If a Webhook secret is configured in SonarCloud's Github Application, Webhook calls received from Github include an X-Hub-Signature header. That header can be used to validate the integrity of the Webhook payload and to ensure the request actually came from Github.
The Github App's Webhook secret is provided to SonarQube through a property, and the following logic should be applied:
- if the property is not set, webhooks must have no X-Hub-Signature header
- if the property is set, the webhook must have an X-Hub-Signature header and its value must be valid
- otherwise, the webhook is ignored
In addition, since Github does not send any HTTP parameter, the request should be rejected if it carries any.
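The decision logic above, written out as an added example (not SonarQube's own code): X-Hub-Signature is assumed to carry `sha1=` followed by the hex HMAC-SHA1 of the raw request body, which is how Github computes it; the function names, the sample body and the secret are constructed for this illustration.

```python
import hashlib
import hmac
from typing import Mapping, Optional

# Constructed sample payload standing in for a Github webhook body.
SAMPLE_BODY = b'{"action": "opened", "number": 1}'


def compute_signature(secret: bytes, body: bytes) -> str:
    """Github's X-Hub-Signature value: 'sha1=' + hex HMAC-SHA1 over the raw body."""
    return "sha1=" + hmac.new(secret, body, hashlib.sha1).hexdigest()


def find_signature_header(headers: Mapping[str, str]) -> Optional[str]:
    """HTTP header names are case-insensitive, so match them that way."""
    for name, value in headers.items():
        if name.lower() == "x-hub-signature":
            return value
    return None


def should_accept_webhook(
    configured_secret: Optional[str],
    headers: Mapping[str, str],
    query_params: Mapping[str, str],
    body: bytes,
) -> bool:
    """Apply the ticket's rules; True means the webhook may be processed."""
    # Github sends no HTTP parameters, so any parameter means "reject".
    if query_params:
        return False
    signature = find_signature_header(headers)
    if not configured_secret:
        # Property not set: a signed request is unexpected and is ignored.
        return signature is None
    if signature is None:
        # Property set but the request is unsigned: ignore it.
        return False
    expected = compute_signature(configured_secret.encode("utf-8"), body)
    # Constant-time comparison so the expected value does not leak via timing.
    return hmac.compare_digest(expected, signature)
```

The signature must be computed over the raw bytes exactly as received; re-serialising parsed JSON before hashing will produce a different digest.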
The only accepted caller IPs should be the public IPs of Github.
(TODO: get the list of public IPs from Github)