
BUG: Webhook check complains about inactive webhooks #1848

Open
laurentsimon opened this issue Apr 19, 2022 · 4 comments
Labels
check/webhook kind/bug Something isn't working

Comments

@laurentsimon
Contributor

laurentsimon commented Apr 19, 2022

@evverx can you describe the repo you tried it on?

I'm wondering whether it's still useful to report inactive webhooks: if it's inactive, should users remove it?

@laurentsimon laurentsimon added the kind/bug Something isn't working label Apr 19, 2022
@evverx
Contributor

evverx commented Apr 19, 2022

@evverx can you describe the repo you tried it on?

As far as I can remember it was systemd. scorecard complained about at least two inactive webhooks.

if it's inactive, should users remove it?

I think it depends. If webhooks are no longer used they should probably be removed but if they are temporarily broken due to outages or something like that it makes sense to temporarily turn them off.

@evverx
Contributor

evverx commented Apr 19, 2022

I can imagine another scenario where webhooks are turned off until secret tokens are supported there. I don't think it makes sense to remove them, fix endpoints and then bring them back. It seems to be easier to keep them without actually using them in this particular case.

@cpanato
Contributor

cpanato commented Apr 21, 2022

Maybe we can log that and remove it from the count, since it is inactive; if they become active and scorecard runs again, it will be part.

I think we should just log the inactive ones

@evverx
Contributor

evverx commented Apr 21, 2022

FWIW, as discussed in #1655 (comment), I think this whole check is kind of misleading:

having played with this check a bit more I don't think it makes sense to keep it because regardless of what scorecard says all webhooks have to be audited manually to make sure that secrets are actually used on the receiving end. I think it's helpful in terms of raising awareness so to speak though
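To make the two proposals in this thread concrete (cpanato's: log inactive hooks and leave them out of the count; evverx's: the real question is whether active hooks are registered with a secret, which still needs manual verification on the receiving end), here is an added example in Go, the language scorecard is written in. It is not scorecard's own code: the `Webhook` and `Result` types, the `Score` formula and the sample hooks are all constructed for this illustration.

```go
package main

import "fmt"

// Webhook is a simplified, hypothetical view of a repository webhook,
// constructed for this example; it is not scorecard's own data type.
type Webhook struct {
	ID        int64
	URL       string
	Active    bool
	HasSecret bool // true when the hook was registered with a secret token
}

// Result holds what the proposed evaluation reports.
type Result struct {
	Active         int      // active hooks that were counted
	ActiveNoSecret int      // active hooks registered without a secret
	Inactive       []int64  // inactive hook IDs, logged but not counted
	Log            []string // human-readable findings
}

// EvaluateWebhooks implements the behaviour proposed in the thread:
// inactive hooks are logged and excluded from the count, active hooks
// are checked for a configured secret.
func EvaluateWebhooks(hooks []Webhook) Result {
	var r Result
	for _, h := range hooks {
		if !h.Active {
			r.Inactive = append(r.Inactive, h.ID)
			r.Log = append(r.Log, fmt.Sprintf("webhook %d (%s) is inactive; not counted", h.ID, h.URL))
			continue
		}
		r.Active++
		if !h.HasSecret {
			r.ActiveNoSecret++
			r.Log = append(r.Log, fmt.Sprintf("webhook %d (%s) is active but has no secret configured", h.ID, h.URL))
		}
	}
	return r
}

// Score maps the result onto a 0..10 scale in the spirit of scorecard checks:
// 10 when every active hook has a secret, proportionally lower otherwise.
// This formula is constructed for the example, not scorecard's own.
func Score(r Result) int {
	if r.Active == 0 {
		return 10 // nothing active to evaluate
	}
	return 10 * (r.Active - r.ActiveNoSecret) / r.Active
}

// SampleHooks is constructed input: one active hook with a secret, one
// active hook without, and one inactive hook without a secret.
func SampleHooks() []Webhook {
	return []Webhook{
		{ID: 1, URL: "https://ci.example.invalid/hook", Active: true, HasSecret: true},
		{ID: 2, URL: "https://chat.example.invalid/hook", Active: true, HasSecret: false},
		{ID: 3, URL: "https://old.example.invalid/hook", Active: false, HasSecret: false},
	}
}

func main() {
	r := EvaluateWebhooks(SampleHooks())
	for _, line := range r.Log {
		fmt.Println(line)
	}
	fmt.Printf("active=%d without-secret=%d inactive-skipped=%v score=%d\n",
		r.Active, r.ActiveNoSecret, r.Inactive, Score(r))
}
```

With the sample input the inactive hook is reported in the log but does not affect the score, and the one active hook without a secret pulls the score down to 5. Note the limit evverx raises: `HasSecret` only tells you a secret was registered with the hook; whether the receiving endpoint actually validates the signature is not visible from the repository side and has to be audited separately.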

Projects
Status: Backlog - Bugs