Skip to main content

Webhooks

Vibgrate's outbound webhook framework is live: pick event types, get an HMAC-signed POST per event, and every webhook is bounded by an immutable snapshot of its creator's permissions at creation time — it can never see more than they could.

Status
Available now
Phase
Phase 1

What's live today

Workspace admins can create webhooks scoped to specific event types (scan created, todo CRUD, drift-budget CRUD and breach, workflow CRUD/publish, approval requested/decided, policy template installed, SBOM imported, DriftScore distributed). Each delivery is signed with X-Vibgrate-Webhook-Signature (HMAC-SHA256) and logged with retry attempts. Every webhook's visibility is frozen to its creator's permissions and entity scope at creation time, so it can never see more than they could — even if their live permissions later change.

This is the pattern every other outbound integration (Slack, Jira, Linear, Datadog) reuses under the hood — see the Enterprise Integration Plan.