Configuring webhooks for your organization
Webhooks notify external services when a SonarQube Cloud project analysis is complete.
This page explains how to manage webhooks for your SonarQube Cloud organization. For more information about the feature, see Webhooks. You must be an organization admin to be able to manage webhooks for your organization.
You can configure up to 10 webhooks for your organization.
Organization-level webhooks are not replaced by project-level webhooks. All webhooks at both levels will be executed.
Creating a webhook
This paragraph explains how to create webhooks in the UI for your organization. You can also use the Web API.
Retrieve your organization. For more information, see Retrieving your organizations.
Go to Administration > Webhooks.
Select Create. The Create Webhook dialog is displayed.
Enter the webhook name.
Enter the URL to which the webhook is to be delivered.
Enter a secret if you want to protect the webhook with HMAC. See Securing webhooks below.
Test your webhook. To do so, you can use various webhook testing/debugging tools.
Updating or deleting a webhook
Retrieve your organization. For more information, see Retrieving your organizations.
Go to Administration > Webhooks.
In the three-dot menu at the far right of the webhook row, select the corresponding command.
Monitoring the webhook delivery
You can monitor the delivery of your webhooks configured for your organization in the SonarQube UI. You can also use the Web API to retrieve the webhook deliveries.
Each webhook’s delivery status is indicated. A delivery is marked as failed if the URL doesn’t respond within 10 seconds. Response records are purged after 30 days.
SonarQube Cloud doesn’t retry to deliver failed webhook deliveries. You may use the Web API to implement an automatic redelivering mechanism.
If you downgraded your organization to the Free plan, existing webhooks are still visible on the UI but won’t be invoked by SonarQube Cloud. If you upgrade your organization, you regain access to them.
To monitor your organization's webhooks:
Retrieve your organization. For more information, see Retrieving your organizations.
Go to Administration > Webhooks. The page shows the result and timestamp of each webhook’s most recent delivery.
To view the payload of the last delivery, select the link in the Last delivery column of the webhook row.
To view the results and payloads of earlier deliveries, select the three-dot menu at the far right of the webhook row.
Securing webhooks
After you’ve configured your server to receive payloads, you want to be sure that the payloads you receive are initiated by SonarQube Cloud and not by attackers. You can do this by validating a hash signature that ensures that requests originate from SonarQube Cloud.
A basic authentication mechanism is supported by providing user/password in the URL of the Webhook such as https://myLogin:myPassword@my_server/foo.
Set your secret
Retrieve your organization. For more information, see Retrieving your organizations.
Go to Administration > Webhooks.
You can either select Create to create a new webhook or click an existing webhook’s settings drop-down and select Update.
Enter a random string in the Secret text box. This is used as the key to generate the HMAC hex digest value in the
X-Sonar-Webhook-HMAC-SHA256header.Select Update.
Validate the received payload
After setting your secret, it’s used by SonarQube Cloud to create a hash signature with each payload that’s passed using the X-Sonar-Webhook-HMAC-SHA256 HTTP header. The header value needs to match the signature you are expecting to receive. SonarQube Cloud uses a HMAC lower-case SHA256 digest to compute the signature of the request body. Below is some sample Java code for your server. In this example, we are using the lib from apache commons-codec HmacUtils class.
If the signatures don’t match, then the payload should be ignored.
Related pages
Webhooks (solution overview)
Last updated
Was this helpful?