Webhooks Should Be Configured With A Secret
policy name: repository_webhook_no_secret
Webhooks are not configured with a shared secret to validate the origin and content of the request. This could allow your webhook to be triggered by any bad actor with the URL.
Not using a webhook secret makes the service receiving the webhook unable to determine the authenticity of the request. This allows attackers to masquerade as your repository, potentially creating an unstable or insecure state in other systems.
- Make sure you can manage webhooks for the repository
- Go to the repository settings page
- Select “Webhooks”
- Press on the insecure webhook
- Confiure a secret
- Click “Update webhook”