SonarQube Reporting Webhooks
Learn how SonarQube webhooks work in Procurize AI, including setup, payload structure, security validation, and retry behavior.
Overview
Procurize webhooks allow external systems to receive notifications when new SonarQube reports are ingested or updated.
Configuring webhooks
Webhooks can be added or edited in the Security reports section of the Organization’s settings panel at https://dashboard.procurize.ai. Access to the settings panel requires authorization, and access to an organization’s settings panel requires a user role of at least Administrator in that organization.

To check webhooks, you can use popular online services such as https://webhook-test.com.
Webhook Payload
Webhook events are delivered as HTTP POST requests with a JSON payload.
Example Payload
{
  "organizationId": "00000000-0000-0000-0000-000000000001",
  "reports": [
    {
      "projectName": "Test product",
      "id": "00000000-0000-0000-0000-000000000002",
      "reportType": "CWE Top 25",
      "reportVersion": 2024,
      "projectVersion": "1.0",
      "date": "2025-12-17T09:05:48.5946432+00:00",
      "uploadDate": "2025-12-17T09:05:48.5946432+00:00",
      "vulnerabilitiesCount": 0,
      "securityRating": "A"
    }
  ]
}
Webhook Security
To ensure authenticity, webhook requests include a signature header generated using a shared secret.
- The signature is calculated using HMAC-SHA256
- Clients should verify the signature before processing the payload
This prevents unauthorized or spoofed webhook deliveries.
Delivery and Retries
- Webhooks expect a 2xx response to be considered successfully delivered
- Failed deliveries are automatically retried hourly.
- Events may be delivered more than once; consumers should implement idempotent processing
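The signature check from the Webhook Security section and the idempotent processing called for above, combined in one receiver; this is an added example, not Procurize's code. The page does not state the header name, the signature encoding or what is signed, so the hex-encoded HMAC over the raw request body and the (id, uploadDate) deduplication key are assumptions.

```python
import hashlib
import hmac
import json

# Assumptions, not stated on the page: the header carries the hex-encoded
# HMAC-SHA256 of the raw request body; (id, uploadDate) identifies a delivery.
_seen = set()  # in-memory for the example; use a durable store in production


def expected_signature(secret: bytes, raw_body: bytes) -> str:
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes, signature: str) -> bool:
    # Sign the exact bytes received (not re-serialized JSON) and compare in
    # constant time; bytes comparison also tolerates non-ASCII header values.
    expected = expected_signature(secret, raw_body).encode()
    return hmac.compare_digest(expected, signature.strip().lower().encode())


def handle_delivery(secret: bytes, raw_body: bytes, signature: str):
    """Return (http_status, ids_of_reports_processed_for_the_first_time)."""
    if not signature or not verify_signature(secret, raw_body, signature):
        return 401, []  # reject before parsing unauthenticated JSON
    try:
        reports = json.loads(raw_body)["reports"]
        keys = [(str(r["id"]), str(r["uploadDate"])) for r in reports]
    except (ValueError, KeyError, TypeError):
        return 400, []
    fresh = []
    for key in keys:
        if key not in _seen:  # a retry or duplicate delivery is skipped
            _seen.add(key)
            fresh.append(key[0])
    return 200, fresh  # 2xx for duplicates too, so the sender stops retrying


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample values
    body = json.dumps({"reports": [{
        "id": "00000000-0000-0000-0000-000000000002",
        "uploadDate": "2025-12-17T09:05:48.5946432+00:00"}]}).encode()
    sig = expected_signature(secret, body)
    print(handle_delivery(secret, body, sig))        # first delivery
    print(handle_delivery(secret, body, sig))        # retried delivery
    print(handle_delivery(secret, body, "00" * 32))  # forged signature
```

Pass the request body to `handle_delivery` exactly as read from the socket; a framework that parses and re-serializes the JSON first will change the bytes and break the comparison.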
Typical Use Cases
- Automatically ingest SonarQube findings into internal security dashboards
- Trigger compliance workflows when quality gates fail
- Archive security reports for audits and vendor risk reviews
- Keep third-party systems synchronized with the latest code security posture
