Overview ¶
Package webhook handles inbound webhook receivers — GitHub PR / push events + operator-defined generic webhooks. Every receiver verifies an HMAC-SHA256 signature against either a per-source secret (GitHub) or a per-row secret (generic), then queues a scan job via the same code path as POST /api/v1/scans.
The HMAC verification is constant-time. Signature format follows GitHub's "sha256=" + hex convention for both source types.
Constants ¶
const (
	// MaxBodyBytes caps inbound payloads at 1 MB. GitHub events sit
	// well under that; the limit prevents a malicious sender from
	// pinning daemon memory.
	MaxBodyBytes = 1 << 20

	// SignaturePrefix is the "sha256=" tag GitHub puts in the header
	// before the hex digest. Generic receivers use the same shape
	// for parity.
	SignaturePrefix = "sha256="
)
const SlackReplayWindow = 5 * time.Minute
SlackReplayWindow is the maximum age of an inbound request, rejecting anything older to mitigate replay attacks.
const SlackSignaturePrefix = "v0="
SlackSignaturePrefix is the version-prefix Slack puts on the signature header. v0 is the only spec'd value as of 2026.
Variables ¶
This section is empty.
Functions ¶
func SignBody ¶
SignBody is the helper that test code (and the v1.4 settings UI "test this webhook" button) uses to produce a valid signature header for a given body.
func VerifySignature ¶
VerifySignature is the constant-time HMAC-SHA256 check shared by both receivers. The header is expected as "sha256=<hex>" (GitHub convention); empty/malformed headers fail.
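The GitHub-style sign/verify pair and the body cap described above, as an added example that is not the package's own code. It assumes the GitHub header name X-Hub-Signature-256 and a handler that caps the body with http.MaxBytesReader before reading; the HMAC is computed over the raw request bytes, so verification must happen before any JSON decoding or re-serialization. The sample secret and payloads are constructed.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

const (
	MaxBodyBytes    = 1 << 20
	SignaturePrefix = "sha256="
)

// SignBody returns "sha256=<hex>" over body, the header value a sender attaches.
func SignBody(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return SignaturePrefix + hex.EncodeToString(mac.Sum(nil))
}

// VerifySignature compares header against a fresh HMAC of body in constant
// time. An empty secret, a missing/unprefixed header, non-hex digits or a
// digest of the wrong length all fail closed.
func VerifySignature(secret, body []byte, header string) bool {
	if len(secret) == 0 || !strings.HasPrefix(header, SignaturePrefix) {
		return false
	}
	got, err := hex.DecodeString(strings.TrimPrefix(header, SignaturePrefix))
	if err != nil || len(got) != sha256.Size {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hmac.Equal(mac.Sum(nil), got) // constant-time compare
}

// handler caps the body at MaxBodyBytes, reads the raw bytes, verifies the
// signature over exactly those bytes, and only then accepts the event.
// Header name X-Hub-Signature-256 is an assumption (GitHub's own header).
func handler(secret []byte) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		r.Body = http.MaxBytesReader(w, r.Body, MaxBodyBytes)
		body, err := io.ReadAll(r.Body)
		if err != nil {
			http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
			return
		}
		if !VerifySignature(secret, body, r.Header.Get("X-Hub-Signature-256")) {
			http.Error(w, "bad signature", http.StatusForbidden)
			return
		}
		w.WriteHeader(http.StatusAccepted) // here the real receiver would queue the scan
	}
}

// deliver posts body with the given signature header and returns the status code.
func deliver(h http.Handler, body []byte, sig string) int {
	req := httptest.NewRequest(http.MethodPost, "/webhooks/github", bytes.NewReader(body))
	req.Header.Set("X-Hub-Signature-256", sig)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	secret := []byte("constructed-secret") // constructed sample secret
	body := []byte(`{"action":"opened"}`)  // constructed sample payload
	fmt.Println(deliver(handler(secret), body, SignBody(secret, body)))
	fmt.Println(deliver(handler(secret), body, "sha256=00"))
}
```

Note that a nil or empty secret makes VerifySignature reject everything, which is the "no secret = no verify = no trust" behaviour the New constructor documents.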
func VerifySlackSignature ¶ added in v1.8.0
VerifySlackSignature implements Slack's recipe: HMAC-SHA256 over the string "v0:<timestamp>:<body>", compared against the "v0="-prefixed hex header. Returns false on any structural error (missing/empty headers, timestamp outside SlackReplayWindow, malformed hex). secret is the workspace signing secret.
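The Slack recipe with its replay window, as an added example that is not the package's own code; the real VerifySlackSignature's parameter order is not shown on this page, so the signature below is an assumption. SignSlack is a hypothetical sender-side helper, and VerifySlackSignatureAt is the same check with the clock injected so the five-minute window can be exercised deterministically. One detail the example makes explicit: the timestamp is used verbatim from the header in the signed string, never re-formatted after parsing, because Slack signs the header text as sent. Secret and payloads are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
	"time"
)

const (
	SlackReplayWindow    = 5 * time.Minute
	SlackSignaturePrefix = "v0="
)

// slackBaseString builds "v0:<ts>:<body>" with the timestamp text exactly as
// it appeared in the X-Slack-Request-Timestamp header.
func slackBaseString(ts string, body []byte) []byte {
	return []byte("v0:" + ts + ":" + string(body))
}

// SignSlack (hypothetical sender-side helper) returns the X-Slack-Signature value.
func SignSlack(secret []byte, ts string, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(slackBaseString(ts, body))
	return SlackSignaturePrefix + hex.EncodeToString(mac.Sum(nil))
}

// VerifySlackSignatureAt verifies (tsHeader, sigHeader) over body against the
// given clock. Every structural problem returns false; the replay check is
// symmetric so a timestamp far in the future is rejected as well as a stale one.
func VerifySlackSignatureAt(secret []byte, tsHeader, sigHeader string, body []byte, now time.Time) bool {
	if len(secret) == 0 || tsHeader == "" || sigHeader == "" {
		return false
	}
	ts, err := strconv.ParseInt(tsHeader, 10, 64)
	if err != nil {
		return false
	}
	age := now.Sub(time.Unix(ts, 0))
	if age < 0 {
		age = -age
	}
	if age > SlackReplayWindow {
		return false // replayed (or badly skewed) request
	}
	if !strings.HasPrefix(sigHeader, SlackSignaturePrefix) {
		return false
	}
	got, err := hex.DecodeString(strings.TrimPrefix(sigHeader, SlackSignaturePrefix))
	if err != nil || len(got) != sha256.Size {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(slackBaseString(tsHeader, body)) // raw header text, not the parsed int
	return hmac.Equal(mac.Sum(nil), got)
}

// VerifySlackSignature is the production entry point using the wall clock.
func VerifySlackSignature(secret []byte, tsHeader, sigHeader string, body []byte) bool {
	return VerifySlackSignatureAt(secret, tsHeader, sigHeader, body, time.Now())
}

func main() {
	secret := []byte("constructed-signing-secret") // constructed sample secret
	body := []byte("token=xyz&team_id=T1&command=%2Fscan")
	ts := strconv.FormatInt(time.Now().Unix(), 10)
	fmt.Println(VerifySlackSignature(secret, ts, SignSlack(secret, ts, body), body))
}
```

Replaying a captured request after the window closes fails on the timestamp check before any HMAC work is done; rewriting the timestamp to a fresh value fails on the HMAC, since the signed string changes.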
Types ¶
type Buf ¶
type Buf struct {
// contains filtered or unexported fields
}
Buf is the trimmed payload buffer wrapper. Used by tests + integration code that needs to inspect the verified body.
type Config ¶
type Config struct {
GitHubSecret string
SlackSigningSecret string
JiraSecret string
LinearSecret string
}
Config carries the operator-controlled inbound secrets. The v1.4 settings page wires this from the providers table; the CLI flag path is the v1.3 fallback.
type PRMapping ¶ added in v1.8.0
PRMapping holds one row in the github_pr_mapping table. The outbound github-pr notifier (or its v1.8.x adapter) constructs these alongside its post + persists them via PersistPRMapping.
type Receiver ¶
type Receiver struct {
// contains filtered or unexported fields
}
Receiver is the HTTP handler bundle for both inbound paths.
func New ¶
New constructs the receiver. nil cfg is fine — both inbound paths will then 403 every request (no secret = no verify = no trust).
func (*Receiver) Mount ¶
Mount installs /webhooks/{...} routes on r. No auth middleware here — the routes do their own signature verification.
func (*Receiver) PersistPRMapping ¶ added in v1.8.0
PersistPRMapping inserts the (repo, pr, comment_id, fingerprint) tuple. Idempotent via the composite PK ON CONFLICT DO NOTHING.