Test-GitHubWebhookSignature
SYNOPSIS
Verifies a GitHub webhook signature using a shared secret.
SYNTAX
Test-GitHubWebhookSignature [-Secret] <String> [-Body] <String> [-Signature] <String>
[-ProgressAction <ActionPreference>] [<CommonParameters>]
DESCRIPTION
This function validates the integrity and authenticity of a GitHub webhook request by comparing the received HMAC SHA-256 signature against a computed hash of the payload using a shared secret. It uses a constant-time comparison to mitigate timing attacks and returns a boolean indicating whether the signature is valid.
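The check described above, written out as an added example; this is not the module's own source. The function name `Test-HmacSha256Signature`, the secret and the payload are constructed for illustration, and the byte-wise comparison loop is one way to get a constant-time compare that also runs on Windows PowerShell 5.1.

```powershell
# Added illustration; Test-HmacSha256Signature is a hypothetical name, not part of the module.
function Test-HmacSha256Signature {
    [OutputType([bool])]
    param(
        [Parameter(Mandatory)] [string] $Secret,
        [Parameter(Mandatory)] [string] $Body,
        [Parameter(Mandatory)] [string] $Signature
    )
    # Reject anything that is not "sha256=" followed by exactly 64 hex characters.
    if ($Signature -notmatch '^sha256=[0-9a-fA-F]{64}$') { return $false }

    $utf8 = [System.Text.Encoding]::UTF8
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($utf8.GetBytes($Secret))
    try {
        $computed = $hmac.ComputeHash($utf8.GetBytes($Body))
    } finally {
        $hmac.Dispose()
    }

    # Decode the received hex digest into 32 bytes.
    $hex = $Signature.Substring(7)
    $received = [byte[]]::new(32)
    for ($i = 0; $i -lt 32; $i++) {
        $received[$i] = [Convert]::ToByte($hex.Substring($i * 2, 2), 16)
    }

    # Constant-time comparison: accumulate the XOR of every byte pair, never exit early.
    $diff = 0
    for ($i = 0; $i -lt 32; $i++) {
        $diff = $diff -bor ($computed[$i] -bxor $received[$i])
    }
    return ($diff -eq 0)
}

# Constructed sample: sign a compact payload the way a sender would, then verify it.
$secret = 'constructed-example-secret'
$raw    = '{"action":"opened","number":1}'
$signer = [System.Security.Cryptography.HMACSHA256]::new([System.Text.Encoding]::UTF8.GetBytes($secret))
$digest = $signer.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($raw))
$signer.Dispose()
$header = 'sha256=' + (-join ($digest | ForEach-Object { $_.ToString('x2') }))

# Case 1: the body exactly as received.
Test-HmacSha256Signature -Secret $secret -Body $raw -Signature $header
# Case 2: parsed and re-serialized body; the whitespace differs, so the HMAC input differs.
$reserialized = $raw | ConvertFrom-Json | ConvertTo-Json
Test-HmacSha256Signature -Secret $secret -Body $reserialized -Signature $header
# Case 3: malformed header value is rejected before any hashing.
Test-HmacSha256Signature -Secret $secret -Body $raw -Signature 'sha256=abc123'
```

The second call is the common failure mode: the signature covers the exact bytes GitHub sent, so the body must be captured before any JSON parsing or reformatting.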
EXAMPLES
EXAMPLE 1
Test-GitHubWebhookSignature -Secret $env:WEBHOOK_SECRET -Body $Request.RawBody -Signature $Request.Headers['X-Hub-Signature-256']
Output:
True
Validates the provided webhook payload against the HMAC SHA-256 signature using the given secret.
PARAMETERS
-Secret
The secret key used to compute the HMAC hash. Example: 'mysecret'
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
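-Body
The JSON body of the GitHub webhook request. This must be the compact (unformatted) JSON payload exactly as received from GitHub; re-serializing or pretty-printing it changes the bytes, and the signature will no longer match. Example: '{"action":"opened"}'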
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 2
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Signature
The signature received from GitHub to compare against. Example: 'sha256=abc123...'
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 3
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-ProgressAction
{{ Fill ProgressAction Description }}
Type: ActionPreference
Parameter Sets: (All)
Aliases: proga
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
INPUTS
OUTPUTS
bool
NOTES
Returns True if the webhook signature is valid, otherwise False. Indicates whether the signature matches the computed value based on the payload and secret.
RELATED LINKS
https://psmodule.io/GitHub/Functions/Webhooks/Test-GitHubWebhookSignature
https://docs.github.com/webhooks/using-webhooks/validating-webhook-deliveries