From aaa02b54fa5baaab77558440f8acc31cb091170c Mon Sep 17 00:00:00 2001
From: Tanjim Hossain <tanjimhossain.pro@gmail.com>
Date: Thu, 27 Nov 2025 16:32:40 +0000
Subject: [PATCH 01/17] feat: add CloudEvents webhook support for AWS ECR

Adds CloudEvents v1.0 webhook handler to support AWS ECR push events
via EventBridge, using the CloudEvents specification for a standardized
approach instead of registry-specific handlers.

Changes:
- Add pkg/webhook/cloudevents.go with CloudEvents webhook handler
- Add pkg/webhook/cloudevents_test.go with comprehensive test suite (60+ tests)
- Add --cloudevents-webhook-secret flag to webhook/run commands
- Add documentation in docs/configuration/webhook.md
- Add Terraform example for EventBridge setup
- Add trace logging for debugging webhook payloads
- Use crypto/subtle.ConstantTimeCompare for secret validation

Signed-off-by: Tanjim Hossain <tanjimhossain.pro@gmail.com>
---
 cmd/common.go                                 |   2 +
 cmd/run.go                                    |   1 +
 cmd/webhook.go                                |   4 +-
 config/examples/cloudevents/README.md         |  38 ++
 config/examples/cloudevents/terraform/main.tf | 145 +++++
 .../examples/cloudevents/terraform/outputs.tf |  19 +
 .../cloudevents/terraform/variables.tf        |  32 ++
 config/examples/cloudevents/test-webhook.sh   |  92 ++++
 docs/configuration/webhook.md                 |  72 ++-
 pkg/webhook/cloudevents.go                    | 268 ++++++++++
 pkg/webhook/cloudevents_test.go               | 495 ++++++++++++++++++
 11 files changed, 1166 insertions(+), 2 deletions(-)
 create mode 100644 config/examples/cloudevents/README.md
 create mode 100644 config/examples/cloudevents/terraform/main.tf
 create mode 100644 config/examples/cloudevents/terraform/outputs.tf
 create mode 100644 config/examples/cloudevents/terraform/variables.tf
 create mode 100755 config/examples/cloudevents/test-webhook.sh
 create mode 100644 pkg/webhook/cloudevents.go
 create mode 100644 pkg/webhook/cloudevents_test.go

diff --git a/cmd/common.go b/cmd/common.go
index 238319c6..5328536f 100644
--- a/cmd/common.go
+++ b/cmd/common.go
@@ -26,6 +26,7 @@ type WebhookConfig struct {
 	GHCRSecret                  string
 	QuaySecret                  string
 	HarborSecret                string
+	CloudEventsSecret           string
 	RateLimitNumAllowedRequests int
 }
 
@@ -117,6 +118,7 @@ func SetupWebhookServer(webhookCfg *WebhookConfig, reconciler *controller.ImageU
 	handler.RegisterHandler(webhook.NewGHCRWebhook(webhookCfg.GHCRSecret))
 	handler.RegisterHandler(webhook.NewHarborWebhook(webhookCfg.HarborSecret))
 	handler.RegisterHandler(webhook.NewQuayWebhook(webhookCfg.QuaySecret))
+	handler.RegisterHandler(webhook.NewCloudEventsWebhook(webhookCfg.CloudEventsSecret))
 
 	// Create webhook server
 	server := webhook.NewWebhookServer(webhookCfg.Port, handler, reconciler)
diff --git a/cmd/run.go b/cmd/run.go
index a1a13558..296cbd3f 100644
--- a/cmd/run.go
+++ b/cmd/run.go
@@ -304,6 +304,7 @@ This enables a CRD-driven approach to automated image updates with Argo CD.
 	controllerCmd.Flags().StringVar(&webhookCfg.GHCRSecret, "ghcr-webhook-secret", env.GetStringVal("GHCR_WEBHOOK_SECRET", ""), "Secret for validating GitHub Container Registry webhooks")
 	controllerCmd.Flags().StringVar(&webhookCfg.QuaySecret, "quay-webhook-secret", env.GetStringVal("QUAY_WEBHOOK_SECRET", ""), "Secret for validating Quay webhooks")
 	controllerCmd.Flags().StringVar(&webhookCfg.HarborSecret, "harbor-webhook-secret", env.GetStringVal("HARBOR_WEBHOOK_SECRET", ""), "Secret for validating Harbor webhooks")
+	controllerCmd.Flags().StringVar(&webhookCfg.CloudEventsSecret, "cloudevents-webhook-secret", env.GetStringVal("CLOUDEVENTS_WEBHOOK_SECRET", ""), "Secret for validating CloudEvents webhooks")
 	controllerCmd.Flags().IntVar(&webhookCfg.RateLimitNumAllowedRequests, "webhook-ratelimit-allowed", env.ParseNumFromEnv("WEBHOOK_RATELIMIT_ALLOWED", 0, 0, math.MaxInt), "The number of allowed requests in an hour for webhook rate limiting, setting to 0 disables ratelimiting")
 
