Security Scan Notifications: Slack & Discord
Overview
Codity can automatically scan your repositories for security vulnerabilities and send the results directly to your Slack or Discord channel. You can set up recurring scans on a schedule, or trigger them manually at any time.
Getting Started
Step 1 — Add a Notification Destination
Go to Settings → Security Notifications and add a webhook destination.
- Choose your platform: Slack or Discord
- Paste your incoming webhook URL
- Click Test to verify the connection before saving
Where to get a webhook URL:
- Slack: Create an Incoming Webhook app at api.slack.com/apps
- Discord: Open channel settings → Integrations → Webhooks → New Webhook
Step 2 — Create a Scan Schedule
Once a destination is saved, create a schedule:
- Select the repository and branch to scan
- Set how often to scan (e.g. every 60 minutes)
- Choose your notification preference:
  - Always — notify on every scan, even if no issues are found
  - Findings only — only notify when vulnerabilities are detected
- Link it to the destination you created in Step 1
Step 3 — Run
Scans run automatically on your chosen interval. You can also trigger a scan immediately using the Run Now button next to any schedule.
What Gets Scanned
Each scan runs two checks:
- Pattern scan — static analysis of your source code for known vulnerability patterns
- Dependency scan (SCA) — checks all declared dependencies against public vulnerability databases (CVEs)
What the Notifications Look Like
Slack
A text message containing:
- Repository name and branch
- Total number of vulnerabilities found
- Breakdown by severity: critical / high / medium / low
- Top 5 findings with package name and CVE ID
Discord
A rich embed message with the same information, color-coded by severity:
- Red — critical vulnerabilities found
- Amber — high severity findings
- Green — no critical or high severity issues
If a scan could not run because Codity lost access to the repository, both platforms receive a distinct auth-failure notification instead.
Managing Notifications
From Settings → Security Notifications you can:
| Action | Description |
|---|---|
| Add destination | Connect a new Slack or Discord webhook |
| Test destination | Send a test message to verify the webhook works |
| Edit destination | Update the webhook URL or name |
| Create schedule | Set up a recurring scan for a repo/branch |
| Edit schedule | Change interval, branch, or notification preference |
| Enable / Disable | Pause a schedule without deleting it |
| Run Now | Trigger an immediate scan |
| View History | See past scan results and delivery status |
Notification Delivery History
Every notification attempt is logged. Under History you can see:
- When each scan ran
- Whether the notification was delivered successfully
- The HTTP response from the webhook
- Any error details if delivery failed
Your Webhook URL is Kept Secure
Webhook URLs are encrypted before being stored and are only decrypted at the moment a notification is sent. They are never exposed in logs or API responses.
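One way to keep Slack and Discord webhook URLs out of logs in your own tooling that handles them, such as a script that relays delivery errors. This is an added example, not Codity's code: the function and class names are hypothetical, and the sample log lines and URLs are constructed.

```python
import logging
import re

# Slack incoming webhooks: https://hooks.slack.com/services/<T...>/<B...>/<secret>
# Discord webhooks: https://discord.com/api/webhooks/<id>/<token>
# (discordapp.com is the older Discord host and is matched as well).
WEBHOOK_RE = re.compile(
    r"https://(?:"
    r"(hooks\.slack\.com)/services/[A-Za-z0-9_/-]+"
    r"|(discord(?:app)?\.com)/api/webhooks/\d+/[A-Za-z0-9_.-]+"
    r")"
)


def redact_webhooks(text: str) -> str:
    """Replace every Slack/Discord webhook URL with its host plus a marker."""
    def _mask(match: re.Match) -> str:
        host = match.group(1) or match.group(2)
        return f"https://{host}/[REDACTED-WEBHOOK]"
    return WEBHOOK_RE.sub(_mask, text)


class WebhookRedactionFilter(logging.Filter):
    """Scrub webhook URLs from a record's message before it is emitted."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_webhooks(record.getMessage())
        record.args = None  # message is already fully formatted
        return True


# Constructed delivery-error lines of the kind an HTTP client might produce.
SAMPLE_LINES = [
    "POST https://hooks.slack.com/services/T0000/B0000/constructedSecret -> 404 no_service",
    "delivery failed: https://discord.com/api/webhooks/1234567890/constructed-token_1?wait=true (401)",
    "scan finished for repo example/app on main: 3 findings",
]


def redact_samples() -> list[str]:
    return [redact_webhooks(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    log = logging.getLogger("notify")
    handler = logging.StreamHandler()
    handler.addFilter(WebhookRedactionFilter())
    log.addHandler(handler)
    for line in SAMPLE_LINES:
        log.error("%s", line)
```

The filter covers the log message only; exception tracebacks are rendered later by the Formatter, so apply `redact_webhooks` there as well if errors are logged with `exc_info`.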