WebHook Registration - RDR3/cx-flow GitHub Wiki

The URL/endpoint for all webhook registrations is as follows:
http://cxflow | https://cxflow
http://cxflow/cx | https://cxflow/cx
/cx is an applicable context that can be used, but the default / root context will
Note: replace cxflow with the endpoint/port on which you are running the webservice (e.g. localhost:8080).

WebHooks can be registered at the namespace level (Organization in GitHub, Group within GitLab, Team in Bitbucket). This will apply the WebHook configuration globally for all Repositories underneath within the hierarchy.


When registering the webhook in GitHub, ensure the application/json Content type is selected. Form URL Encoded is not supported.
The secret must be the pre-shared token that the CxFlow webservice is using to validate and authenticate requests.
The supported events are Pull Request, which will by default produce feedback within the pull request itself, and Push Event, which will execute the desired bug tracker implementation.
Starting with version 1.6.0, Branch or tag deletion events are supported and will delete corresponding projects in CxSAST when scanned branches are deleted (which is frequently done after a pull request is successfully merged).


Azure DevOps requires a different endpoint for Pull and Push events because the payload and headers cannot be differentiated.

  • When registering Pull Create Events, use http:///ado/pull
  • When registering Push Events, use http:///ado/push

Note: Only Push/Pull Create events are currently supported. The token should be sent as a Basic Authentication header.

Similar to cloud, but requires a shared secret field, which is used to sign/authenticate the request.

Bitbucket Cloud does not support a shared key/secret for digitally signing and verifying the request, so we require the token parameter to be passed:
Example: http://cxflow?token=XXXXX
XXXXX is the pre-shared token that the CxFlow webservice is using to validate and authenticate requests.
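
The following is an added example, not code from CxFlow or this wiki. It shows, from the receiver's side, the two authentication styles described above: a GitHub-style HMAC signature computed over the raw JSON body with the pre-shared secret, and the Bitbucket Cloud `token` query parameter. `X-Hub-Signature-256` is GitHub's documented signature header; the function names and sample values are assumptions, and this page does not state which header CxFlow itself checks.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed sample values for illustration, not real credentials.
SHARED_TOKEN = "example-preshared-token"
SAMPLE_BODY = b'{"action":"opened","number":1}'


def github_signature(secret: str, raw_body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256 for this secret and body."""
    digest = hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def verify_github(secret: str, raw_body: bytes, header_value: str) -> bool:
    """Check the signature header against the raw, unparsed request body.

    The HMAC covers the exact bytes on the wire, so verify before any JSON
    parsing or re-serialisation changes them.
    """
    if not header_value or not header_value.startswith("sha256="):
        return False
    expected = github_signature(secret, raw_body)
    # compare_digest avoids leaking how many characters matched via timing.
    return hmac.compare_digest(expected.encode(), header_value.encode())


def verify_query_token(secret: str, request_url: str) -> bool:
    """Bitbucket Cloud style: the token arrives as ?token=... in the URL."""
    values = parse_qs(urlsplit(request_url).query).get("token", [])
    if len(values) != 1:
        return False  # reject a missing or repeated parameter
    return hmac.compare_digest(values[0].encode(), secret.encode())
```

With the query-parameter style the token is part of the URL rather than a signature over the body, so the https endpoint form listed at the top of this page keeps it from crossing the network in clear text.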