 	return controllerCmd
diff --git a/cmd/webhook.go b/cmd/webhook.go
index 9fceb206..ff38784a 100644
--- a/cmd/webhook.go
+++ b/cmd/webhook.go
@@ -41,7 +41,8 @@ Supported registries:
 - Docker Hub
 - GitHub Container Registry (GHCR)
 - Quay
-- Harbor 
+- Harbor
+- AWS ECR (via EventBridge CloudEvents)
 `,
 		RunE: func(cmd *cobra.Command, args []string) error {
 			if err := log.SetLogLevel(cfg.LogLevel); err != nil {
@@ -89,6 +90,7 @@ Supported registries:
 	webhookCmd.Flags().StringVar(&webhookCfg.GHCRSecret, "ghcr-webhook-secret", env.GetStringVal("GHCR_WEBHOOK_SECRET", ""), "Secret for validating GitHub Container Registry webhooks")
 	webhookCmd.Flags().StringVar(&webhookCfg.QuaySecret, "quay-webhook-secret", env.GetStringVal("QUAY_WEBHOOK_SECRET", ""), "Secret for validating Quay webhooks")
 	webhookCmd.Flags().StringVar(&webhookCfg.HarborSecret, "harbor-webhook-secret", env.GetStringVal("HARBOR_WEBHOOK_SECRET", ""), "Secret for validating Harbor webhooks")
+	webhookCmd.Flags().StringVar(&webhookCfg.CloudEventsSecret, "cloudevents-webhook-secret", env.GetStringVal("CLOUDEVENTS_WEBHOOK_SECRET", ""), "Secret for validating CloudEvents webhooks")
 	webhookCmd.Flags().IntVar(&webhookCfg.RateLimitNumAllowedRequests, "webhook-ratelimit-allowed", env.ParseNumFromEnv("WEBHOOK_RATELIMIT_ALLOWED", 0, 0, math.MaxInt), "The number of allowed requests in an hour for webhook rate limiting, setting to 0 disables ratelimiting")
 
