Skip to main content

Overview

ZeroPath webhooks allow you to receive real-time HTTP notifications when important security events occur in your repositories. This enables you to build custom integrations, automate workflows, and stay informed about your security posture.

Quick Setup

Configure webhooks in your Organization Settings to start receiving real-time security notifications.

How Webhooks Work

When a subscribed event occurs, ZeroPath sends an HTTP POST request to your configured endpoint with a JSON payload containing detailed information about the event. You can use this data to:
  • Automate Security Workflows: Trigger automated responses to security events
  • Build Custom Integrations: Connect ZeroPath with your existing tools and platforms
  • Monitor Security Posture: Track vulnerabilities and scan results in real-time
  • Enhance Compliance: Log security events for audit trails

Supported Event Types

ZeroPath supports the following webhook event types:

SCAN_STARTED

When a full repository scan begins

SCAN_COMPLETE

When a full repository scan finishes successfully

SCAN_FAILED

When a scan fails to complete

SCAN_SCHEDULED

When a scan is scheduled

PR_SCAN_STARTED

When a pull request scan begins

PR_SCAN_COMPLETE

When a pull request scan completes

NEW_VULNERABILITIES_FULL_SCAN

When new vulnerabilities are detected in a full repository scan

NEW_VULNERABILITIES_PR

When new vulnerabilities are detected in a pull request

VULNERABILITY_PATCHED

When a vulnerability is fixed

VULNERABILITY_REOPENED

When a vulnerability reappears

PR_BLOCKED

When a pull request is blocked due to vulnerabilities

PR_MERGED_WITH_ISSUES

When a pull request is merged to main branch with open vulnerabilities

REPORT_COMPLETE

When a report is generated

LONG_RUNNING_SCAN

When a scan is taking unusually long

AUDIT_LOG_EVENT

Important audit log events

Webhook Payload Structure

All webhook payloads follow a consistent structure with event-specific data:

Common Fields

FieldTypeRequiredDescription
timeintegerYesUnix epoch seconds when the event was emitted
hoststringYesOrigin host (e.g., zeropath.com)
sourcestringYesSource system identifier
sourcetypeenumYesEvent type. One of SCAN_STARTED, SCAN_COMPLETE, PR_SCAN_STARTED, PR_SCAN_COMPLETE, NEW_VULNERABILITIES_PR, NEW_VULNERABILITIES_FULL_SCAN, VULNERABILITY_PATCHED, VULNERABILITY_REOPENED, AUDIT_LOG_EVENT, SCAN_FAILED, SCAN_SCHEDULED, LONG_RUNNING_SCAN, PR_BLOCKED, PR_MERGED_WITH_ISSUES, REPORT_COMPLETE
eventobjectYesEvent payload object containing details

event object

FieldTypeRequiredDescription
timestampstring (date-time)YesISO 8601 timestamp of the event
organizationobjectYesOrganization details
organization.idstringYesOrganization ID
organization.namestringNoOrganization name
repositoryobjectNoRepository details
repository.idstringYesRepository ID
repository.namestringYesRepository name
scanobjectNoScan details for scan-related events
scan.idstringYesScan ID
scan.typestringYesScan type (e.g., FullScan, PrScan)
scan.statusstringYesOne of started, completed, failed, scheduled, blocked, merged_with_issues, unknown
scan.duration_minutesintegerNoScan duration in minutes
scan.vulnerability_summary.totalintegerYesTotal vulnerabilities (when present)
scan.vulnerability_summary.by_severityobjectYesCounts for critical, high, medium, low, info
scan.urlstringYesLink to view the scan in ZeroPath
audit_logobjectNoPresent for AUDIT_LOG_EVENT
audit_log.idstringYesAudit log ID
audit_log.endpointstringYesAPI endpoint called
audit_log.argumentsobjectNoArguments passed to the endpoint
audit_log.callerobjectNoCaller info (id, email)
audit_log.timestampstring (date-time)YesWhen the audit event occurred
errorstringNoError message (present in failure events)
metadataobjectNoAdditional event-specific data
vulnerabilityobjectNoDetailed vulnerability information

