Whitelist webhook destinations

  • ALM used: Azure DevOps
  • CI system used: Azure DevOps
  • Scanner command used when applicable: n/a
  • Languages of the repository: n/a
  • Steps to reproduce: n/a
  • Potential workaround: unknown

To prevent data exfiltration using webhooks, is it possible to restrict destination domains that can be used within webhooks in a SonarCloud Organisation?


As of today there is no such feature to restrict destination domains in webhooks. Note that only project administrators can define webhooks. For such a feature to make sense, I assume you would need more granular permissions too, to separate the users that can define whitelisted domains, and the users that can define webhooks. Do I understand your request correctly?

We don’t need granular permissions for non-admin users. Rather, some assurance that webhooks can’t be created to send data to unauthorised domains. If we were self-hosting a solution, firewall rules or a proxy would be used as a secondary line of defence. If nothing exists, we’ll have to mitigate the risk by beefing up our operational procedure.

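An operational procedure like the one mentioned in the last reply could include a periodic audit of configured webhook URLs against an approved-destination list. The sketch below is an added example, not part of the thread and not SonarCloud code; it assumes the webhooks of each project have already been exported into a dict whose entries carry `name` and `url` keys, and the allowlist and sample data are constructed.

```python
from urllib.parse import urlsplit

# Constructed allowlist (assumption): exact hosts, or ".suffix" for any subdomain.
ALLOWED = {"hooks.example.com", ".ci.example.com"}


def host_allowed(url, allowed=ALLOWED):
    """Return True only if url is https and its parsed host is on the allowlist."""
    try:
        parts = urlsplit(url)
        # Compare the parsed hostname, never the raw string: this ignores any
        # userinfo before '@' and normalises case and a trailing dot.
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return False  # unparseable URLs are treated as not approved
    if parts.scheme != "https" or not host:
        return False
    for entry in allowed:
        if entry.startswith("."):
            if host.endswith(entry):  # leading dot enforces a label boundary
                return True
        elif host == entry:
            return True
    return False


def audit(webhooks_by_project, allowed=ALLOWED):
    """Return (project, webhook name, url) for each non-approved destination."""
    findings = []
    for project, hooks in webhooks_by_project.items():
        for hook in hooks:
            if not host_allowed(hook.get("url", ""), allowed):
                findings.append((project, hook.get("name"), hook.get("url")))
    return findings


# Constructed sample export (hypothetical project keys and webhook names).
SAMPLE = {
    "proj-a": [{"name": "deploy", "url": "https://hooks.example.com/sonar"}],
    "proj-b": [{"name": "notify", "url": "https://build.ci.example.com/hook"},
               {"name": "lookalike", "url": "https://hooks.example.com.other.test/x"}],
    "proj-c": [{"name": "userinfo", "url": "https://hooks.example.com@other.test/x"},
               {"name": "plain", "url": "http://hooks.example.com/sonar"}],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("unapproved webhook:", *finding)
```

Matching on the parsed hostname with a dot-anchored suffix is what keeps the lookalike and userinfo entries from passing, which a plain substring or prefix comparison would allow.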