StackHawk

Developing with Webhooks

Brandon Ward Blog Image

A webhook, or event-driven web callback, can best be described as a “Reverse API”: an external third party provides the API specification / contract, but it is up to you, the consumer, to implement that API. You have probably come across webhooks in action without even knowing it! If your organization automatically triggers source code builds from commits, chances are your source control is alerting your build system via a webhook! Did you know that StackHawk also provides a webhook? It can programmatically keep you informed of all of your completed scans.

Tools

  • The webhook provider – this can be a third party such as GitHub, Jenkins, or StackHawk. For this post, we’ll be using StackHawk’s webhook.

  • ngrok – a networking tool that makes your local API publicly accessible.

  • (optional) node – if you aren’t developing your own application (yet), you can use the provided, simple echo.js script, which will print out all inbound network requests. Feel free to use your own application framework and API as well!

(Optional) Run the sample application

If you haven’t started writing your own application yet, you can run this simple Node.js application (in the linked gist) that simply logs all requests. It is also useful if you want to inspect the requests being sent by your webhook provider! Save it as echo.js:

https://gist.github.com/Bwvolleyball/c6315f3a744d2e3f52fece0cfd121dca

After you’ve saved this file, you can run it locally with this command:

SERVER_PORT=8080 node echo.js

Start ngrok

Next, you’ll want to start ngrok. After you’ve followed ngrok’s configuration instructions, just run ngrok http 8080 (or whatever port your application is running on locally). You’ll notice that this command lists a few forwarding entries; we’re most interested in the https URL it creates for us, as many webhook providers (StackHawk included) require an SSL-secured connection.

Configure Webhook Details

If you are following along with StackHawk, you’ll provide this URL to the StackHawk webhook configuration (or another webhook provider such as GitHub).

If you are using the supplied echo.js script, the values for authorization can be anything you’d like, or nothing at all. If you’re developing your own application, this value should be equivalent to how you expect StackHawk to authenticate with you.
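
Because the ngrok URL makes your local endpoint publicly reachable, a receiver you write yourself should check the authorization value before it processes an event. The following is an added example, not StackHawk's code and not the linked echo.js; it assumes the provider sends the configured value verbatim in the Authorization header, and the WEBHOOK_AUTH variable and receiver.js file name are hypothetical.

```javascript
const crypto = require('node:crypto');
const http = require('node:http');

// Assumption: the provider sends the configured authorization value verbatim
// in the Authorization header. WEBHOOK_AUTH is a hypothetical variable name;
// when it is unset the receiver fails closed and rejects every request.
const EXPECTED_AUTH = process.env.WEBHOOK_AUTH || '';
const MAX_BODY_BYTES = 1024 * 1024; // cap on the event payload we accept

// Constant-time comparison. Hashing both sides first gives timingSafeEqual
// the equal-length buffers it requires.
function authMatches(presented, expected) {
  if (!expected || typeof presented !== 'string' || !presented) return false;
  const a = crypto.createHash('sha256').update(presented).digest();
  const b = crypto.createHash('sha256').update(expected).digest();
  return crypto.timingSafeEqual(a, b);
}

// Decide the status from method and headers before reading the body; 204 means accept.
function checkRequest(method, headers, expected = EXPECTED_AUTH) {
  if (method !== 'POST') return 405;
  if (!authMatches(headers['authorization'], expected)) return 401;
  const length = Number(headers['content-length'] || 0);
  if (!Number.isFinite(length) || length > MAX_BODY_BYTES) return 413;
  return 204;
}

function handler(req, res) {
  const status = checkRequest(req.method, req.headers);
  if (status !== 204) {
    req.resume(); // discard the body of a rejected request
    res.writeHead(status).end();
    return;
  }
  const chunks = [];
  let size = 0;
  req.on('data', (chunk) => {
    size += chunk.length;
    if (size > MAX_BODY_BYTES) return req.destroy(); // cap exceeded mid-stream
    chunks.push(chunk);
  });
  req.on('end', () => {
    // JSON.stringify escapes newlines so the payload cannot forge log lines.
    console.log('webhook event:', JSON.stringify(Buffer.concat(chunks).toString('utf8')));
    res.writeHead(status).end();
  });
}

// Same convention as the echo.js command: SERVER_PORT=8080 node receiver.js
if (process.env.SERVER_PORT) http.createServer(handler).listen(Number(process.env.SERVER_PORT));
```

Set WEBHOOK_AUTH to the same value you enter in the webhook configuration; requests that do not present it receive a 401 and their body is never logged.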

Activate the Webhook!

Perform an operation that causes a webhook event!

The StackHawk webhook emits an event with each successful scan. Check out our docs to run your own scan, scan one of our sample applications, or read more about our webhook.

If you’re using something else like GitHub, push a commit to your repository!

If you are running the example Node.js application, you’ll see that it has logged the request from your webhook event.


And that’s it! Now you have all the tools you need to start quickly developing with webhooks!
