Skip to main content
When Root remediates a container image and creates a new Root Remediated Tag (RRT), it can send a webhook notification to an HTTPS endpoint you control. This lets you react immediately - for example, automatically copying the new image into your private registry the moment it’s ready.

Use Cases

  • Auto-mirror to a private registry - copy new remediated images to Amazon ECR, JFrog Artifactory, or any other registry as soon as Root publishes them
  • Trigger CI/CD pipelines - kick off a rebuild or redeploy whenever a base image is patched
  • Audit and logging - record remediation events in your own systems

How It Works

  1. You register a webhook endpoint URL with Root and specify which event types to subscribe to
  2. When a new RRT is created, Root sends a signed HTTP POST to your endpoint
  3. Your endpoint verifies the signature and processes the event

Setting Up a Webhook

Webhook subscriptions are managed via the Root API. UI support is coming soon.

Step 1 - Register your endpoint

curl -X POST https://api.root.io/v3/settings/webhooks \
  -H "Authorization: Bearer <your-token>" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://your-endpoint.example.com/",
    "description": "Mirror to ECR",
    "event_types": ["io.root.cr.image.created.v1"]
  }'
The response body includes a secret field - this is your webhook signing secret. Copy it now; Root uses it to sign every request so your endpoint can verify it came from Root.

Step 2 - Verify webhook signatures

Every webhook Root sends is signed with HMAC-SHA256 following the Standard Webhooks specification. Your endpoint should verify the signature on every incoming request before acting on it. The signature is included in the webhook-signature header. Requests with timestamps older than 5 minutes should be rejected to prevent replay attacks.
If you’re using the ecr-mirror-lambda reference implementation, signature verification is handled for you automatically.

Event Types

Event typeWhen it fires
io.root.cr.image.created.v1A new Root Remediated Tag has been created

Example: Auto-Mirror to Amazon ECR

ecr-mirror-lambda is a ready-to-deploy AWS Lambda that receives Root webhooks and automatically copies each new remediated image into your ECR. Deploy it once with Terraform and every new RRT will appear in your ECR without any manual steps.

ecr-mirror-lambda

Deploy a pre-built Lambda that mirrors Root remediated images to your ECR automatically.