@lelia lelia

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dc-larsen @lelia