Signed-off-by: Sebastian Kawelke <sebastian.kawelke@l3montree.com>
Pull request overview
This PR updates the webhook delivery path by implementing the previously stubbed first-party vulnerability webhook sender, broadening “success” handling to accept any 2xx response, and wiring the webhook integration into the aggregated third-party integrations so it can receive events.
Changes:
- Treat any 2xx HTTP response as success for SBOM and vulnerability webhook deliveries.
- Implement `SendFirstPartyVulnerabilities` to actually POST a payload to the configured webhook endpoint.
- Add `WebhookController` to the integration aggregate; adjust webhook event logging; remove `CLAUDE.md`.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| services/webhook_service.go | Implements first-party vulnerability webhook sending and updates HTTP success checks to use 2xx. |
| integrations/providers.go | Wires WebhookController into the integration aggregate via Fx. |
| controllers/webhook_controller.go | Logs webhook send success per event type (SBOM / first-party vulns / dependency vulns). |
| CLAUDE.md | Removes the developer-facing project overview/commands doc. |
Comments suppressed due to low confidence (1)
services/webhook_service.go:152
- SendFirstPartyVulnerabilities now has real behavior (JSON encoding + outbound POST + error handling), but the existing tests in this package only cover CreateRequest. Consider adding httptest-based coverage that verifies it sends the expected webhook type/payload and handles non-2xx responses correctly.
```go
func (c *webhookClient) SendFirstPartyVulnerabilities(ctx context.Context, vuln []dtos.FirstPartyVulnDTO, org shared.OrgObject, project shared.ProjectObject, asset shared.AssetObject, assetVersion shared.AssetVersionObject) error {
	body := WebhookStruct{
		Organization: org,
		Project:      project,
		Asset:        asset,
		AssetVersion: assetVersion,
		Payload:      vuln,
		Type:         WebhookTypeFirstPartyVulnerabilities,
	}
```
…t response Signed-off-by: Sebastian Kawelke <sebastian.kawelke@l3montree.com>
Pull request overview
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
Comments suppressed due to low confidence (1)
services/webhook_service.go:168
- SendFirstPartyVulnerabilities is now enabled (previously effectively a stub) and is called from WebhookController.HandleEvent, but there are no tests covering its request body/type/status handling. Adding a unit test similar to the CreateRequest tests would help prevent regressions (e.g., ensuring it sends the expected JSON with type=firstPartyVulnerabilities and treats non-2xx as errors).
```go
func (c *webhookClient) SendFirstPartyVulnerabilities(ctx context.Context, vuln []dtos.FirstPartyVulnDTO, org shared.OrgObject, project shared.ProjectObject, asset shared.AssetObject, assetVersion shared.AssetVersionObject) error {
	body := WebhookStruct{
		Organization: org,
		Project:      project,
		Asset:        asset,
		AssetVersion: assetVersion,
		Payload:      vuln,
		Type:         WebhookTypeFirstPartyVulnerabilities,
	}
```
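An added example, not code from this pull request or the project: a self-contained sender that accepts any 2xx response, exercised against an `httptest` receiver in the way the review comments suggest. `sendWebhook`, `deliver` and the JSON keys `type` and `payload` are hypothetical stand-ins for the project's `SendFirstPartyVulnerabilities` and `WebhookStruct`; the payload value is constructed.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// sendWebhook POSTs body as JSON and treats any 2xx status as success.
func sendWebhook(ctx context.Context, c *http.Client, url string, body any) error {
	raw, err := json.Marshal(body)
	if err != nil {
		return fmt.Errorf("encode webhook body: %w", err)
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, bytes.NewReader(raw))
	if err != nil {
		return fmt.Errorf("build request: %w", err)
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := c.Do(req)
	if err != nil {
		return fmt.Errorf("send webhook: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode < 200 || resp.StatusCode > 299 {
		return fmt.Errorf("webhook endpoint returned %d", resp.StatusCode)
	}
	return nil
}

// deliver sends a constructed payload to a test receiver that answers with status.
func deliver(status int) (string, error) {
	seen := make(chan string, 1) // carries the decoded type out of the handler goroutine
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var got struct{ Type string `json:"type"` } // key name is an assumption
		_ = json.NewDecoder(r.Body).Decode(&got)
		seen <- got.Type
		w.WriteHeader(status)
	}))
	defer srv.Close()
	body := map[string]any{"type": "firstPartyVulnerabilities", "payload": []string{"constructed"}}
	err := sendWebhook(context.Background(), srv.Client(), srv.URL, body)
	return <-seen, err
}

func main() { fmt.Println(deliver(500)) }
```

`deliver` returns both the type the receiver decoded and the sender's error, so a test can check that the body still arrives on a non-2xx response while the call is reported as failed.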
Signed-off-by: Sebastian Kawelke <sebastian.kawelke@l3montree.com>
No description provided.