Konstantin Tarkus

GitHub Security Notifications for Discord

A practical guide for setting up automated security notifications from GitHub repositories to Discord channels.

Why Security Notifications Matter

Security events in your repositories need immediate attention. This guide helps you configure automated notifications so your team stays informed about:

  • Vulnerability discoveries and fixes
  • Security feature bypasses or disabled protections
  • Unauthorized access changes
  • Secret leaks and scanning results

Important Security Limitations

⚠️ Discord Webhook Security Notice:

  • Discord webhooks have no built-in authentication mechanism
  • Anyone with the webhook URL can send messages to your channel
  • There is no way to verify that messages come from GitHub
  • Treat webhook URLs as secrets and never expose them publicly

Discord Setup

1. Create a Private Security Channel

Right-click your Discord server → Create Channel
Name: #security (or #security-alerts)
Type: Text Channel
Private Channel: ✅ Enable
Permissions: Only security team members

2. Generate Webhook URL

Channel Settings → Integrations → Webhooks → New Webhook
Name: GitHub Security
Avatar: Upload GitHub logo (optional)
Copy Webhook URL → Save for GitHub configuration

GitHub Configuration

1. Repository Webhooks

Navigate to: Settings → Webhooks → Add webhook

Payload URL: [Your Discord webhook URL]/github
Content type: application/json
Secret: [Optional - validates requests FROM GitHub, but Discord cannot verify signatures]
SSL verification: Enable SSL verification

⚠️ Important: GitHub's webhook secret only lets the receiver verify that a delivery really came FROM GitHub (GitHub signs each request with it), which prevents spoofing. Discord webhooks perform NO signature validation: Discord accepts any properly formatted request sent to the webhook URL. If you need signature validation, place a proxy service between GitHub and Discord that checks the signature and forwards the message.
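As an added illustration of the proxy that paragraph mentions (example code, not part of the original post), this Python sketch verifies GitHub's X-Hub-Signature-256 HMAC over the raw request body, drops anything that fails the check or is not a security event, and only then posts to the plain Discord webhook URL. The sample payload, secret, repository name and webhook URL are constructed for the example.

```python
import hashlib
import hmac
import json
import urllib.request

SAMPLE_PAYLOAD = {  # constructed Dependabot alert delivery, trimmed to the fields used here
    "action": "created", "repository": {"full_name": "example-org/example-repo"},
    "alert": {"security_advisory": {"severity": "high", "summary": "Constructed advisory"}},
}
SAMPLE_BODY = json.dumps(SAMPLE_PAYLOAD).encode()
SECRET = b"constructed-shared-secret"  # the value typed into GitHub's "Secret" field

def sign_body(secret: bytes, body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256: 'sha256=' + HMAC-SHA256(secret, raw body)."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_signature(secret: bytes, body: bytes, header) -> bool:
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_body(secret, body), header)  # constant-time compare

def build_discord_message(event: str, payload: dict):
    """Map a verified security event to a Discord webhook body; None means 'do not forward'."""
    repo = payload.get("repository", {}).get("full_name", "?")
    action = payload.get("action", "")
    if event == "dependabot_alert":
        adv = payload["alert"]["security_advisory"]
        if adv["severity"] not in ("high", "critical"):
            return None  # keep the channel quiet for low/medium findings
        text = f"Dependabot alert {action} in {repo}: [{adv['severity']}] {adv['summary']}"
    elif event in ("secret_scanning_alert", "code_scanning_alert", "repository_advisory"):
        text = f"{event} {action} in {repo}"
    else:
        return None  # pushes, issues etc. are not security events
    return {"content": text}

def post_to_discord(webhook_url: str, message: dict) -> None:
    """Plain Discord webhook POST (this proxy formats the message, so no /github suffix)."""
    req = urllib.request.Request(webhook_url, data=json.dumps(message).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    urllib.request.urlopen(req, timeout=10).close()

def handle_delivery(secret, webhook_url, event, body, signature, post=post_to_discord):
    """Verify, filter and forward one delivery; returns the Discord body sent, or None."""
    if not verify_signature(secret, body, signature):
        return None  # drop silently: not provably from GitHub
    message = build_discord_message(event, json.loads(body))
    if message is not None:
        post(webhook_url, message)
    return message
```

The proxy must hash the raw bytes exactly as received; re-serialising the JSON before hashing will break the comparison.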

2. Critical Security Events

Enable these events for immediate notification:

☑️ Code scanning alerts - Code scanning alert created, fixed in branch, or closed
☑️ Secret scanning alerts - Secret scanning alert created, resolved, reopened, validated, or publicly leaked
☑️ Secret scanning alert locations - Secret scanning alert location created
☑️ Dependabot alerts - Dependabot alert auto_dismissed, auto_reopened, created, dismissed, reopened, fixed, or reintroduced
☑️ Repository vulnerability alerts - (Note: Being deprecated, use Dependabot alerts)
☑️ Security and analysis - When security features are enabled/disabled
☑️ Repository advisories - Security advisories published for the repo

3. Access Control Events

Enable for access monitoring:

☑️ Branch protection configurations - All protections enabled/disabled
☑️ Branch protection rules - Individual rules created/edited/deleted
☑️ Collaborator add, remove, or changed - Team member access changes
☑️ Deploy keys - Deployment key additions/removals
☑️ Visibility changes - Repository made public/private

4. Security Bypass Events

Enable for policy compliance:

☑️ Dismissal requests for code scanning alerts - Alert dismissal tracking
☑️ Dismissal requests for secret scanning alerts - Secret dismissal tracking
☑️ Bypass requests for push rulesets - Push rule bypass requests
☑️ Bypass requests for secret scanning push protections - Secret push bypass

Best Practices

Channel Management

  • Keep the security channel private and restricted
  • Add only security team members and repository maintainers
  • Use thread discussions for detailed investigation
  • Pin important security policies and contacts

Notification Hygiene

  • Start with critical events only, expand gradually
  • Review and tune notifications weekly for first month
  • Document response procedures for each alert type
  • Set up on-call rotation for critical alerts

Response Workflows

  • Acknowledge alerts within 15 minutes during business hours (organizational policy)
  • Assign owner for each security issue
  • Use GitHub issue templates for security incident tracking
  • Post resolution summaries back to the channel

Note: Response times are organizational recommendations based on industry standards for critical security incidents, not technical requirements from GitHub or Discord.

Testing Your Setup

  1. Configure the webhook in your repository
  2. Make a simple change (e.g., push a commit or create an issue)
  3. Check Discord channel for the notification
  4. Note: The GitHub "Test" button returns a 400 error because GitHub's test payload format doesn't match Discord's expected message schema. This is expected; real deliveries still work correctly.
  5. For security events, try creating a test file with a fake API key to trigger secret scanning

Event Priority Levels

🚨 Critical (Immediate Response Required)

  • Secret scanning alerts (publicly leaked)
  • Code scanning alerts (high/critical severity)
  • Repository vulnerability alerts (high/critical CVEs)
  • Security features disabled

⚠️ High (Response Within Hours)

  • Dependabot alerts (high/critical)
  • Branch protection disabled
  • Unauthorized collaborator changes
  • Deploy key modifications

ℹ️ Medium (Monitor and Review)

  • Security bypass requests
  • Alert dismissal requests
  • Branch protection rule changes
  • Completed security scans

Advanced Configuration (Optional)

Multiple Repositories

For teams managing multiple repositories:

  • Use organization-level webhooks for centralized management
  • Create separate channels for different severity levels (#security-critical, #security-info)
  • Start simple: same webhook for all repos, then customize as needed

Simple Enhancements

  • GitHub Actions: Filter events before sending to Discord (example: only notify for public repos)
  • Discord Bots: Use bots for two-way communication (acknowledge alerts from Discord)
  • Monitoring: Set up a simple daily/weekly summary of security events

Troubleshooting

Webhook not triggering:

  • Verify webhook URL format includes /github suffix (required for GitHub integration)
  • Check GitHub webhook delivery logs in Settings → Webhooks → Recent Deliveries
  • Ensure Discord channel permissions allow webhook posts
  • Note: GitHub's "test" payload will show a 400 error - this is normal

Missing notifications:

  • Review selected events in GitHub webhook configuration
  • Test with a simple push event first
  • Check Discord server notification settings

Too many notifications:

  • Start with critical events only
  • Use Discord thread mode for detailed discussions
  • Consider time-based filtering for non-critical events
  • Discord rate limit: ~5 requests per 2 seconds per webhook

Security Best Practices

Webhook URL Protection

  • Never expose webhook URLs in client-side code or public repositories
  • Store webhook URLs in environment variables or secure secret management systems
  • Rotate webhook URLs quarterly or immediately if exposed
  • Use .gitignore to exclude any files containing webhook URLs

Webhook Rotation Procedure

  1. Create new webhook in Discord (keep old one active)
  2. Update GitHub webhook configuration with new URL
  3. Test new webhook with a commit or issue
  4. Once confirmed working, delete old Discord webhook
  5. Document rotation in security log

Additional Security Measures

  • Consider using a proxy service between GitHub and Discord for additional validation
  • Implement monitoring for unusual webhook activity patterns
  • Use Discord bots with proper authentication for sensitive operations
  • Restrict channel access to security team members only

Security Reminder: Discord webhooks cannot authenticate senders. Any service or person with the webhook URL can post messages. This is a fundamental limitation of Discord's webhook system.

🚨 Critical: If a webhook URL is ever exposed or leaked, rotate it immediately. Exposed webhook URLs are compromised security credentials.
