I also set up reporting of security alerts with the same app. This also works and I can see code_scanning_alert webhooks delivered successfully with 202. But, I also see other webhook events like check_suite.requested, installation_repositories.added and installation_repositories.removed with 404:
{"errors":[{"msg":"No GitHub webhook handler found for this event check_suite"}]}
what have you tried so far to achieve this: I tried rerouting the packages via gh cli to see if the package is malformed, capturing the raw bytes, too. Since I don’t own the SonarQube GitHub App, there is no way for me to reason if all fields are correct, or if this is a signature mismatch issue.
Apologies for the errors in the webhook handler. Are you experiencing any functional issues with the GitHub integration otherwise?
The 404 responses you’re seeing for check_suite, installation_repositories, and similar events are expected and harmless. SonarQube’s webhook endpoint currently only processes code_scanning_alert events, and returns a 404 for any other event type. That said, I agree we shouldn’t be returning errors for events we simply don’t handle, so I’ll be looking into returning a proper 200 response for those instead.
One small clarification: you mentioned that you don’t own the SonarQube GitHub App, but you actually do! When you followed the guide to register a GitHub App for your SonarQube instance, that app was created under your GitHub organization. SonarSource doesn’t create or manage it. It’s fully yours. So if you ever need to adjust its permissions, event subscriptions, or webhook configuration, you can do so directly in your GitHub org’s settings.
Thank you for the clarification on webhook response behavior. I will verify if all permissions are set according to the guide just for completeness’ sake, but the answer is already sufficient.
One question, maybe: Is it already on the roadmap (suppressing these 404 logs)?
Thanks for confirming. We’ve raised a ticket to address the 404 responses for unhandled webhook events. I don’t have a timeline for when it’ll be picked up, but it’s on our radar.
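
On the signature question raised in the thread: since the GitHub App belongs to your own organization, you hold its webhook secret and can check a captured delivery offline. The following is an added example, not part of the original posts and not SonarQube's code; the secret, payloads and function names are constructed for illustration, while `X-Hub-Signature-256` and `X-GitHub-Event` are GitHub's delivery headers.

```python
import hashlib
import hmac

# Per the reply above, SonarQube's endpoint processes only this event type.
HANDLED_EVENTS = {"code_scanning_alert"}


def sign(secret: bytes, raw_body: bytes) -> str:
    """Build the header value GitHub sends: HMAC-SHA256 over the raw body."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def signature_valid(secret: bytes, raw_body: bytes, header: str) -> bool:
    """Verify X-Hub-Signature-256 against the exact bytes that were delivered."""
    if not header.startswith("sha256="):
        return False
    expected = sign(secret, raw_body).encode()
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(expected, header.lower().encode("utf-8"))


def triage(secret: bytes, headers: dict, raw_body: bytes) -> str:
    """Classify a captured delivery: bad signature, handled, or unhandled event."""
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names vary in case
    if not signature_valid(secret, raw_body, hdrs.get("x-hub-signature-256", "")):
        return "signature-mismatch"
    event = hdrs.get("x-github-event", "")
    return "handled" if event in HANDLED_EVENTS else "unhandled-event"


# Constructed sample data (not real deliveries, not a real secret).
SECRET = b"constructed-webhook-secret"
ALERT_BODY = b'{"action":"created","alert":{"number":1}}'
SUITE_BODY = b'{"action":"requested","check_suite":{"id":1}}'

if __name__ == "__main__":
    for event, body in (("code_scanning_alert", ALERT_BODY), ("check_suite", SUITE_BODY)):
        headers = {"X-GitHub-Event": event, "X-Hub-Signature-256": sign(SECRET, body)}
        print(event, "->", triage(SECRET, headers, body))
    # Re-serialised JSON (here: one added space) no longer matches the signature,
    # which is why the check must run on the captured raw bytes.
    headers = {"X-GitHub-Event": "check_suite", "X-Hub-Signature-256": sign(SECRET, SUITE_BODY)}
    print("modified body ->", triage(SECRET, headers, SUITE_BODY.replace(b":", b": ", 1)))
```

A delivery that verifies but is classified as an unhandled event matches the behaviour described above: the 404 reflects the event type, not a signature problem.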