Django Signals for Automated Webhook Notifications

[TBoykott]

The signals.py file in backend/core/ defines Django signal handlers that automatically monitor changes to two key models: ComplianceAssessment and AppliedControl. Whenever the status of these objects changes or a new object is created, the signals trigger and send a structured JSON payload to an external webhook URL (configured via the NOTIFICATION_WEBHOOK_URL environment variable).
This mechanism enables seamless integration with external systems (such as SIEM, ticketing, or monitoring tools) by providing real-time notifications about important compliance and control events within the application. The file centralizes and automates the notification logic, ensuring that key changes are always communicated to interested third-party services without manual intervention.

Summary by CodeRabbit

• New Features

  • Introduced webhook notifications for compliance and control status changes, enabling external systems to receive updates on key events.
  • Added support for configuring a webhook endpoint via an environment variable.
  • Displayed compliance and progress percentages for compliance assessments.

• Chores

  • Updated Docker and Docker Compose configurations to support webhook integration and optimize build context.
  • Revised Docker and Git ignore files to better manage excluded files and directories.

[github-actions]

CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅

[TBoykott]

I have read the CLA Document and I hereby sign the CLA

[coderabbitai]

Walkthrough

This update introduces webhook notification functionality for compliance and control status changes in the backend. It adds a new webhooks module, modifies model save methods to trigger notifications, updates environment and Docker settings for webhook configuration, and revises ignore files for both Docker and Git. Several utility and helper improvements are also included.

Changes

Cohort / File(s)	Change Summary
Webhook Notification Infrastructure backend/core/webhooks.py, backend/core/apps.py, backend/ciso_assistant/settings.py, docker-compose.yml	Adds a new webhooks module for sending notifications on status changes, integrates dynamic import of webhooks in app config, introduces a NOTIFICATION_WEBHOOK_URL environment variable in settings and Docker Compose.
Model Save Logic & Progress Calculation backend/core/models.py	Modifies save methods of AppliedControl and ComplianceAssessment to detect creation/status changes and trigger webhook notifications; refactors progress calculation; adds compliance percentage method.
Container and Build Config backend/Dockerfile, .dockerignore, backend/.gitignore	Updates Dockerfile to consolidate install steps; expands Docker and Git ignore rules for broader and more structured exclusion patterns.
Entry Point and Signal Handling backend/manage.py	Comments out a signals import statement; no functional change.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant DjangoModel
    participant WebhooksModule
    participant WebhookEndpoint

    User->>DjangoModel: Create or update AppliedControl/ComplianceAssessment
    DjangoModel->>DjangoModel: save()
    DjangoModel->>WebhooksModule: get_payload(instance, old_status, event_type)
    WebhooksModule->>WebhooksModule: send_webhook_notification(payload)
    WebhooksModule->>WebhookEndpoint: POST payload
    WebhookEndpoint-->>WebhooksModule: HTTP response

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~40 minutes

Poem

🐇
A webhook hops with news to share,
Compliance changes fill the air.
Models now whisper when statuses shift,
While Docker and Git keep their tidy gift.
With settings tuned and signals trimmed,
The backend’s song is newly hymned!
—Rabbit, on notification winds

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b8dcccf and 8afc69b.

📒 Files selected for processing (1)

• backend/core/webhooks.py (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• backend/core/webhooks.py

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (5)

backend/core/apps.py (1)

17-17: Use English for comment consistency.

The signal import is correctly placed, but the comment should be in English to maintain consistency with the rest of the codebase.

-        import core.signals  # Active les signaux personnalisés
+        import core.signals  # Activate custom signal handlers

docker-compose.yml (1)

4-4: Consider image consistency between backend and huey services.

The backend service now uses a local 'backend' image while the huey service still uses the remote image. This could lead to version mismatches. Consider whether both services should use the same image source for consistency.

