
RHACS → ServiceNow Webhook

ACS → ServiceNow

Generic Webhook integration from Red Hat Advanced Cluster Security for Kubernetes to ServiceNow Scripted REST, creating Incident records from policy violations.

License: Apache 2.0

RHACS policy violation fires. ServiceNow Incident opens. One Scripted REST handler in the middle turns the RHACS payload into a populated Incident with severity-mapped urgency/impact, policy context, and the exact workload that tripped.

Pick A Starting Point

How The Integration Shapes Up

sequenceDiagram
    autonumber
    participant P as RHACS Policy
    participant N as RHACS Notifier<br/>(Generic Webhook)
    participant SN as ServiceNow<br/>Scripted REST
    participant INC as Incident Table

    P->>N: Violation matched
    N->>SN: POST /api/rhacs/alert<br/>JSON payload
    SN->>SN: Parse policy + violation<br/>attrs (pod, container, user)
    SN->>SN: Map severity → urgency/impact
    SN->>INC: GlideRecord insert
    INC-->>SN: sys_id
    SN-->>N: 201 { sys_id }

Operating Model At A Glance

| Layer | Responsibility |
| --- | --- |
| RHACS policy | Detects violation and triggers attached notifier |
| RHACS notifier | POSTs JSON payload to ServiceNow endpoint |
| Scripted REST | Parses payload, builds description, maps severity, writes Incident |
| Incident table | Holds short_description, description, urgency, impact |

Narrow on purpose. No queue, no dedup store, no retry layer baked in. See Capabilities for what the integration refuses and where to extend.
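
The parse, map and build steps of the Scripted REST layer can be sketched as a pure function that returns the Incident fields and leaves the GlideRecord insert to the caller. This is an added example, not the project's handler. It assumes the RHACS payload wraps the alert under `alert` with `policy`, `deployment` and `violations[].keyValueAttrs.attrs`, and the urgency/impact numbers, the names `buildIncident`, `violationLines`, `SEVERITY_MAP`, `FALLBACK` and `SAMPLE`, and the sample payload are all constructed for illustration.

```javascript
// Added example. Payload field names and the mapping numbers are assumptions.
const SEVERITY_MAP = new Map([
  ['CRITICAL_SEVERITY', { urgency: 1, impact: 1 }],
  ['HIGH_SEVERITY', { urgency: 1, impact: 2 }],
  ['MEDIUM_SEVERITY', { urgency: 2, impact: 2 }],
  ['LOW_SEVERITY', { urgency: 3, impact: 3 }],
]);
const FALLBACK = { urgency: 3, impact: 3 }; // unknown severity degrades, never throws

// Flatten violations[].keyValueAttrs.attrs ({key, value} pairs) into text lines.
function violationLines(violations) {
  return (Array.isArray(violations) ? violations : []).map((v) => {
    const raw = v && v.keyValueAttrs && v.keyValueAttrs.attrs;
    const attrs = Array.isArray(raw) ? raw.filter(Boolean) : [];
    const ctx = attrs.map((a) => `${a.key}=${a.value}`).join(', ');
    return `- ${(v && v.message) || '(no message)'}${ctx ? ` [${ctx}]` : ''}`;
  });
}

// Returns { status: 201, fields } or { status: 400, error } for a malformed body.
function buildIncident(body) {
  const alert = body && body.alert;
  if (!alert || !alert.policy || typeof alert.policy.name !== 'string') {
    return { status: 400, error: 'missing alert.policy.name' };
  }
  const dep = alert.deployment || {};
  const workload = [dep.clusterName, dep.namespace, dep.name].filter(Boolean).join('/') || 'unknown';
  // Map lookup, so a severity such as "constructor" cannot hit Object.prototype.
  const sev = SEVERITY_MAP.get(alert.policy.severity) || FALLBACK;
  const description = [
    `Policy: ${alert.policy.name} (${alert.policy.severity || 'unspecified'})`,
    `Workload: ${workload}`,
    'Violations:',
    ...violationLines(alert.violations),
  ].join('\n');
  // 160 is the assumed default length of the Incident short_description field.
  const short_description = `RHACS: ${alert.policy.name} on ${workload}`.slice(0, 160);
  return { status: 201, fields: { short_description, description, urgency: sev.urgency, impact: sev.impact } };
}

// Constructed sample payload, not captured from a real RHACS instance.
const SAMPLE = { alert: {
  policy: { name: 'Kubernetes Actions: Exec into Pod', severity: 'HIGH_SEVERITY' },
  deployment: { clusterName: 'prod-east', namespace: 'payments', name: 'api' },
  violations: [{ message: 'exec into pod', keyValueAttrs: { attrs: [
    { key: 'pod', value: 'api-7d9f' }, { key: 'container', value: 'app' }] } }],
} };
```

Inside ServiceNow the returned `fields` would be copied onto a GlideRecord for the Incident table before the insert, and the 400 branch keeps malformed or unauthenticated noise from creating empty Incidents.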

Page Families

External Reference