Event-specific requirements

  • SCAN_STARTED: event.scan required
  • PR_SCAN_STARTED: event.scan required
  • SCAN_COMPLETE: event.scan required
  • PR_SCAN_COMPLETE: event.scan required
  • SCAN_FAILED: event.scan and event.error required
  • NEW_VULNERABILITIES_PR: either event.vulnerability or event.scan required
  • NEW_VULNERABILITIES_FULL_SCAN: either event.vulnerability or event.scan required
  • LONG_RUNNING_SCAN: event.metadata.runningMinutes required
  • AUDIT_LOG_EVENT: event.audit_log required
  • SCAN_SCHEDULED: event.metadata with scheduleId, crontab, isEnabled, action required
  • PR_BLOCKED: event.metadata.prId and event.metadata.prNumber required
  • PR_MERGED_WITH_ISSUES: event.metadata.prUrl and event.metadata.targetBranch required
  • VULNERABILITY_REOPENED/VULNERABILITY_PATCHED: either event.metadata or event.vulnerability required
  • REPORT_COMPLETE: event.metadata.reportId required

Event Payload Examples

{
  "time": 1729101000,
  "host": "zeropath.com",
  "source": "zeropath",
  "sourcetype": "SCAN_COMPLETE",
  "event": {
    "timestamp": "2025-10-16T12:34:56Z",
    "organization": { "id": "org_123", "name": "Acme Corp" },
    "repository": { "id": "repo_123", "name": "backend-api" },
    "scan": {
      "id": "scan_abc",
      "type": "FullScan",
      "status": "completed",
      "duration_minutes": 8,
      "vulnerability_summary": {
        "total": 3,
        "by_severity": { "critical": 0, "high": 1, "medium": 1, "low": 1, "info": 0 }
      },
      "url": "https://zeropath.com/scans/scan_abc"
    }
  }
}

Configuring Webhooks

Integrations

Add and manage webhook endpoints

Notifications

Configure which events trigger webhooks

Setting Up Webhooks

Webhook configuration in ZeroPath is a two-step process that gives you granular control over which events you receive:

Step 1: Add a Webhook Integration

  1. Navigate to zeropath.com/app/settings/integrations
  2. Click “Add Integration” and select “Webhook”
  3. Configure your webhook endpoint:
    • Name: A descriptive name for this webhook
    • URL: Your HTTPS endpoint that will receive webhook payloads
    • Custom Headers: Add custom headers for authentication (e.g., Authorization: Bearer your-secret-token)

Step 2: Create Notification Settings

After adding a webhook integration, configure which events trigger notifications:
  1. Go to zeropath.com/app/settings/notifications
  2. Click “Create Notification Setting”
  3. Configure your notification preferences:
    • Notification Channel: Select “Webhook” from the available channels
    • Webhook: Choose from your list of webhook integrations
    • Repositories: Select specific repositories or choose “All Repositories”
    • Event Types: Select which events should trigger notifications
    • Vulnerability Score Threshold: For vulnerability events, set the minimum threshold (Info, Low, Medium, High, or Critical)
The vulnerability score threshold only applies to vulnerability-related events like NEW_VULNERABILITIES_FULL_SCAN and NEW_VULNERABILITIES_PR. Other events like SCAN_COMPLETE will always be sent regardless of this setting.
ZeroPath supports multiple notification channels. When creating a notification setting, you’ll first select “Webhook” as your channel type, then choose from your configured webhook integrations. Other notification channels may include email, Slack, or other integrations.

Example Configuration

Here’s an example of a typical webhook configuration:
1

Create Webhook Integration

Add a webhook endpoint in Integrations:
  • Name: “Production Security Alerts”
  • URL: https://api.example.com/webhooks/zeropath
  • Custom Headers:
    • Authorization: Bearer prod-webhook-token-123
    • X-Environment: production
2

Configure Notifications

Create notification settings:
  • Notification Channel: “Webhook”
  • Webhook: “Production Security Alerts” (from your webhook list)
  • Repositories: “backend-api”, “frontend-app”
  • Events: NEW_VULNERABILITIES_FULL_SCAN, NEW_VULNERABILITIES_PR, PR_BLOCKED
  • Vulnerability Score Threshold: High
3

Result

You’ll receive webhooks only for:
  • New vulnerabilities with High or Critical scores in selected repos
  • Blocked PRs in selected repos
  • No notifications for vulnerabilities below High threshold

Repository Filtering

You can configure webhooks at different scopes:
  • All Repositories
  • Specific Repositories
Select “All Repositories” to receive notifications for events across your entire organization. New repositories are automatically included.

Vulnerability Score Filtering

The vulnerability score threshold helps reduce noise by filtering out lower-priority vulnerabilities. ZeroPath uses a 0-100 scoring system categorized into five levels:
Threshold LevelScore RangeDescriptionTypical Use Case
Critical90-100Immediate action requiredProduction systems, zero-tolerance environments
High70-89Serious issues requiring prompt attentionImportant systems, should be addressed soon
Medium40-69Moderate risk vulnerabilitiesStandard threshold for most projects
Low10-39Minor issues with limited impactDevelopment environments, code quality
Info0-9Informational findingsAudit trails, compliance tracking
When you select a threshold level (e.g., “High”), you’ll receive notifications for all vulnerabilities at that level and above. For example, selecting “High” will notify you of both High and Critical vulnerabilities.