If using local development setup:

 backend:
   container_name: backend
   image: backend
   
 huey:
   container_name: huey
-  image: ghcr.io/intuitem/ciso-assistant-community/backend:latest
-  pull_policy: always
+  image: backend

backend/core/signals.py (3)

1-9: Consolidate imports and remove verbose logging

1. Combine the signal imports from lines 2 and 6 into a single import statement
2. The module load logging on line 9 is unnecessary and will add noise to production logs

 import logging
-from django.db.models.signals import pre_save
+from django.db.models.signals import pre_save, post_save
 from django.dispatch import receiver
 from django.conf import settings
 from core.models import ComplianceAssessment, AppliedControl
-from django.db.models.signals import post_save

 logger = logging.getLogger(__name__)
-logger.info('signals.py loaded')

---

55-88: Translate comment and good defensive programming

The defensive programming for computed fields (lines 60-68) and attribute checks (lines 77, 84) is excellent. However, the French comment on line 87 should be in English.

         'compliance_percentage': compliance_percentage,
         'progress_percentage': progress_percentage,
-        # Ajoute d'autres champs si besoin
+        # Add other fields if needed
     }

---

14-141: Consider production-ready enhancements

For a production environment, consider these architectural improvements:

1. Bulk operations: Current signals fire for each instance in bulk updates, which could overwhelm the webhook endpoint
2. Async processing: Webhook calls are synchronous and could slow down save operations
3. Retry mechanism: Failed webhook calls are not retried
4. Dead letter queue: Failed notifications are lost

Consider using a task queue (like Celery) for asynchronous webhook delivery with retry logic.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 47e36f3 and 8c07104.

📒 Files selected for processing (8)

• .dockerignore (1 hunks)
• backend/.gitignore (1 hunks)
• backend/Dockerfile (1 hunks)
• backend/ciso_assistant/settings.py (1 hunks)
• backend/core/apps.py (1 hunks)
• backend/core/signals.py (1 hunks)
• backend/manage.py (1 hunks)
• docker-compose.yml (1 hunks)

🧠 Learnings (2)

docker-compose.yml (1)

Learnt from: ab-smith
PR: intuitem/ciso-assistant-community#0
File: :0-0
Timestamp: 2025-01-21T19:16:31.223Z
Learning: The new Helm chart for CISO Assistant supports both SQLite and PostgreSQL modes, with backend and frontend pods separated, and includes configurable security contexts (disabled by default).

backend/Dockerfile (1)

Learnt from: nas-tabchiche
PR: #1641
File: dispatcher/startup.sh:1-6
Timestamp: 2025-04-17T17:28:15.732Z
Learning: In the CISO Assistant project, the startup.sh script is an entrypoint script that's intended to be executed only inside Docker containers where the uv package manager is installed at build time. The uv run commands are appropriate in this context.

🧰 Additional context used

🧠 Learnings (2)

docker-compose.yml (1)

Learnt from: ab-smith
PR: intuitem/ciso-assistant-community#0
File: :0-0
Timestamp: 2025-01-21T19:16:31.223Z
Learning: The new Helm chart for CISO Assistant supports both SQLite and PostgreSQL modes, with backend and frontend pods separated, and includes configurable security contexts (disabled by default).

backend/Dockerfile (1)

Learnt from: nas-tabchiche
PR: #1641
File: dispatcher/startup.sh:1-6
Timestamp: 2025-04-17T17:28:15.732Z
Learning: In the CISO Assistant project, the startup.sh script is an entrypoint script that's intended to be executed only inside Docker containers where the uv package manager is installed at build time. The uv run commands are appropriate in this context.

🔇 Additional comments (6)

backend/ciso_assistant/settings.py (1)

499-499: No action needed—None/empty URL is handled in send_webhook_notification.

The signal handler in backend/core/signals.py already does:

• Retrieves WEBHOOK_URL with a default of None.
• Checks if not WEBHOOK_URL and logs a warning before skipping.

