What Changed
Microsoft added the GitHub Webhook V2 data connector as the strategic replacement for the original GitHub Webhook connector. The V2 connector migrates from the deprecated HTTP Data Collector API (CLv1/ODS endpoint) to the supported Logs Ingestion API (CLv2) with Managed Identity authentication.
Data Source
This connector ingests GitHub Advanced Security webhook events for organizations using GitHub Enterprise features:
- Code Scanning Alert: Static analysis findings from CodeQL and third-party tools
- Repository Vulnerability Alert: Dependabot dependency vulnerability notifications
- Secret Scanning Alert: Exposed credential detections in repository code
Ingestion Mechanism
- V2 (new): Logs Ingestion API (CLv2) with Managed Identity (DefaultAzureCredential)
- V1 (legacy): HTTP Data Collector API (CLv1/ODS) with SharedKey authentication
- Table: GitHubAdvancedSecurityAlerts_CL (V2) vs githubscanaudit_CL (V1)
- Unified parser: githubscanaudit() unions both tables for backward compatibility
The V2 connector uses a DCR/DCE (Data Collection Rule / Data Collection Endpoint) architecture, with the Function App's system-assigned Managed Identity granted the Monitoring Metrics Publisher role on the Data Collection Rule.
Security Impact (Visibility & Fidelity)
Migration urgency: The CLv1 HTTP Data Collector API is being replaced by Microsoft. Organizations still using the V1 GitHub Webhook connector will lose ingestion capability when CLv1 is deprecated. This creates a detection blind spot for:
- Supply chain compromise via dependency vulnerabilities (MITRE T1195.002)
- Credential exposure in code repositories
- SAST findings that detect injection flaws and other code-level vulnerabilities
Backward compatibility: Both V1 and V2 tables use identical column schemas with _s/_d/_b suffixes. All existing workbooks, analytic rules, hunting queries, and parsers (GitHubCodeScanningData, GitHubDependabotData, GitHubSecretScanningData) continue to function via the unified githubscanaudit() parser.
Detection Surface Unlocked
For new deployments, this connector provides visibility into:
- Code quality gates: Static analysis alerts that may indicate vulnerable coding patterns
- Dependency risk: Third-party library vulnerabilities flagged by Dependabot scanning
- Secrets exposure: Hardcoded API keys, tokens, and credentials committed to repositories
The connector supports HMAC-SHA256 signature validation (x-hub-signature-256) when GithubWebhookSecret is configured, ensuring webhook authenticity.
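The x-hub-signature-256 check described above, as an added Python example (not the connector's own code): the function names, secret and payload are constructed for illustration, and rejecting requests when no secret is supplied is a choice made in this example.

```python
import hashlib
import hmac
import json
from typing import Mapping, Optional

SIG_HEADER = "x-hub-signature-256"  # header named on this page
SIG_PREFIX = "sha256="              # GitHub prefixes the hex digest with this


def expected_signature(secret: bytes, raw_body: bytes) -> str:
    """Header value for a body: 'sha256=' + hex HMAC-SHA256(secret, body)."""
    return SIG_PREFIX + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(headers: Mapping[str, str], raw_body: bytes,
                   secret: Optional[str]) -> bool:
    """True only if raw_body carries a valid signature for secret."""
    if not secret:
        # Choice made in this example: reject when no secret is supplied.
        return False
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    received = lowered.get(SIG_HEADER, "").strip()
    if not received.startswith(SIG_PREFIX):
        return False  # header missing, or a different scheme such as sha1=
    expected = expected_signature(secret.encode("utf-8"), raw_body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), received.encode())


if __name__ == "__main__":
    secret = "constructed-secret"  # constructed sample value
    body = b'{"action":"created","alert":{"number":7}}'  # constructed payload
    sig = expected_signature(secret.encode(), body)
    print(verify_webhook({"X-Hub-Signature-256": sig}, body, secret))
    # Re-serialising the JSON changes the bytes, so the signature stops matching.
    reserialised = json.dumps(json.loads(body)).encode()
    print(verify_webhook({"X-Hub-Signature-256": sig}, reserialised, secret))
```

The HMAC must be computed over the request body bytes exactly as received; verifying a parsed and re-encoded payload fails even for genuine deliveries.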
Affected Files
.script/tests/KqlvalidationsTests/CustomFunctions/githubscanaudit.json
.script/tests/KqlvalidationsTests/CustomTables/GitHubAdvancedSecurityAlerts_CL.json
Sample Data/GitHubAdvancedSecurityAlerts_CL.json
Solutions/GitHub/Data Connectors/GithubWebhookV2/GithubWebhookConnectorV2/__init__.py
Solutions/GitHub/Data Connectors/GithubWebhookV2/GithubWebhookConnectorV2/function.json
Solutions/GitHub/Data Connectors/GithubWebhookV2/GithubWebhookV2_API_FunctionApp.json
Solutions/GitHub/Data Connectors/GithubWebhookV2/README.md
Solutions/GitHub/Data Connectors/GithubWebhookV2/azuredeploy_GithubWebhookV2_API_FunctionApp.json
Solutions/GitHub/Data Connectors/GithubWebhookV2/host.json
Solutions/GitHub/Data Connectors/GithubWebhookV2/requirements.txt
Solutions/GitHub/Parsers/GitHubScanAudit.yaml
(packaging artefacts: 3.2.0.zip, GithubWebhookV2.zip, ReleaseNotes.md, Solution_GitHub.json, createUiDefinition.json, mainTemplate.json)