Multiple Webhook Configurations

You can create multiple webhook integrations and notification settings to handle different scenarios. Each notification setting can use the “Webhook” channel with different webhook integrations:

Critical Alerts

Use Case: Immediate notifications for critical issues
  • Webhook: PagerDuty integration
  • Repositories: Production repos only
  • Events: NEW_VULNERABILITIES_FULL_SCAN, PR_BLOCKED
  • Vulnerability Score Threshold: Critical

Team Updates

Use Case: Daily team notifications
  • Webhook: Slack channel
  • Repositories: All repositories
  • Events: SCAN_COMPLETE, REPORT_COMPLETE
  • Vulnerability Score Threshold: Medium

Audit Trail

Use Case: Compliance logging
  • Webhook: SIEM system
  • Repositories: All repositories
  • Events: All event types
  • Vulnerability Score Threshold: Info (capture everything)

PR Workflow

Use Case: Developer notifications
  • Webhook: GitHub Actions
  • Repositories: Active development repos
  • Events: PR_SCAN_COMPLETE, NEW_VULNERABILITIES_PR
  • Vulnerability Score Threshold: High

Managing Notification Settings

You can create multiple notification settings using the same webhook integration with different configurations. This allows you to route different types of events or vulnerability score thresholds to the same endpoint but with different filtering rules.
To manage your webhook configurations:
  1. View All Settings: Navigate to zeropath.com/app/settings/notifications to see all active configurations
  2. Edit Settings: Click on any notification setting to modify repositories, events, or vulnerability score thresholds
  3. Enable/Disable: Temporarily disable notifications without deleting the configuration
  4. Test Webhooks: Use the “Test” button to send a sample payload to verify your endpoint is working

Webhook Security

Always use HTTPS endpoints for webhooks to ensure data is encrypted in transit.

Authentication with Custom Headers

ZeroPath allows you to add custom headers to webhook requests for authentication. This flexible approach lets you implement security that matches your infrastructure: Common Authentication Patterns: 
// Example 1: Bearer Token
// Custom Header: Authorization: Bearer your-secret-token

app.post('/webhooks/zeropath', (req, res) => {
  const authHeader = req.headers['authorization'];
  if (authHeader !== 'Bearer your-secret-token') {
    return res.status(401).send('Unauthorized');
  }
  // Process webhook...
});

// Example 2: API Key
// Custom Header: X-API-Key: your-api-key

app.post('/webhooks/zeropath', (req, res) => {
  const apiKey = req.headers['x-api-key'];
  if (apiKey !== process.env.WEBHOOK_API_KEY) {
    return res.status(401).send('Invalid API key');
  }
  // Process webhook...
});

// Example 3: Custom Secret Header
// Custom Header: X-Webhook-Secret: your-webhook-secret

app.post('/webhooks/zeropath', (req, res) => {
  const secret = req.headers['x-webhook-secret'];
  if (secret !== process.env.ZEROPATH_WEBHOOK_SECRET) {
    return res.status(401).send('Invalid webhook secret');
  }
  // Process webhook...
});
You can add multiple custom headers for enhanced security, such as combining an API key with a timestamp for replay attack prevention.
Benefits of Custom Headers:
  • Flexibility: Use any authentication scheme that fits your infrastructure
  • Compatibility: Works with existing API gateways and authentication middleware
  • Multiple Headers: Add multiple headers for different purposes (auth, routing, metadata)
  • Standard Patterns: Use industry-standard authentication patterns like Bearer tokens

Best Practices

Webhooks may be delivered more than once. Use the event ID to ensure you process each event only once.
Your endpoint should return a 2xx status code within 10 seconds. Process webhook data asynchronously if needed.
ZeroPath will retry failed webhook deliveries with exponential backoff. Ensure your endpoint can handle duplicate events.
Set up monitoring for your webhook endpoints to ensure they’re receiving and processing events correctly.
Only subscribe to events you need to reduce noise and processing overhead.

Error Handling

ZeroPath uses the following retry policy for failed webhook deliveries:
  • Initial Retry: 30 seconds after first failure
  • Subsequent Retries: Exponential backoff (1min, 2min, 4min, 8min, 16min)
  • Max Retries: 6 attempts over ~30 minutes
  • Final Action: Webhook marked as failed and notification sent

Need Help?

Contact Support

Having issues with webhooks? Our support team is here to help.
 For more detailed API information, check our API Reference or join our Discord community for help from other developers.