Integrations
Webhooks
Set up webhooks to receive real-time notifications from CodeWall.
Webhooks send HTTP POST requests to your endpoint when events occur in CodeWall, enabling real-time integration with any system.
Setting up a webhook
- Go to Settings > Webhooks
- Click Add Webhook
- Enter the destination URL
- Select the channel type: Webhook (with HMAC signing), Slack, or Microsoft Teams
- Select which events to subscribe to
- For webhook channels, enter a signing secret (minimum 16 characters)
- Click Save
Events
| Event | Description |
|---|---|
finding.created | A new vulnerability was discovered |
finding.high | A high or critical severity finding was discovered |
run.completed | A test run finished successfully |
run.failed | A test run encountered an unrecoverable error |
approval.required | A phase or command approval gate is waiting for a decision |
Channel types
| Type | Description |
|---|---|
| Webhook | Standard HTTP POST with HMAC-SHA256 signing |
| Slack | Posts formatted messages to a Slack incoming webhook URL |
| Teams | Posts formatted messages to a Microsoft Teams incoming webhook URL |
Payload format
Webhook payloads are sent as JSON:
{
"id": "evt_abc123",
"event": "finding.created",
"timestamp": "2026-04-10T10:30:00Z",
"data": {
"id": "find_abc123",
"title": "SQL Injection in /api/users",
"severity": "critical",
"run_id": "run-20260410-103000-a1b2c3d4",
"target": "https://example.com"
}
}Verification
Each webhook request includes a signature header (X-CodeWall-Signature) that you can use to verify the payload came from CodeWall. The signature is an HMAC-SHA256 hash of the request body using your webhook secret.
Retry policy
Failed deliveries (non-2xx response) are retried up to 3 times with exponential backoff.
API management
You can also manage webhook endpoints programmatically via the API. See the Webhook Endpoints API for full details.