This covers both None and empty values, so the new setting is safe as-is.

backend/.gitignore (1)

21-21: No action needed: root docker-compose.yml contains local overrides

The docker-compose.yml in the project root holds environment-specific settings (debug flags, webhook URLs, etc.) and isn’t meant to be version-controlled. The canonical compose definitions live under config/ (as templates and build scripts), so ignoring the root file prevents accidental commits of sensitive or local overrides.

backend/manage.py (1)

6-6: LGTM! Proper signal registration pattern.

Moving the signals import from manage.py to the app's ready() method is the correct Django approach. This ensures signal handlers are registered once during app initialization rather than on every management command execution.

backend/Dockerfile (1)

43-44: Good optimization: Consolidated RUN commands

Combining the poetry install and cache cleanup into a single RUN instruction reduces Docker layers, which improves build efficiency and reduces image size.

.dockerignore (1)

2-15: Improved Docker build context exclusions

The updated patterns provide better coverage:

• Recursive .DS_Store matching is more comprehensive
• Added cache directories (__pycache__, .pytest_cache, .ruff_cache) reduce context size
• Including db, static/, and test artifacts is appropriate
• Excluding .dockerignore and Dockerfile from the build context is a best practice

backend/core/signals.py (1)

91-141: Well-implemented signal handlers

The signal handlers are properly structured with:

• Clear separation between creation and update logic
• Comprehensive logging for debugging
• Proper handling of DoesNotExist exceptions
• Correct use of pre_save for status changes and post_save for creation notifications

[ab-smith]

Hello,
thank you for the contribution, we really appreciate it 🙏
This feature is currently being developed on our side, but we can consider a mixture between the two.

Two pointers:

• going with full signals is not prefered given their overhead on performance and how tricky they can be to debug. We believe that relevant changes to capture won't concern all objects and we can afford to override the save methods for relevant ones.
• you've made some strange changes on .gitignore. Was it a mistake?

[TBoykott]

Hello @ab-smith ,

I appreciate your feedback and am pleased to hear that this feature is being developed on your end.

Regarding your two points, I recognize that there's a performance issue, and I may address it in my next optimization. As for the .gitignore file, including it was an error.. There are URLs in the docker-compose that I prefer not to expose publicly.

[ab-smith]

Sure thing, we appreciate the effort 🙏
Tag me in once you update the files, and I'll review them. Notice that the signal usage is suboptimal given that you're focusing on presave, which can be replaced by an extension of the save method of the given objects.

[ab-smith]

see comments above

[coderabbitai]

Actionable comments posted: 1

🔭 Outside diff range comments (1)

backend/core/models.py (1)

715-744: Inconsistent error handling and potential performance impact.

The webhook notification logic is well-structured, but there are a few concerns:

1. Performance Impact: Each save now requires an additional database query to fetch the old instance, plus a potential HTTP request for webhook notifications. Consider if this overhead is acceptable for all save operations.

2. Error Handling: The webhook notification calls aren't wrapped in try-catch blocks, which means webhook failures could prevent the model from saving successfully.

Consider wrapping webhook calls in exception handling:

         # After save, check for status change or creation
         if is_new:
             payload = get_applied_control_payload(self, old_status=None)
             payload['type'] = 'applied_control_created'
-            send_webhook_notification(payload)
+            try:
+                send_webhook_notification(payload)
+            except Exception as e:
+                logger.warning(f"Failed to send webhook notification: {e}")
         elif old_status != self.status:
             payload = get_applied_control_payload(self, old_status)
             payload['type'] = 'applied_control_status_changed'
-            send_webhook_notification(payload)
+            try:
+                send_webhook_notification(payload)
+            except Exception as e:
+                logger.warning(f"Failed to send webhook notification: {e}")

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f018d70 and 638bfa6.

📒 Files selected for processing (2)

• backend/core/models.py (2 hunks)
• backend/core/signals.py (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• backend/core/signals.py

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (1)

backend/core/signals.py (1)

47-50: Consider performance optimization for related object queries

The function accesses multiple ManyToMany relationships (owner, assets, evidences, security_exceptions) which could result in N+1 database queries. Since this is called from the model's save() method, ensure that these relationships are prefetched when the instance is loaded to avoid performance issues.

