-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add webhook API documentation (#215)
- Loading branch information
Showing
3 changed files
with
64 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,57 @@ | ||
| # API | ||
|
|
||
| This section documents the public API for Phylum's artifact repository offering. | ||
|
|
||
| ## Webhooks | ||
|
|
||
| Webhooks will send out notifications whenever a package that was accessed | ||
| through a repository proxy fails analysis. | ||
|
|
||
| To setup a new webhook, you can use the following curl command: | ||
|
|
||
| ```sh | ||
| # Phylum group used with the registry proxy. | ||
| export PHYLUM_GROUP=… | ||
| # https://docs.phylum.io/knowledge_base/api-keys#generate-an-api-key | ||
| export PHYLUM_API_KEY=… | ||
| # URL which will be called on analysis failure. | ||
| export WEBHOOK_URL=… | ||
| # Shared secret used to validate authenticity of webhook callbacks | ||
| export SECRET=… | ||
|
|
||
| curl \ | ||
| -X PUT \ | ||
| --user "$PHYLUM_GROUP:$PHYLUM_API_KEY" \ | ||
| --json "{\"url\": \"$WEBHOOK_URL\", \"secret\": \"$SECRET\"}" \ | ||
| "https://aviary.phylum.io/webhooks" | ||
| ``` | ||
|
|
||
| Once a webhook is registered, policy violations will be sent to it in the same | ||
| format as the [package check endpoint]. | ||
|
|
||
| Since these reports contain security advisories, it's important to make sure | ||
| that they were generated by Phylum and the endpoint wasn't called by a third | ||
| party. To make this possible, all official webhook notification calls will | ||
| include a `sha256` query parameter which contains a hexadecimal representation | ||
| of the SHA256-HMAC of the response body, generated with the shared secret | ||
| provided when registering the webhook. | ||
|
|
||
| ### Deleting Webhooks | ||
|
|
||
| If a webhook is no longer in use, it should be deleted: | ||
|
|
||
| ```sh | ||
| # Phylum group used with the registry proxy. | ||
| export PHYLUM_GROUP=… | ||
| # https://docs.phylum.io/knowledge_base/api-keys#generate-an-api-key | ||
| export PHYLUM_API_KEY=… | ||
| # URL-encoded URL used during webhook setup. | ||
| export WEBHOOK_URL=… | ||
|
|
||
| curl \ | ||
| -X DELETE \ | ||
| --user "$PHYLUM_GROUP:$PHYLUM_API_KEY" \ | ||
| "https://aviary.phylum.io/webhooks/$WEBHOOK_URL" | ||
| ``` | ||
|
|
||
| [package check endpoint]: https://api.phylum.io/api/v0/swagger/index.html#/Organizations/organizations_group_packages_check |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters