DEV.co
Open-Source DevOps · adnanh

webhook

webhook is a lightweight Go server that converts HTTP requests into shell command execution. It listens for incoming webhooks, validates them against configurable rules, and runs specified scripts with request data passed as arguments or environment variables.

Source: GitHub — github.com/adnanh/webhook
12k
GitHub stars
868
Forks
Go
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryadnanh/webhook
Owneradnanh
Primary languageGo
LicenseMIT — OSI-approved
Stars12k
Forks868
Open issues119
Latest release2.8.3 (2026-02-12)
Last updated2026-02-12
Sourcehttps://github.com/adnanh/webhook

What webhook is

A standalone HTTP endpoint server written in Go that parses incoming webhooks (headers, payload, query params), evaluates trigger rules, and executes configured shell commands. Supports JSON/YAML configuration, HTTPS, multipart form data, templates, Unix sockets, and systemd socket activation.

Quickstart

Get the webhook source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/adnanh/webhook.gitcd webhook# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

CI/CD Pipeline Triggers

Automatically redeploy applications when GitHub/GitLab pushes occur by configuring webhook endpoints that validate branch/payload conditions and execute deployment scripts.

Chat Platform Integrations

Route Slack/Mattermost outgoing webhooks to server-side commands, returning results back to chat channels using webhook's request-to-response flow.

Event-Driven Automation

Set up lightweight automation pipelines where external services (monitoring tools, form submissions, IoT devices) trigger server-side operations without building a full application layer.

Implementation considerations

  • Define trigger-rules carefully (branch matching, IP whitelists, secret validation) to prevent unauthorized command execution.
  • Shell commands execute with the privileges of the webhook process owner; isolate webhook to a minimal-permission user account.
  • Multipart form data parsing requires explicit configuration; default behavior ignores binary files unless marked as JSON.
  • When running behind a reverse proxy, IP-based rules cannot validate client IP—enforce restrictions at the proxy layer.
  • No built-in logging beyond verbose CLI output; integrate with external logging/monitoring if audit trail is required.

When to avoid it — and what to weigh

  • Complex Webhook Routing Logic — If you need sophisticated event transformation, retry logic, dead-letter queues, or multi-destination routing, specialized webhook platforms (Hookdeck, Hookdoo) are better suited.
  • High-Security Compliance Requirements — No built-in audit logging, encryption key management, or compliance frameworks. Requires external security infrastructure for PCI-DSS, SOC 2, or similar contexts.
  • Stateful Workflow Orchestration — webhook executes commands immediately; it does not maintain state, queue jobs, or coordinate multi-step workflows. Use workflow engines (Airflow, Temporal) for complex orchestration.
  • High-Volume Event Ingestion — Designed for moderate webhook traffic; lacks built-in horizontal scaling, load balancing, or performance monitoring that high-throughput systems require.

License & commercial use

MIT License grants permission to use, modify, and distribute webhook for any purpose (including commercial) with attribution and no warranty.

MIT is a permissive open-source license that explicitly allows commercial use. No commercial licensing, vendor lock-in, or usage restrictions apply. Deploy freely in production environments. However, verify your organization's open-source policy compliance and maintain attribution.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitStrong
Assessment confidenceHigh
Security considerations

webhook itself is a command execution layer with no built-in input sanitization; shell command arguments derive directly from HTTP request data. Risks include command injection if user-provided payloads are not validated by rules or scripts. No encryption of request bodies in transit (TLS must be configured). No authentication beyond trigger-rules; implement API key validation in rule logic. No rate limiting, DDoS mitigation, or request logging beyond verbose mode. Audit trail depends on OS/shell logging, not webhook itself. When exposing to the internet, deploy behind a WAF or API gateway and enforce strict trigger-rule validation.

Alternatives to consider

Hookdeck

Enterprise webhook gateway with event queuing, retry logic, filtering, transformation, monitoring, and replay—suited for mission-critical event routing and compliance scenarios.

Zapier / Make (Integromat)

Visual workflow builders with pre-built integrations, conditional logic, and multi-app orchestration; no coding or server infrastructure required.

AWS Lambda + API Gateway

Serverless, auto-scaling, built-in logging/monitoring, managed security, and integration with AWS ecosystem; higher operational overhead but greater reliability.

Software development agency

Build on webhook with DEV.co software developers

Evaluate webhook against your DevOps requirements. Check GitHub for installation, review Hook-Rules documentation for trigger validation, and test trigger-rule logic in your environment before production deployment.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

webhook FAQ

Can webhook validate webhook signatures (e.g., GitHub HMAC-SHA256)?
webhook does not implement cryptographic signature verification natively. Use trigger-rules to match headers and payloads, but signature validation logic must be embedded in your script or pre-proxy layer.
What happens if a command takes a long time to execute?
webhook blocks the HTTP request until the command completes (or times out). Long-running commands may cause HTTP timeouts. For async workloads, have your script enqueue to a job queue and return immediately.
Does webhook support environment-specific configuration?
Yes, via the `-template` CLI parameter which treats hooks.json/hooks.yaml as Go templates. Pass environment variables at startup to customize hook definitions.
Can I run webhook as a non-root user?
Yes. Run webhook under a dedicated user account with minimal filesystem and process privileges. Systemd socket activation can further restrict capabilities.

Custom software development services

Adopting webhook is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source devops software in production.

Ready to automate your workflows with webhooks?

Evaluate webhook against your DevOps requirements. Check GitHub for installation, review Hook-Rules documentation for trigger validation, and test trigger-rule logic in your environment before production deployment.