Jira (PUP-10261) X-Hub-Signature check


Dirk (JIRA)

Jan 31, 2020, 8:07:04 AM
to puppe...@googlegroups.com
Dirk created an issue
 
Puppet / New Feature PUP-10261
X-Hub-Signature check
Issue Type: New Feature
Assignee: Unassigned
Components: Networking
Created: 2020/01/31 5:06 AM
Labels: github
Priority: Normal
Reporter: Dirk

Dear puppet team,

We got a request from the AXA security team to check with you whether it would be possible to enhance the Puppet Enterprise Code Manager with a verification that a received webhook was sent by the AXA enterprise GitHub:

"<...>, there are some ways to ensure the hook is coming from GitHub:
https://developer.github.com/enterprise/2.17/webhooks/
https://developer.github.com/webhooks/securing/

  • GitHub is sending some headers X-Github-xxx and a user-agent, so a first check is possible here
  • A header is called X-Hub-Signature, containing a hash (HMAC hex digest) based on a secret. Some tools are able to check this signature to validate <...>

Based on the Puppet version you’re using, can you contact the Puppet Support Team and ask them if there’s a way to implement the X-Hub-Signature check when they receive a payload from GitHub?"

If you need any further information please contact me.

Best regards and many thanks in advance,
Dirk

This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)
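
The check described in the request above, as an added Ruby example (not part of the original message, and not Puppet or Code Manager code): the receiver recomputes the HMAC-SHA1 of the raw request body with the shared secret and compares it, in constant time, to the `sha1=<hex>` value in X-Hub-Signature. The function names, secret and payload are constructed for illustration.

```ruby
require 'openssl'

# Constant-time comparison, so response timing does not reveal how many
# leading characters of a forged signature were correct.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Hypothetical helper: true only when `header` (the X-Hub-Signature value)
# equals "sha1=" + hex HMAC-SHA1 of the raw body under `secret`.
def valid_hub_signature?(secret, raw_body, header)
  return false if secret.nil? || secret.empty?  # fail closed if no secret is configured
  return false unless header.is_a?(String)      # header missing entirely
  algo, hex = header.split('=', 2)
  return false unless algo == 'sha1' && /\A[0-9a-f]{40}\z/.match?(hex.to_s)
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, raw_body)
  secure_compare(expected, hex)
end

# Constructed sample data (not a real secret or a real GitHub payload).
SAMPLE_SECRET = 'constructed-webhook-secret'
SAMPLE_BODY   = '{"ref":"refs/heads/production"}'
SAMPLE_HEADER = 'sha1=' + OpenSSL::HMAC.hexdigest(
  OpenSSL::Digest.new('sha1'), SAMPLE_SECRET, SAMPLE_BODY
)

if __FILE__ == $PROGRAM_NAME
  # The digest covers the exact bytes received: a re-serialized body
  # (here, one added space) no longer verifies.
  reserialized = '{"ref": "refs/heads/production"}'
  puts valid_hub_signature?(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_HEADER)
  puts valid_hub_signature?(SAMPLE_SECRET, reserialized, SAMPLE_HEADER)
  puts valid_hub_signature?('wrong-secret', SAMPLE_BODY, SAMPLE_HEADER)
  puts valid_hub_signature?(SAMPLE_SECRET, SAMPLE_BODY, nil)
end
```

The X-Github-xxx headers and user-agent mentioned in the first bullet are set by the sender and can be supplied by any client, so only the HMAC comparison ties a request to a holder of the secret.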

Patrick Grant (JIRA)

Jan 31, 2020, 8:12:03 AM
to puppe...@googlegroups.com
Patrick Grant updated an issue
Change By: Patrick Grant
Zendesk Ticket IDs: 37914

Rob Braden (JIRA)

Feb 3, 2020, 12:51:05 PM
to puppe...@googlegroups.com
Rob Braden updated an issue
Change By: Rob Braden
Team: Froyo

Josh Cooper (Jira)

Jul 30, 2020, 12:52:03 PM
to puppe...@googlegroups.com
Josh Cooper commented on New Feature PUP-10261
 
Re: X-Hub-Signature check

It sounds like this is a feature request for Puppet Enterprise Code Manager? Assuming yes, I'm going to move this ticket to that project.

This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935)