Action Tokens

Trigger CodeWall actions from Slack, CI/CD pipelines, and other external systems.

Action tokens let external systems trigger CodeWall actions via simple HTTP requests. Each token is scoped to specific actions and tied to your organisation, so you can grant granular access without sharing user credentials.

Common use cases include triggering an emergency stop from a Slack slash command, pausing schedules during a change freeze, or kicking off a pentest from a CI/CD pipeline after a deployment.

Creating a token

  1. Go to Settings > Webhooks
  2. Click Add > Action Token
  3. Enter a label (e.g. "Slack Emergency Stop")
  4. Select which actions this token can perform
  5. Optionally set an expiry date
  6. Click Create Token
  7. Copy the token immediately; it is only shown once

Available actions

| Action | Endpoint | Description |
|---|---|---|
| emergency_stop | POST /v1/actions/emergency-stop | Kill all active pentest runs immediately |
| pause_all_schedules | POST /v1/actions/pause-schedules | Pause all active recurring schedules |
| resume_all_schedules | POST /v1/actions/resume-schedules | Resume all paused schedules |
| approve_phase | POST /v1/actions/approve-phase | Approve or reject a pending phase gate |
| trigger_retest | POST /v1/actions/trigger-retest | Re-run a finding retest |
| trigger_run | POST /v1/actions/trigger-run | Start a new pentest run against a target |

Authentication

Include your token in the Authorization header:

Authorization: Bearer cwa_your_token_here

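Or pass it as a query parameter (useful for simpler integrations; URLs are commonly recorded in access and proxy logs, so prefer the header where the caller can set one):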

POST /v1/actions/emergency-stop?token=cwa_your_token_here

Examples

Emergency stop

curl -X POST https://api.codewall.ai/v1/actions/emergency-stop \
  -H "Authorization: Bearer cwa_your_token_here"

Response:

{
  "response_type": "in_channel",
  "text": "Emergency stop executed. 3 run(s) terminated.",
  "stopped": ["run-abc", "run-def", "run-ghi"],
  "count": 3
}

Pause all schedules

curl -X POST https://api.codewall.ai/v1/actions/pause-schedules \
  -H "Authorization: Bearer cwa_your_token_here"

Resume all schedules

curl -X POST https://api.codewall.ai/v1/actions/resume-schedules \
  -H "Authorization: Bearer cwa_your_token_here"

Approve a phase gate

curl -X POST https://api.codewall.ai/v1/actions/approve-phase \
  -H "Authorization: Bearer cwa_your_token_here" \
  -H "Content-Type: application/json" \
  -d '{"run_id": "run-abc123", "decision": "approve"}'

The decision field accepts "approve" or "reject". When rejecting, you can optionally set rejection_action to "cancel" (default) or "skip_to_report".

Trigger a finding retest

curl -X POST https://api.codewall.ai/v1/actions/trigger-retest \
  -H "Authorization: Bearer cwa_your_token_here" \
  -H "Content-Type: application/json" \
  -d '{"finding_id": 42}'

Trigger a new pentest run

curl -X POST https://api.codewall.ai/v1/actions/trigger-run \
  -H "Authorization: Bearer cwa_your_token_here" \
  -H "Content-Type: application/json" \
  -d '{"target_url": "https://staging.example.com", "mode": "quick", "name": "Post-deploy scan"}'

Optional fields: project_id (defaults to the org's default project), mode ("quick" or "thorough", defaults to "quick"), name (human-readable label).

Slack integration

Action tokens are designed to work seamlessly with Slack. Two common setups:

Slack Workflow Builder

  1. Create a new Workflow in Slack
  2. Add a trigger (e.g. emoji reaction, slash command, or button)
  3. Add a Send a web request step
  4. Set the URL to https://api.codewall.ai/v1/actions/emergency-stop
  5. Set method to POST
  6. Add a header: Authorization: Bearer cwa_your_token_here
  7. The response text field will be displayed in Slack

Slack slash command

  1. Create a Slack app at api.slack.com/apps
  2. Add a slash command (e.g. /codewall-stop)
  3. Set the Request URL to https://api.codewall.ai/v1/actions/emergency-stop?token=cwa_your_token_here
  4. The response includes response_type: "in_channel" so the result is visible to the channel

CI/CD integration

Trigger pentests automatically after deployments:

# GitHub Actions example
- name: Trigger pentest
  run: |
    curl -X POST https://api.codewall.ai/v1/actions/trigger-run \
      -H "Authorization: Bearer ${{ secrets.CODEWALL_ACTION_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"target_url": "https://staging.example.com", "name": "Post-deploy: ${{ github.sha }}"}'

Security

  • Tokens are stored as SHA-256 hashes; CodeWall never stores the plaintext token
  • Each token is scoped to specific actions and bound to a single organisation
  • Tokens can be revoked instantly in Settings
  • Tokens can be given an optional expiry date
  • All token usage is recorded in the Audit Log
  • Action endpoints are rate-limited to prevent abuse (3 to 10 requests per minute depending on the action)
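
The storage and checks listed above, sketched as an added example (this is not CodeWall's code): only the SHA-256 digest of each token is kept, and a request is allowed only if the token is known, not revoked, not expired and scoped to the requested action. The token format after the cwa_ prefix, the record fields and the function names are assumptions.

```python
import hashlib
import secrets
from datetime import datetime, timezone

PREFIX = "cwa_"   # prefix used in this page's examples
STORE = {}        # SHA-256 hex digest -> record; the plaintext is never kept

def _digest(token):
    # A fast unsalted hash is adequate here only because the token is
    # long and random; it would not be adequate for user passwords.
    return hashlib.sha256(token.encode()).hexdigest()

def issue_token(org, actions, expires_at=None):
    """Create a token, store its digest, and return the plaintext once."""
    token = PREFIX + secrets.token_urlsafe(32)   # assumed format
    STORE[_digest(token)] = {
        "org": org,
        "actions": frozenset(actions),
        "expires_at": expires_at,   # timezone-aware datetime or None
        "revoked": False,
    }
    return token

def revoke(token):
    """Mark a token revoked; later requests with it are denied."""
    STORE[_digest(token)]["revoked"] = True

def authorize(token, action, now=None):
    """Return (True, org) if allowed, else (False, reason). Default is deny."""
    now = now or datetime.now(timezone.utc)
    if not token.startswith(PREFIX):
        return False, "malformed"
    record = STORE.get(_digest(token))
    if record is None:
        return False, "unknown"
    if record["revoked"]:
        return False, "revoked"
    if record["expires_at"] is not None and now >= record["expires_at"]:
        return False, "expired"
    if action not in record["actions"]:
        return False, "out_of_scope"
    return True, record["org"]

if __name__ == "__main__":
    t = issue_token("org-1", ["emergency_stop"])   # constructed sample values
    print(authorize(t, "emergency_stop"))
    print(authorize(t, "trigger_run"))
```

Because only the digest is stored, a lost token cannot be recovered from the store, which is why the plaintext is shown once at creation.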

Rate limits

| Endpoint | Limit |
|---|---|
| Emergency stop | 3/minute |
| Pause/resume schedules | 3/minute |
| Approve phase | 10/minute |
| Trigger retest | 5/minute |
| Trigger run | 5/minute |