Consider documenting that callers should use select_related() and prefetch_related() when loading instances that will trigger webhooks, or add a note about potential performance impact with large related object sets.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 638bfa6 and e104f2d.

📒 Files selected for processing (2)

• backend/core/models.py (2 hunks)
• backend/core/signals.py (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• backend/core/models.py

🧰 Additional context used

🧬 Code Graph Analysis (1)

backend/core/signals.py (1)

backend/core/models.py (7)

• ComplianceAssessment (3682-4480)
• AppliedControl (2560-2819)
• RequirementAssessment (4483-4668)
• assets (5116-5117)
• get_requirement_assessments (3971-4002)
• Result (4490-4495)
• get_progress (4436-4449)

🔇 Additional comments (1)

backend/core/signals.py (1)

14-24: LGTM! Well-implemented webhook notification function

The function properly handles missing webhook URL, uses appropriate timeout, specific exception handling, and doesn't expose sensitive URLs in logs. All previous review feedback has been successfully incorporated.

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Consider using existing model methods for compliance calculation

The compliance percentage calculation duplicates logic that might already exist in the model. Consider checking if there's an existing method like get_global_score() or similar that could be reused to maintain consistency and avoid code duplication.

---

🏁 Script executed:

#!/bin/bash
# Search for existing compliance calculation methods in ComplianceAssessment
ast-grep --pattern 'class ComplianceAssessment {
  $$$
  def get_$_($$$) {
    $$$
  }
  $$$
}'

# Also search for any method that calculates compliance or score
rg -A 10 'def get.*score|def get.*compliance' backend/core/models.py

Length of output: 1091

---

Extract compliance percentage into a reusable model method

The inline calculation in backend/core/signals.py (lines 60–66) duplicates business logic and there isn’t an existing model method that returns “compliance percentage” (the found get_global_score computes a different aggregate). To centralize this logic and avoid future drift:

• Define a new method on ComplianceAssessment (e.g. get_compliance_percentage(self)) that:
– Calls self.get_requirement_assessments(include_non_assessable=False)
– Computes int((compliant_count / total_count) * 100) (or 0 if no assessments)
• In backend/core/signals.py replace the block at lines 60–66 with:

-   # …existing inline calculation…
-   requirement_assessments = instance.get_requirement_assessments(include_non_assessable=False)
-   total_count = len(requirement_assessments)
-   compliant_count = sum(1 for ra in requirement_assessments if ra.result == RequirementAssessment.Result.COMPLIANT)
-   compliance_percentage = int((compliant_count / total_count) * 100) if total_count > 0 else 0
+   compliance_percentage = instance.get_compliance_percentage()

This ensures the percentage logic lives in one place on the model.

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

In backend/core/signals.py around lines 60 to 66, the compliance percentage
calculation duplicates business logic and should be centralized. To fix this,
define a new method get_compliance_percentage(self) on the ComplianceAssessment
model that calls self.get_requirement_assessments(include_non_assessable=False),
calculates the compliance percentage as int((compliant_count / total_count) *
100) or returns 0 if no assessments exist. Then replace the inline calculation
in signals.py with a call to this new model method to ensure the logic is
maintained in one place.

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (3)

backend/core/signals.py (3)

1-4: Clean up unused imports

The code currently imports modules that are not used in this file. Based on past review comments, it appears Django signal imports were removed, but there may still be cleanup needed.

---

51-87: Address code duplication in compliance calculation

The inline compliance percentage calculation (lines 58-62) duplicates business logic. Based on past review comments, this should be extracted into a reusable model method to maintain consistency and avoid future drift.

---

80-81: Add defensive null checks for foreign key access

The code accesses framework.name and perimeter.name without null checks, which could cause AttributeError if these foreign keys are None.

