Using Webhooks – Start DevSecOps

In this article:

How to use webhooks for scripting the Crashtest Security Suite functionalities. Allows integration in your continuous integration / continuous deployment (CI/CD) pipeline to pentest every release.

To run an automated security scan after a deployment (or other triggers), you can create a custom webhook in the project settings. This page explains how to create a webhook and the different payloads that you can execute.

We also have a complete example of a Circle CI pipeline setup, an app deployed via Circle CI, and running our scans for every deployment here. You can also define different rules for passing or failing builds.

Generating a webhook

Go to the project settings page and scroll down to the webhook settings in the Automation section. Then, click on “Generate” to create a new webhook for the project.

Crashtest Security Suite Generating Webhook

You can now send a POST request to the webhook whenever you want to start a scan for the project. The following examples show how to send the request.

Send Webhook

The following section explains how to trigger the webhook in the following software:

  • cURL
  • Heroku
  • TeamCity


To run the webhook manually, you can use the following cURL command. To start the scan from a shell script, integrate this command:

curl -X POST --data ""


You can set up Heroku to automatically call the webhook after a successful deployment:

heroku addons:create deployhooks:http --url=


In TeamCity, you can create a new build step where you run the webhook:

TeamCity Webhook Integration Setup

Webhook Payload

It is possible to send a payload containing authentication data and/or the Swagger file using an API scan. This data will be used to configure your project before starting the scan. Please note that previous user credentials will be overwritten, and the credentials will be stored for the next scan. To send a webhook request with payload data, you may use the following request:

curl -X POST -H "content-type: application-json" --data-binary @- << EOF
"system_authentication": {
"basic_auth": {
"username": "username",
"password": "password"
"application_authentication": [
"username": "username",
"password": "password",
"url": ""
"parameter_authentication": [
"type": "HEADER",
"key": "Authorization",
"value": "Bearer 12345678"
"specs": {
"api_spec": {
"swagger": "2.0",
"info": [],
"host": "",
"basePath": "/v1",
"schemes": [
"paths": []

Please note that you can send a full API Specification file such as Swagger or OpenAPI file as part of the api_spec section.

The part application_authentication is not available for use with API scan targets as a UI-based login form cannot be mixed with the scanning of APIs.

Manual Login Flow

Let’s assume that you have a REST API at, which uses JWT Tokens for authentication. The token is generated by a POST request to /login with the username ‘username’ and password.’

$ curl --data '{"username": "username", "password": "password"}' -X POST
    "token_type": "Bearer",
    "expires_in": 86400,
    "access_token": "ABCDEF",
    "refresh_token": "ABCDEF",
    "concurrent_sessions": 1,
    "max_current_sessions": 40,

You may use this to generate a script that logs you in before starting the security scan. The token generated by the login request is then used for the security scan.

ACCESS_TOKEN=`curl --data '{"username": "username", "password": "password"}' -X POST | jq -r '.access_token'`
curl --data "{
  \"parameter_authentication\": [
      \"type\": \"HEADER\",
      \"key\": \"Authorization\",
      \"value\": \"Bearer $ACCESS_TOKEN\"
}" -X POST


The following JSON responses inform you about the result of the webhook call:

{"message": "webhook_scan_started", "data": {"scanId": SCAN_ID}}    # Success Case
{"message": "Scan is already running"}                              # Failure Case

Retrieve Scan Report using Webhook

You can start the scan using a webhook and retrieve the report in JUnit XML format. The following script will start the scan for your project and periodically poll the status of the scan. When the scan is finished, the report will be downloaded to the file report.xml. For this script to run properly, you will need to have the following requirements installed: curl, jq

#!/usr/bin/env sh
# TODO: Set WEBHOOK to webhook ID (without URL)
# Start Scan and get scan ID
SCAN_ID=`curl --silent -X POST --data "" $API_ENDPOINT/$WEBHOOK | jq .data.scanId`
echo "Started Scan for Webhook $WEBHOOK. Scan ID is $SCAN_ID."
# Refresh Scan status
while [[ $STATUS -le "101" ]]
    echo "Scan Status currently is $STATUS (101 = Running)"
    # Only poll every minute
    sleep 60
    # Refresh status
    STATUS=`curl --silent $API_ENDPOINT/$WEBHOOK/scans/$SCAN_ID/status | jq .data.status.code`
echo "Scan finished with status $STATUS."

Get a quick security audit of your website for free now

We are analyzing
Scanning target
Scan status: In progress
Scan target:
Date: 16/09/2023
Crashtest Security Suite will be checking for:
Information disclosure Known vulnerabilities SSL misconfiguration Open ports
Complete your scan request
Please fill in your details receive the
quick security audit by email.
Security specialist is analyzing your scan report.
То verify your identity please provide your phone/mobile:
Thank you.
We have received your request.
As soon as your security audit is ready, we will notify you.