SQ34255
Detected presence of inactive webhook service access keys.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
| None | pass | low | low | None | secrets: warning Reason: inactive web service credentials |
About the issueโ
Software as a Service (SaaS) platforms expose programmable interfaces for action automation and secure exchange of information. Webhooks are web callback interfaces that enable real-time event notifications. Applications provide a public-facing interface that the web service calls when a specific event occurs. Authentication is done by the application that the web service accesses through a secret key. Since the key is encoded in the webhook callback, the service interface parameters should never be included in a software release package, even if they are inactive or obfuscated by encryption on the client-side. Webhooks for supported web services are automatically validated via the least privilege APIs the service exposes. Detected webhooks have been refused by their associated service as either inactive or expired.
How to resolve the issueโ
- If webhook keys were published unintentionally and the software has been made public, you should file a security incident.
- Examples of webhook secrets that may have been detected include AWS, Slack, Office365 and others.
Incidence statisticsโ
Not relevant for this type of sensitive information.
Recommended readingโ
What is a webhook? (External resource - RedHat)
Introduction to Webhook security (External resource - webhooks.fyi)