Notify results

Webhook

5 min

Enterprise feature: This feature is only available with TruffleHog Enterprise. Contact us to learn more.
﻿
Webhook notifiers allow for integrations which subscribe to found secret notifications. 
When a new secret is found, an HTTP POST payload will be sent to the webhook’s configured URL. Webhooks can be secured by using a token to generate and verify a signature of the payload.
Scanner Configuration
YAML
notifiers:
- connection:
    '@type': type.googleapis.com/notifiers.Webhook
    token: secret_token
    url: https://example.trufflesec.com:8081/webhook
    notifyOnRotation: false
  name: webhook secrets notifications
  # sourcesToNotify can also be set to ALL to receive
  # all notifications
  sourcesToNotify: SOURCES_IN_THIS_CONFIG
  type: NOTIFIER_TYPE_WEBHOOK
notifiers:
- connection:
    '@type': type.googleapis.com/notifiers.Webhook
    token: secret_token
    url: https://example.trufflesec.com:8081/webhook
    notifyOnRotation: false
  name: webhook secrets notifications
  # sourcesToNotify can also be set to ALL to receive
  # all notifications
  sourcesToNotify: SOURCES_IN_THIS_CONFIG
  type: NOTIFIER_TYPE_WEBHOOK
﻿
Options
Key
Description
Required
url
The webhook endpoint to send the notification to
Yes
token
Token to generate signature for webhook
No
notifyOnRotation
Set to true to send follow-up webhook notification when secret is rotated
No
signatureMethod
sha256 or hmac-sha256. Default: sha256
No
base64EncodedToken
Set to true if provided token is base64 encoded
No
﻿
Tokens
The signature is sent using in the X-Hub-Signature header. To verify the signature matches the payload, generate a SHA256 hash of the payload body prefixed with the token string.
X-HUB-SIGNATURE:5f246d1f78c832eee4d9b453742476a743a1c7fe73454b6b432b26868525423f
> BODY='{"source_type":"SourceType_SOURCE_TYPE_GIT",...}' 
> TOKEN="mySecretToken"
> echo -n "${TOKEN}${BODY}" | sha256sum
5f246d1f78c832eee4d9b453742476a743a1c7fe73454b6b432b26868525423f
Example payload body by source
Filesystem
Microsoft Teams
GitHub
JIRA
BitBucket
Confluence
GitLab
Slack
{
	"SourceType": "SOURCE_TYPE_SLACK",
	"Metadata": {
		"Data": {
			"Slack": {
				"channelID": "channel-1",
				"channelName": "some channel",
				"timestamp": "2020-05-01T00:00:00Z",
				"userId": "user-1",
				"link": "https://slack.com/app_redirect?channel=channel-1",
				"file": "file-1",
				"email": "test@slack.com"
			}
		}
	},
	"SecretType": "Github",
	"Secret": "SOMESECRET42",
	"Verified": true
}
{
	"SourceType": "SOURCE_TYPE_SLACK",
	"Metadata": {
		"Data": {
			"Slack": {
				"channelID": "channel-1",
				"channelName": "some channel",
				"timestamp": "2020-05-01T00:00:00Z",
				"userId": "user-1",
				"link": "https://slack.com/app_redirect?channel=channel-1",
				"file": "file-1",
				"email": "test@slack.com"
			}
		}
	},
	"SecretType": "Github",
	"Secret": "SOMESECRET42",
	"Verified": true
}
﻿
﻿
﻿

Key	Description	Required
url	The webhook endpoint to send the notification to	Yes
token	Token to generate signature for webhook	No
notifyOnRotation	Set to true to send follow-up webhook notification when secret is rotated	No
signatureMethod	sha256 or hmac-sha256. Default: sha256	No
base64EncodedToken	Set to true if provided token is base64 encoded	No

Stdout

Reverify secrets