In April 2024, the Core Atlantis Team launched an anonymous survey to better understand our community's needs and help prioritize our roadmap.
If you're an Atlantis user, please take 5 minutes to fill it out: Survey Link
Atlantis uses Webhook secrets to validate that the webhooks it receives from your Git host are legitimate.
One way to confirm this would be to allowlist requests so that they only come from the IPs of your Git host, but an easier way is to use a Webhook Secret.
NOTE
Webhook secrets are actually optional. However, they're highly recommended for security.
NOTE
Azure DevOps uses Basic authentication for webhooks rather than webhook secrets.
NOTE
An app-wide token is generated during GitHub App setup. You can recover it by navigating to the GitHub app settings page and selecting "Edit" next to your Atlantis app's name. The token appears under the Webhook header after you click "Edit".
WARNING
Bitbucket.org does not support webhook secrets. To mitigate, use repo allowlists and IP allowlists. See Security for more information.
You can use any random string generator to create your Webhook secret. It should be longer than 24 characters.
For example:
ruby -rsecurerandom -e 'puts SecureRandom.hex(32)'
NOTE
You must use the same webhook secret for each repo.
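What validating a webhook against the shared secret looks like on the receiving side, as an added example that is not Atlantis's own code. It assumes GitHub's scheme, where the X-Hub-Signature-256 header carries sha256= followed by the hex HMAC-SHA256 of the raw request body; the function names and the sample payload are constructed for illustration.

```ruby
require 'openssl'
require 'securerandom'

MIN_SECRET_LENGTH = 25 # the page asks for more than 24 characters

# Same generator as the one-liner above: 32 random bytes, 64 hex characters.
def generate_webhook_secret
  SecureRandom.hex(32)
end

# Value a GitHub-style sender places in the X-Hub-Signature-256 header.
def sign_payload(secret, body)
  'sha256=' + OpenSSL::HMAC.hexdigest('SHA256', secret, body)
end

# Constant-time comparison: the loop always covers every byte, so response
# timing does not reveal how much of a guessed signature was correct.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# True only when the header matches the HMAC of the raw, unparsed body.
# A missing header or a different algorithm prefix is rejected outright.
def valid_webhook?(secret, body, header)
  raise ArgumentError, 'webhook secret too short' if secret.length < MIN_SECRET_LENGTH
  return false if header.nil? || !header.start_with?('sha256=')
  secure_equal?(sign_payload(secret, body), header)
end

# Constructed sample data (not a real delivery).
SECRET      = generate_webhook_secret
BODY        = '{"action":"opened","number":1}'
GOOD_HEADER = sign_payload(SECRET, BODY)

puts "genuine delivery accepted: #{valid_webhook?(SECRET, BODY, GOOD_HEADER)}"
puts "tampered body accepted:    #{valid_webhook?(SECRET, BODY + ' ', GOOD_HEADER)}"
```

The check has to run over the exact bytes received, before any JSON parsing or re-serialization, or a genuine delivery will fail to verify.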