 	return webhookCmd
diff --git a/config/examples/cloudevents/README.md b/config/examples/cloudevents/README.md
new file mode 100644
index 00000000..d65f4423
--- /dev/null
+++ b/config/examples/cloudevents/README.md
@@ -0,0 +1,38 @@
+# CloudEvents Webhook Example
+
+Example Terraform configuration for setting up AWS EventBridge to send ECR push events to ArgoCD Image Updater via CloudEvents.
+
+## Quick Start
+
+### 1. Configure EventBridge with Terraform
+
+```bash
+cd terraform
+
+# Set your variables
+export TF_VAR_webhook_url="https://your-domain.com/webhook?type=cloudevents"
+export TF_VAR_webhook_secret="your-webhook-secret"
+export TF_VAR_aws_region="us-east-1"
+
+# Apply the configuration
+terraform init
+terraform apply
+
+# Return to parent directory
+cd ..
+```
+
+### 2. Test the Webhook
+
+```bash
+./test-webhook.sh https://your-webhook-url/webhook?type=cloudevents your-secret
+```
+
+## Files
+
+- `terraform/` - EventBridge configuration with input transformer for ECR events
+- `test-webhook.sh` - Script to test the webhook endpoint
+
+## Documentation
+
+For complete setup instructions, see the [webhook documentation](../../../docs/configuration/webhook.md#aws-ecr-via-eventbridge-cloudevents).
diff --git a/config/examples/cloudevents/terraform/main.tf b/config/examples/cloudevents/terraform/main.tf
new file mode 100644
index 00000000..449af207
--- /dev/null
+++ b/config/examples/cloudevents/terraform/main.tf
@@ -0,0 +1,145 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
+
+provider "aws" {
+  region = var.aws_region
+}
+
+# EventBridge Rule to capture ECR push events
+resource "aws_cloudwatch_event_rule" "ecr_push" {
+  name        = "argocd-image-updater-ecr-push"
+  description = "Capture ECR image push events for ArgoCD Image Updater"
+
+  event_pattern = jsonencode({
+    source      = ["aws.ecr"]
+    detail-type = ["ECR Image Action"]
+    detail = {
+      action-type = ["PUSH"]
+      result      = ["SUCCESS"]
+      # Filter for events with image tags (excludes untagged/manifest-only pushes)
+      image-tag = [{
+        exists = true
+      }]
+      # Optional: Filter by specific repositories
+      repository-name = length(var.ecr_repository_filter) > 0 ? var.ecr_repository_filter : null
+    }
+  })
+
+  tags = var.tags
+}
+
+# EventBridge Connection for API authentication
+resource "aws_cloudwatch_event_connection" "webhook" {
+  name               = "argocd-image-updater-webhook"
+  description        = "Connection to ArgoCD Image Updater webhook"
+  authorization_type = "API_KEY"
+
+  auth_parameters {
+    api_key {
+      key   = "X-Webhook-Secret"
+      value = var.webhook_secret
+    }
+  }
+}
+
+# API Destination pointing to ArgoCD Image Updater webhook
+resource "aws_cloudwatch_event_api_destination" "webhook" {
+  name                             = "argocd-image-updater-webhook"
+  description                      = "ArgoCD Image Updater CloudEvents webhook endpoint"
+  invocation_endpoint              = var.webhook_url
+  http_method                      = "POST"
+  invocation_rate_limit_per_second = 10
+  connection_arn                   = aws_cloudwatch_event_connection.webhook.arn
+}
+
+# IAM Role for EventBridge to invoke API Destination
+resource "aws_iam_role" "eventbridge" {
+  name               = "argocd-image-updater-eventbridge-role"
+  assume_role_policy = data.aws_iam_policy_document.eventbridge_assume_role.json
+  tags               = var.tags
+}
+
+data "aws_iam_policy_document" "eventbridge_assume_role" {
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["events.amazonaws.com"]
+    }
+
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+# IAM Policy for EventBridge to invoke API Destination
+resource "aws_iam_role_policy" "eventbridge_invoke_api_destination" {
+  name   = "invoke-api-destination"
+  role   = aws_iam_role.eventbridge.id
+  policy = data.aws_iam_policy_document.eventbridge_invoke_api_destination.json
+}
+
+data "aws_iam_policy_document" "eventbridge_invoke_api_destination" {
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "events:InvokeApiDestination"
+    ]
+
+    resources = [
+      aws_cloudwatch_event_api_destination.webhook.arn
+    ]
+  }
+}
+
+# EventBridge Target with Input Transformer (ECR -> CloudEvents)
+resource "aws_cloudwatch_event_target" "api_destination" {
+  rule      = aws_cloudwatch_event_rule.ecr_push.name
+  target_id = "ArgocdImageUpdaterCloudEvent"
+  arn       = aws_cloudwatch_event_api_destination.webhook.arn
+  role_arn  = aws_iam_role.eventbridge.arn
+
+  input_transformer {
+    input_paths = {
+      id      = "$.id"
+      time    = "$.time"
+      account = "$.account"
+      region  = "$.region"
+      repo    = "$.detail.repository-name"
+      digest  = "$.detail.image-digest"
+      tag     = "$.detail.image-tag"
+    }
+
+    input_template = <<-EOF
+    {
+      "specversion": "1.0",
+      "id": "<id>",
+      "type": "com.amazon.ecr.image.push",
+      "source": "urn:aws:ecr:<region>:<account>:repository/<repo>",
+      "subject": "<repo>:<tag>",
+      "time": "<time>",
+      "datacontenttype": "application/json",
+      "data": {
+        "repositoryName": "<repo>",
+        "imageDigest": "<digest>",
+        "imageTag": "<tag>",
+        "registryId": "<account>"
+      }
+    }
+    EOF
+  }
+
+  retry_policy {
+    maximum_event_age_in_seconds = 3600
+    maximum_retry_attempts       = 3
+  }
+}
diff --git a/config/examples/cloudevents/terraform/outputs.tf b/config/examples/cloudevents/terraform/outputs.tf
new file mode 100644
index 00000000..61ecb44f
--- /dev/null
+++ b/config/examples/cloudevents/terraform/outputs.tf
@@ -0,0 +1,19 @@
+output "eventbridge_rule_arn" {
+  description = "ARN of the EventBridge rule"
+  value       = aws_cloudwatch_event_rule.ecr_push.arn
+}
+
+output "api_destination_arn" {
+  description = "ARN of the API destination"
+  value       = aws_cloudwatch_event_api_destination.webhook.arn
+}
+
+output "eventbridge_role_arn" {
+  description = "ARN of the EventBridge IAM role"
+  value       = aws_iam_role.eventbridge.arn
+}
+
+output "webhook_endpoint" {
+  description = "Configured webhook endpoint URL"
+  value       = var.webhook_url
+}
diff --git a/config/examples/cloudevents/terraform/variables.tf b/config/examples/cloudevents/terraform/variables.tf
new file mode 100644
index 00000000..862fac0a
--- /dev/null
+++ b/config/examples/cloudevents/terraform/variables.tf
@@ -0,0 +1,32 @@
+variable "aws_region" {
+  description = "AWS region for ECR and EventBridge"
+  type        = string
+  default     = "us-east-1"
+}
+
+variable "webhook_url" {
+  description = "ArgoCD Image Updater webhook endpoint URL"
+  type        = string
+  # