
Generic Webhooks

Generic webhooks deliver every supported event as a JSON POST to a URL of your choice. They are useful for SIEM pipelines, internal automation, custom dashboards, Zapier/Make/Tray flows, or anything else not covered by the first-party integrations.

  1. Open Settings → Integrations and click Add Webhook.
  2. Enter your endpoint URL (HTTPS recommended).
  3. Optionally add custom headers (for example Authorization: Bearer your-token-for-auth).
  4. Pick events and apply filters.
  5. Click Test — Vygl POSTs a canned event_type: "test" payload to your URL. Verify your endpoint received it.

Every event POST is a JSON object with this shape:

{
  "event_id": "550e8400-e29b-41d4-a716-446655440000",
  "event_type": "critical_finding",
  "org_id": "01HZK...",
  "timestamp": "2026-04-17T12:34:56Z",
  "data": {
    // event-specific payload
  }
}

The data block varies per event type:

| Event | Key fields in data |
|---|---|
| scan_completed | scan_id, project_id, branch, commit, severity_counts, duration_ms |
| critical_finding / high_finding | finding_id, severity, rule_id, file_path, line, ai_verdict |
| cve_critical / cve_high | cve_id, package_name, package_version, affected_projects |
| cve_batch_summary | total_alerts, by_severity, top_packages |

| Response | Behavior |
|---|---|
| 2xx | Success — done |
| 3xx | Followed (one redirect max) |
| 4xx | Logged, not retried (your endpoint signaled the request is bad) |
| 5xx / connection error | Retried up to 3x with exponential backoff |

After all retries fail, Vygl logs the delivery with the last error and gives up.

Each event has a stable event_id (UUID). On retries, the same event_id is sent — your endpoint should be idempotent on this field to handle duplicate deliveries gracefully.

Vygl rejects URLs that resolve to private/reserved IP ranges (RFC 1918, loopback, link-local, etc.) to prevent SSRF. Public-internet URLs are allowed; if you’re forwarding to a private endpoint, run an HTTPS reverse proxy on the public internet.

Set headers like Authorization: Bearer ... in the integration config. Common patterns:

  • Secret bearer token that your endpoint validates server-side.
  • Custom signature header that your endpoint hashes the body against (HMAC).
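
A receiver-side handler that ties together the bearer-token pattern, the event_id idempotency requirement and the response/retry behavior described on this page. It is an added example, not Vygl's own code; the token value, the process_event hook, the in-memory set and the exact-case header dict are assumptions.

```python
import hmac
import json

# Assumption: the same secret configured in the integration's Authorization header.
EXPECTED_TOKEN = "constructed-example-token"
REQUIRED_FIELDS = ("event_id", "event_type", "org_id", "timestamp", "data")
SEEN_EVENT_IDS = set()  # in production, a durable store with an expiry


def process_event(event):
    """Hypothetical downstream step (forward to a SIEM, open a ticket, ...)."""


def handle_delivery(headers, body, process=process_event):
    """Return the HTTP status to answer one webhook POST with.

    headers: dict with exact-case keys (assumption); body: raw bytes.
    """
    supplied = headers.get("Authorization", "").encode()
    expected = ("Bearer " + EXPECTED_TOKEN).encode()
    # Constant-time comparison so the token does not leak through timing.
    if not hmac.compare_digest(supplied, expected):
        return 401  # 4xx: logged by the sender, not retried
    try:
        event = json.loads(body)
    except ValueError:  # covers malformed JSON and invalid UTF-8
        return 400
    if not isinstance(event, dict) or any(f not in event for f in REQUIRED_FIELDS):
        return 400
    event_id = event["event_id"]
    if not isinstance(event_id, str):
        return 400
    if event_id in SEEN_EVENT_IDS:
        return 200  # duplicate from a retry: acknowledge, do not reprocess
    try:
        process(event)
    except Exception:
        return 503  # 5xx: the sender retries with the same event_id
    SEEN_EVENT_IDS.add(event_id)  # record only after processing succeeded
    return 200


if __name__ == "__main__":
    # Constructed sample delivery using the envelope shown above.
    sample = json.dumps({"event_id": "550e8400-e29b-41d4-a716-446655440000",
                         "event_type": "test", "org_id": "org-example",
                         "timestamp": "2026-04-17T12:34:56Z", "data": {}}).encode()
    auth = {"Authorization": "Bearer " + EXPECTED_TOKEN}
    print(handle_delivery(auth, sample), handle_delivery(auth, sample))
```

Recording the event_id only after processing succeeds means a 503 followed by a retry still gets processed once, while a retry of an already-handled event is acknowledged without side effects.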