Intercept Security Scans with Vulnerability Webhooks


Security scanning provides an opportunity to target, track, and trace vulnerabilities introduced to your packages as soon as Cloudsmith has received a complete package upload. But what happens when you want to intercept the results of a scan immediately? An early warning can make a difference when distributing vulnerable packages to hundreds, thousands, or even millions of developers, devices, or systems globally.

Previously you could have rolled a custom solution using our API and polled it across your entire organization, dozens of repositories, and numerous packages; however, you don't even need to put in that kind of effort!

This is where vulnerability webhooks come to the rescue!

How do Vulnerability Webhooks Work?

Any time a scan completes, Cloudsmith dispatches a corresponding vulnerability webhook to your configured endpoint. The webhook event identifies the scanned package and includes a summary of the vulnerabilities found within it. As a sanity check, this helps determine which completed images have vulnerabilities and the severity of those vulnerabilities.

If you are unfamiliar with everything that webhooks are useful for, check out our earlier post on Repository Webhooks: Notifications for DevOps.

Getting Started

Good news, everybody! If you already have a webhook set up and you are using "Send All Events" for your Event Subscription, you are already receiving "Package Security Scan Completed" events when a security scan completes. Simples! However, if you are using an event subscription with selected individual events, it's simple to add the "Package Security Scan Completed" event. Once updated, your webhook will start receiving these events.

If you have never set up a webhook, you can check our comprehensive docs on how to create, configure, and test a webhook.

Once configured, you can upload a new package that supports security scanning or rerun an existing security scan using "On-Demand Scanning", and when it completes the following event will be sent to your configured endpoint:

{
  "context": {
    "vulnerability_scan_results": {
      "created_at": "2020-11-10T15:49:10.824417Z",
      "has_vulnerabilities": false,
      "identifier": "QR8sWmaGkVgGSpF6",
      "max_severity": "Unknown",
      "num_vulnerabilities": 0,
      "scan_id": 1
    }
  },
  "data": {
    "architectures": [
      {
        "description": null,
        "name": "amd64"
      }
    ],
    "cdn_url": null,
    "checksum_md5": "",
    "checksum_sha1": "",
    "checksum_sha256": "",
    "checksum_sha512": "",
    "description": null,
    "distro": null,
    "distro_version": null,
    "downloads": 0,
    "epoch": null,
    "extension": ".docker",
    "filename": "insecure-docker-cli-example-16050233251.docker",
    "files": [],
    "format": "docker",
    "format_url": "",
    "identifier_perm": "ubBlkctmZsvG",
    "indexed": true,
    "is_sync_awaiting": false,
    "is_sync_completed": true,
    "is_sync_failed": false,
    "is_sync_in_flight": false,
    "is_sync_in_progress": false,
    "license": null,
    "name": "cloudsmith-docker-cli-example",
    "namespace": "monster-energy",
    "namespace_url": "",
    "num_files": 0,
    "package_type": 1,
    "release": null,
    "repository": "testing",
    "repository_url": "",
    "security_scan_completed_at": "2020-11-10T15:49:10.837661Z",
    "security_scan_started_at": null,
    "security_scan_status": "Scan Detected No Vulnerabilities",
    "security_scan_status_updated_at": "2020-11-10T15:49:10.837564Z",
    "self_html_url": ";xpo=linux/",
    "self_url": "",
    "size": 4675136,
    "slug": "insecure-docker-cli-example-16050233251docke-Rb1",
    "slug_perm": "ubBlkctmZsvG",
    "stage": 9,
    "stage_str": "Fully Synchronised",
    "stage_updated_at": "2020-11-10T15:49:04.041306Z",
    "status": 4,
    "status_reason": null,
    "status_str": "Completed",
    "status_updated_at": "2020-11-10T15:49:04.041271Z",
    "status_url": "",
    "subtype": null,
    "summary": null,
    "sync_finished_at": "2020-11-10T15:49:04.041292Z",
    "sync_progress": 100,
    "tags": {
      "version": [
      ]
    },
    "tags_immutable": {},
    "type_display": "image",
    "uploaded_at": "2020-11-10T15:48:56.144478Z",
    "uploader": "lskillen",
    "uploader_url": "",
    "version": "38cfa3b1fff98e312a6978db421e4735e23a633c1ba9780acc15ee634d7ed722",
    "version_orig": "38cfa3b1fff98e312a6978db421e4735e23a633c1ba9780acc15ee634d7ed722",
    "vulnerability_scan_results_url": ""
  },
  "meta": {
    "attempt_at": "2020-11-10T15:49:11.707128+00:00",
    "event_at": "2020-11-10T15:49:11.706873+00:00",
    "event_id": "package.security_scan_completed",
    "trigger_id": "0bfd4561-0ea5-47ec-8cc8-afb0ab9c49b3",
    "webhook_id": 1
  }
}
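
A receiving endpoint can turn this event into a release decision. The following is an added example, not Cloudsmith's code: it triages one webhook body using the meta.event_id, context.vulnerability_scan_results and data fields shown above. The function name, the allow/warn/block labels and every severity name other than "Unknown" are assumptions.

```python
import json

SCAN_EVENT = "package.security_scan_completed"  # meta.event_id in the payload above
# Assumed ranking: only "Unknown" appears on this page; the other names are assumptions.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

def triage_scan_event(raw_body, block_at="High"):
    """Return a decision dict for a scan-completed event, or None for other events."""
    try:
        event = json.loads(raw_body)
    except (TypeError, ValueError) as exc:
        raise ValueError("webhook body is not valid JSON") from exc
    if not isinstance(event, dict):
        raise ValueError("webhook body is not a JSON object")
    meta = event.get("meta") or {}
    if meta.get("event_id") != SCAN_EVENT:
        return None  # a "Send All Events" subscription also delivers other events
    results = (event.get("context") or {}).get("vulnerability_scan_results")
    if not isinstance(results, dict):
        raise ValueError("scan event has no vulnerability_scan_results")
    data = event.get("data") or {}
    severity = results.get("max_severity") or "Unknown"
    count = int(results.get("num_vulnerabilities") or 0)
    vulnerable = bool(results.get("has_vulnerabilities")) or count > 0
    if not vulnerable:
        action = "allow"
    elif SEVERITY_RANK.get(severity, 99) >= SEVERITY_RANK[block_at]:
        action = "block"  # unranked severity (e.g. "Unknown") with findings fails closed
    else:
        action = "warn"
    return {
        "action": action,
        "package": "/".join(str(data.get(k)) for k in ("namespace", "repository", "name")),
        "slug_perm": data.get("slug_perm"),
        "max_severity": severity,
        "num_vulnerabilities": count,
        "trigger_id": meta.get("trigger_id"),  # log it to correlate deliveries
    }

# Constructed sample: a trimmed copy of the payload shown above.
SAMPLE = json.dumps({
    "context": {"vulnerability_scan_results": {
        "has_vulnerabilities": False, "max_severity": "Unknown",
        "num_vulnerabilities": 0, "scan_id": 1}},
    "data": {"name": "cloudsmith-docker-cli-example", "namespace": "monster-energy",
             "repository": "testing", "slug_perm": "ubBlkctmZsvG"},
    "meta": {"event_id": "package.security_scan_completed",
             "trigger_id": "0bfd4561-0ea5-47ec-8cc8-afb0ab9c49b3", "webhook_id": 1},
})
```

Calling triage_scan_event(SAMPLE) yields an "allow" decision for the clean image above; a body carrying findings at or above block_at, or findings with a severity the table cannot rank, yields "block".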


It's that simple to configure and get started with Vulnerability webhooks. Create a Cloudsmith account with our 2-week free trial, give it a try and see for yourself!