🧹 Nitpick comments (2)

backend/core/signals.py (2)

24-49: Consider adding type validation for event types

The function hardcodes the event type as 'applied_control_status_changed', but this function might be used for creation events too. Consider making the event type a parameter to support different event types consistently.

-def get_applied_control_payload(instance, old_status):
+def get_applied_control_payload(instance, old_status, event_type='applied_control_status_changed'):
     return {
-        'type': 'applied_control_status_changed',
+        'type': event_type,

---

1-87: Consider renaming file to better reflect its purpose

The filename signals.py might be misleading since this module doesn't actually use Django signals but rather provides utility functions for webhook notifications called from model save() methods. Consider renaming to webhooks.py or notifications.py to better reflect its actual purpose.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e104f2d and cf478dc.

📒 Files selected for processing (2)

• backend/core/models.py (3 hunks)
• backend/core/signals.py (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• backend/core/models.py

🧰 Additional context used

🧬 Code Graph Analysis (1)

backend/core/signals.py (1)

backend/core/models.py (7)

• ComplianceAssessment (3682-4486)
• AppliedControl (2560-2819)
• RequirementAssessment (4489-4674)
• assets (5122-5123)
• get_requirement_assessments (3971-4002)
• Result (4496-4501)
• get_progress (4436-4446)

🔇 Additional comments (1)

backend/core/signals.py (1)

11-21: LGTM! Webhook notification implementation is secure and robust

The function correctly handles missing webhook URLs, uses appropriate timeout settings, implements proper exception handling with requests.RequestException, and avoids logging sensitive URLs. The implementation follows Django best practices.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (3)

backend/core/webhooks.py (3)

32-60: Potential non-JSON-serialisable fields in payload

priority, effort, control_impact, cost, and progress_field are likely Decimal or Enum instances.
json.dumps() inside requests will raise TypeError for non-primitives.

Either cast to float/str during construction or provide a custom encoder, e.g.:

-        'priority': instance.priority,
+        'priority': float(instance.priority) if instance.priority is not None else None,

Same applies to the compliance payload below.

---

55-58: Inefficient per-object queries

Even with the warning comment, the list-comprehensions invoke separate SQL queries if the caller forgot to prefetch.

A safer API is to require a fully-prefetched instance:

assert hasattr(instance, '_prefetched_objects_cache'), (
    "Instance must be fetched with prefetch_related for owners/assets/…"
)

This fails fast in dev and avoids silent N+1 issues in prod.

---

71-82: Logging exceptions on every save will flood logs

The defensive try/except around get_compliance_percentage and get_progress logs at INFO/WARN on every save. For large imports this produces noise.

Downgrade to debug or log only on exception:

-        logger.info(f'ComplianceAssessment {instance.pk}: compliance_percentage={compliance_percentage}%')
+        logger.debug("ComplianceAssessment %s compliance=%s%%", instance.pk, compliance_percentage)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cf478dc and b8dcccf.

📒 Files selected for processing (3)

• backend/core/apps.py (2 hunks)
• backend/core/models.py (3 hunks)
• backend/core/webhooks.py (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• backend/core/apps.py
• backend/core/models.py

[coderabbitai]

🛠️ Refactor suggestion

Risk of circular imports and unused dependency

ComplianceAssessment and AppliedControl are imported but never referenced in this module.
More importantly, models.py now imports core.webhooks (to call these helpers) while this file imports core.models, forming a hard circular dependency that will break app start-up once both modules are imported at the top level.

Remove the model imports (the payload helpers already receive the instances), or fetch the classes lazily via apps.get_model() inside the helper if you really need the class.

🤖 Prompt for AI Agents

In backend/core/webhooks.py at lines 3 to 4, the imports of ComplianceAssessment
and AppliedControl from core.models are unused and cause a circular import
because core.models imports core.webhooks. Remove these model imports entirely
since the helper functions already receive the instances they need, or if the
classes are absolutely required, import them lazily inside the functions using
apps.get_model() to avoid the circular dependency.

[TBoykott]

Hello @ab-smith, Should be better now by using an extension of the save method of the given objects.