Alerts & Notifications

Configure email and webhook notifications to stay informed about expiring credentials, failed operations, and security events.


Overview

CertifyClouds alerts keep your team notified:

  • Multiple channels: Email, Slack, Microsoft Teams, custom webhooks
  • 11 alert types: Expiring, expired, rotation, sync, and scan events
  • Delivery modes: Real-time, daily digest, or both
  • Flexible scheduling: Configure when digests are sent
  • Subscription filtering: Scope alerts to specific Azure subscriptions

Alert Types

Discovery Alerts

| Alert Type | Trigger | Severity |
|---|---|---|
| secret_expiring | Secret expires within threshold | Warning |
| secret_expired | Secret has already expired | Critical |
| key_expiring | Key expires within threshold | Warning |
| key_expired | Key has already expired | Critical |
| certificate_expiring | Certificate expires within threshold | Warning |
| certificate_expired | Certificate has already expired | Critical |
| scan_completed | Discovery scan finished | Info |
| vault_error | Error accessing Key Vault | Error |

Rotation Alerts (PRO)

| Alert Type | Trigger | Severity |
|---|---|---|
| rotation_success | Credential successfully rotated | Info |
| rotation_failed | Rotation attempt failed | Error |

Sync Alerts (PRO)

| Alert Type | Trigger | Severity |
|---|---|---|
| sync_success | Secret synced to target cloud | Info |
| sync_failed | Sync operation failed | Error |

Notification Channels

Email

Send alerts to individuals or distribution lists.

Configuration (Settings > Alerts):

  1. Click Add Rule
  2. Select alert type (e.g., secret_expiring)
  3. Choose Email delivery
  4. Enter recipient(s)
  5. Set threshold (for expiring alerts)
  6. Save

SMTP Setup Required:

Configure email in your environment:

SMTP_HOST=mail.smtp2go.com
SMTP_PORT=2525
SMTP_USERNAME=<your-username>
SMTP_PASSWORD=<your-password>
SMTP_FROM_EMAIL=alerts@yourcompany.com
SENDGRID_API_KEY=<YOUR_SENDGRID_API_KEY>
SENDGRID_FROM_EMAIL=alerts@yourcompany.com

Slack

Post alerts to Slack channels using incoming webhooks.

Setup:

  1. In Slack, create an Incoming Webhook:
      • Go to your Slack workspace settings
      • Apps > Manage > Custom Integrations > Incoming Webhooks
      • Create webhook and copy URL
  2. In CertifyClouds:
      • Settings > Alerts > Add Rule
      • Select Webhook delivery
      • Choose type: Slack
      • Paste webhook URL
      • Save

Payload Format:

{
  "attachments": [
    {
      "color": "#EF4444",
      "title": "Secret Expiring Alert",
      "text": "Found 3 secrets expiring within 30 days",
      "footer": "CertifyClouds",
      "fields": [
        {"title": "Vault", "value": "kv-production", "short": true},
        {"title": "Secrets", "value": "api-key, db-password", "short": true}
      ]
    }
  ]
}

Microsoft Teams

Post to Teams channels using Incoming Webhooks.

Setup:

  1. In Teams, create an Incoming Webhook:
      • Go to channel settings > Connectors
      • Add Incoming Webhook
      • Copy webhook URL
  2. In CertifyClouds:
      • Settings > Alerts > Add Rule
      • Select Webhook delivery
      • Choose type: Teams
      • Paste webhook URL
      • Save

Payload Format:

{
  "@type": "MessageCard",
  "@context": "https://schema.org/extensions",
  "themeColor": "EF4444",
  "title": "Secret Expiring Alert",
  "text": "Found 3 secrets expiring within 30 days",
  "sections": [
    {
      "facts": [
        {"name": "Vault", "value": "kv-production"},
        {"name": "Secrets", "value": "api-key, db-password"}
      ]
    }
  ]
}

Generic Webhook

For custom integrations, PagerDuty, or other services.

Payload Format:

{
  "title": "Secret Expiring Alert",
  "message": "Found 3 secrets expiring within 30 days",
  "color": "#EF4444",
  "timestamp": "2025-12-14T12:00:00.000000",
  "source": "CertifyClouds",
  "fields": [
    {"title": "Vault", "value": "kv-production"},
    {"title": "Secrets", "value": "api-key, db-password"}
  ]
}


Delivery Modes

Real-time

Alerts sent immediately when events occur.

Best for:

  • Critical alerts (expired secrets)
  • Rotation failures
  • Security events

Digest

Alerts batched and sent on a schedule.

Best for:

  • Warning-level alerts (expiring soon)
  • Reducing notification fatigue
  • Non-urgent monitoring

Both

Send critical alerts immediately AND include in digest.


Scheduling

Digest Schedule

Configure when digest emails are sent:

| Schedule | Description |
|---|---|
| Daily 8:00 AM | Once per day |
| Daily 9:00 AM + 5:00 PM | Twice per day |
| Weekly Monday 9:00 AM | Weekly summary |

Configure Schedule

  1. Go to Settings > Alerts
  2. Click Digest Settings
  3. Select timezone
  4. Set delivery times
  5. Save

Creating Alert Rules

Step-by-Step

  1. Navigate: Settings > Alerts
  2. Add Rule: Click "Add Rule" button
  3. Configure:
      • Name: Descriptive rule name
      • Alert Type: What triggers the alert
      • Threshold: Days before expiry (for expiring alerts)
      • Delivery: Email, Webhook, or both
      • Mode: Real-time, Digest, or Both
      • Recipients/URL: Destination for alerts
  4. Filter (optional):
      • Specific subscriptions
      • Specific vaults
      • Asset types
  5. Save: Enable and save the rule

Example Rules

Critical: Expired secrets (real-time)

  • Type: secret_expired
  • Delivery: Email + Slack
  • Mode: Real-time
  • Recipients: security-team@company.com

Warning: Secrets expiring in 30 days (digest)

  • Type: secret_expiring
  • Threshold: 30 days
  • Delivery: Email
  • Mode: Digest (daily)
  • Recipients: ops-team@company.com

Info: Rotation success (real-time)

  • Type: rotation_success
  • Delivery: Teams webhook
  • Mode: Real-time

Testing Alerts

Test Button

Each alert rule has a "Test" button:

  1. Go to Settings > Alerts
  2. Find the rule to test
  3. Click Test
  4. Verify notification received

API Test

curl -X POST http://localhost:8080/alerts/test \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "rule_id": "rule-123",
    "test_payload": {
      "vault": "kv-test",
      "secret": "test-secret"
    }
  }'

Alert History

View all sent alerts:

  1. Go to Alerts tab
  2. Click History
  3. Filter by:
      • Date range
      • Alert type
      • Delivery status

Statuses

| Status | Description |
|---|---|
| Delivered | Successfully sent |
| Failed | Delivery failed (check logs) |
| Pending | In digest queue |
| Retrying | Retry in progress |

Retry Logic

For failed webhook deliveries:

| Attempt | Delay |
|---|---|
| 1 | Immediate |
| 2 | 2 seconds |
| 3 | 5 seconds |
| 4 | 10 seconds (final) |

After 4 attempts, the alert is marked as failed.
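
On the receiving side of a Generic Webhook, a slow or failed response can cause the same alert to arrive again on a retry. The sketch below is an added example, not CertifyClouds code: it validates the Generic Webhook payload shown earlier and drops retried copies. The names `parse_alert` and `accept` are hypothetical, and it assumes a retry resends an identical body.

```python
import hashlib
import json
from datetime import datetime

REQUIRED = ("title", "message", "timestamp", "source", "fields")
# Retries come 2 s, 5 s and 10 s apart, so a copy can arrive up to 17 s late.
DEDUP_WINDOW_SECONDS = 60  # assumed margin above those 17 s
# Constructed sample body in the page's Generic Webhook format.
SAMPLE = json.dumps({
    "title": "Secret Expiring Alert", "source": "CertifyClouds",
    "message": "Found 3 secrets expiring within 30 days",
    "color": "#EF4444", "timestamp": "2025-12-14T12:00:00.000000",
    "fields": [{"title": "Vault", "value": "kv-production"}],
}).encode()


def parse_alert(body: bytes) -> dict:
    """Validate a Generic Webhook body; raise ValueError on anything unexpected."""
    doc = json.loads(body)  # JSONDecodeError is a ValueError subclass
    if not isinstance(doc, dict):
        raise ValueError("payload must be a JSON object")
    missing = [key for key in REQUIRED if key not in doc]
    if missing:
        raise ValueError(f"missing keys: {missing}")
    if doc["source"] != "CertifyClouds":
        raise ValueError("unexpected source")
    if not isinstance(doc["timestamp"], str) or not isinstance(doc["fields"], list):
        raise ValueError("timestamp must be a string and fields a list")
    datetime.fromisoformat(doc["timestamp"])  # ValueError if malformed
    facts = {}
    for item in doc["fields"]:
        if not (isinstance(item, dict) and isinstance(item.get("title"), str)
                and isinstance(item.get("value"), str)):
            raise ValueError("each field needs a string title and value")
        facts[item["title"]] = item["value"]
    return {"title": str(doc["title"]), "message": str(doc["message"]),
            "timestamp": doc["timestamp"], "facts": facts}


def accept(body: bytes, seen: dict, now: float) -> bool:
    """Return True the first time an alert is seen, False for a retried copy."""
    alert = parse_alert(body)
    digest = hashlib.sha256(json.dumps(alert, sort_keys=True).encode()).hexdigest()
    for old in [d for d, t in seen.items() if now - t >= DEDUP_WINDOW_SECONDS]:
        del seen[old]
    if digest in seen:
        return False
    seen[digest] = now
    return True
```

Keep the `seen` dictionary in shared storage if more than one receiver instance handles the endpoint.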


Troubleshooting

Emails not received

  1. Check SMTP configuration in environment variables
  2. Verify recipient email address
  3. Check spam/junk folder
  4. Review application logs for errors

Webhook failures

  1. Verify webhook URL is correct
  2. Check if endpoint is accessible from CertifyClouds
  3. Ensure endpoint accepts POST requests
  4. Check for firewall/network restrictions

Duplicate notifications

  1. Check for overlapping rules
  2. Review threshold settings
  3. Ensure you don't have both real-time AND digest for the same alert

API Reference

List Alert Rules

GET /alerts/rules

Create Alert Rule

POST /alerts/rules
Content-Type: application/json

{
  "name": "Expiring Secrets Alert",
  "alert_type": "secret_expiring",
  "threshold_days": 30,
  "delivery_method": "email",
  "delivery_mode": "digest",
  "recipients": ["team@company.com"],
  "enabled": true
}

Update Alert Rule

PUT /alerts/rules/{rule_id}

Delete Alert Rule

DELETE /alerts/rules/{rule_id}

Get Alert History

GET /alerts/history?start_date=2025-01-01&end_date=2025-01-31

Best Practices

  1. Don't over-alert: Use digests for warnings, real-time for critical
  2. Route appropriately: Send security alerts to security team, ops alerts to ops
  3. Test regularly: Use the test button to verify delivery
  4. Monitor failures: Check alert history for delivery issues
  5. Use thresholds wisely: 30 days gives time to act without noise
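
The checks from "Duplicate notifications" and the best practices above can be run against rules exported in the Create Alert Rule body format. This is an added example, not part of the CertifyClouds product or API; `audit_rules` is a hypothetical helper, the rules are constructed, and the `delivery_mode` value "realtime" is assumed because the page only shows "digest".

```python
from itertools import combinations

# Severity per alert type, taken from the Alert Types tables on this page.
SEVERITY = {f"{asset}_{state}": level
            for asset in ("secret", "key", "certificate")
            for state, level in (("expiring", "warning"), ("expired", "critical"))}
SEVERITY.update(scan_completed="info", vault_error="error",
                rotation_success="info", rotation_failed="error",
                sync_success="info", sync_failed="error")

# Constructed rules in the Create Alert Rule body format. The page only shows
# delivery_mode "digest"; "realtime" is an assumed value.
RULES = [
    {"name": "Expiring Secrets Alert", "alert_type": "secret_expiring",
     "threshold_days": 30, "delivery_mode": "digest",
     "recipients": ["team@company.com"], "enabled": True},
    {"name": "Expiring Secrets (ops)", "alert_type": "secret_expiring",
     "threshold_days": 14, "delivery_mode": "realtime",
     "recipients": ["team@company.com"], "enabled": True},
    {"name": "Expired Secrets", "alert_type": "secret_expired",
     "delivery_mode": "digest",
     "recipients": ["security-team@company.com"], "enabled": True},
]


def audit_rules(rules):
    """Return sorted (check, detail) findings for a list of rule dicts."""
    findings = []
    active = [r for r in rules if r.get("enabled", True)]
    for rule in active:
        level = SEVERITY.get(rule["alert_type"])
        if level is None:
            findings.append(("unknown_type", rule["name"]))
        elif level in ("critical", "error") and rule.get("delivery_mode") == "digest":
            findings.append(("urgent_alert_digest_only", rule["name"]))
        if rule["alert_type"].endswith("_expiring") and not rule.get("threshold_days"):
            findings.append(("missing_threshold", rule["name"]))
    for a, b in combinations(active, 2):
        shared = set(a.get("recipients", [])) & set(b.get("recipients", []))
        if a["alert_type"] == b["alert_type"] and shared:
            findings.append(("overlapping_rules", f'{a["name"]} / {b["name"]}'))
    covered = {r["alert_type"] for r in active}
    for kind, level in SEVERITY.items():
        if level == "critical" and kind not in covered:
            findings.append(("uncovered_critical", kind))
    return sorted(findings)
```

For the constructed rules, the audit reports one overlapping pair, one critical alert that is delivered by digest only, and no rule at all for expired keys or certificates.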