Test-GitHubWebhookSignature
SYNOPSIS
Verifies a GitHub webhook signature using a shared secret.
SYNTAX
ByBody (Default)
Test-GitHubWebhookSignature -Secret <string> -Body <string> -Signature <string> [<CommonParameters>]
ByRequest
Test-GitHubWebhookSignature -Secret <string> -Request <psobject> [<CommonParameters>]
DESCRIPTION
This function validates the integrity and authenticity of a GitHub webhook request by comparing the received HMAC signature against a computed hash of the payload using a shared secret. It uses the SHA-256 algorithm and employs a constant-time comparison to mitigate timing attacks. The function returns a boolean indicating whether the signature is valid.
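The check described above, as an added PowerShell example that is not the module's own code: compute the HMAC-SHA256 of the body with the shared secret, format it like the `sha256=...` header value, and compare without exiting at the first mismatch. The function names and sample values are hypothetical, and UTF-8 encoding of the secret and body is an assumption.

```powershell
# Added illustration; Get-ExampleHmacSignature and Test-ExampleHmacSignature are
# hypothetical names, not functions from the module documented on this page.
function Get-ExampleHmacSignature {
    param([string] $Secret, [string] $Body)
    $utf8 = [System.Text.Encoding]::UTF8   # assumption: secret and body are UTF-8
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($utf8.GetBytes($Secret))
    try {
        $hash = $hmac.ComputeHash($utf8.GetBytes($Body))
    } finally {
        $hmac.Dispose()
    }
    # Header value format: 'sha256=' followed by the lowercase hex digest.
    'sha256=' + [System.BitConverter]::ToString($hash).Replace('-', '').ToLowerInvariant()
}

function Test-ExampleHmacSignature {
    [OutputType([bool])]
    param([string] $Secret, [string] $Body, [string] $Signature)
    # Fail closed when the secret or the signature header is missing.
    if ([string]::IsNullOrEmpty($Secret) -or [string]::IsNullOrEmpty($Signature)) { return $false }
    $ascii    = [System.Text.Encoding]::ASCII
    $expected = $ascii.GetBytes((Get-ExampleHmacSignature -Secret $Secret -Body $Body))
    $received = $ascii.GetBytes($Signature)
    # The length is public (7-character prefix + 64 hex characters), so this early exit leaks nothing.
    if ($expected.Length -ne $received.Length) { return $false }
    # Constant-time comparison: XOR each byte pair and OR the results together,
    # so the loop always runs to the end regardless of where a mismatch occurs.
    $diff = 0
    for ($i = 0; $i -lt $expected.Length; $i++) {
        $diff = $diff -bor ($expected[$i] -bxor $received[$i])
    }
    return ($diff -eq 0)
}

# Constructed sample values, not real credentials or deliveries.
$secret    = 'example-secret'
$body      = '{"action":"opened"}'
$signature = Get-ExampleHmacSignature -Secret $secret -Body $body   # what the sender would attach

# Body and secret unchanged.
Test-ExampleHmacSignature -Secret $secret -Body $body -Signature $signature
# Same JSON after pretty-printing: the bytes differ, so the signature no longer matches.
Test-ExampleHmacSignature -Secret $secret -Body '{ "action": "opened" }' -Signature $signature
# Receiver configured with a different secret.
Test-ExampleHmacSignature -Secret 'other-secret' -Body $body -Signature $signature
```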
EXAMPLES
EXAMPLE 1
Test-GitHubWebhookSignature -Secret $env:WEBHOOK_SECRET -Body $Request.RawBody -Signature $Request.Headers['X-Hub-Signature-256']
Output:
True
Validates the provided webhook payload against the HMAC SHA-256 signature using the given secret.
EXAMPLE 2
Test-GitHubWebhookSignature -Secret $env:WEBHOOK_SECRET -Request $Request
Output:
True
Validates the webhook request using the entire request object, automatically extracting the body and signature.
PARAMETERS
-Body
The JSON body of the GitHub webhook request. This must be the raw, compact JSON payload exactly as received from GitHub; reformatting or re-serializing it changes the bytes and invalidates the signature. Example: '{"action":"opened"}'
Type: System.String
DefaultValue: ''
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: ByBody
Position: Named
IsRequired: true
ValueFromPipeline: false
ValueFromPipelineByPropertyName: false
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''
-Request
The entire request object containing RawBody and Headers. Used in Azure Function Apps or similar environments.
Type: System.Management.Automation.PSObject
DefaultValue: ''
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: ByRequest
Position: Named
IsRequired: true
ValueFromPipeline: false
ValueFromPipelineByPropertyName: false
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''
-Secret
The secret key used to compute the HMAC hash. Example: 'mysecret'
Type: System.String
DefaultValue: ''
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: (All)
Position: Named
IsRequired: true
ValueFromPipeline: false
ValueFromPipelineByPropertyName: false
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''
-Signature
The signature received from GitHub to compare against. Example: 'sha256=abc123...'
Type: System.String
DefaultValue: ''
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: ByBody
Position: Named
IsRequired: true
ValueFromPipeline: false
ValueFromPipelineByPropertyName: false
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
INPUTS
OUTPUTS
bool
System.Boolean
NOTES
Validating Webhook Deliveries | GitHub Docs
Webhook events and payloads | GitHub Docs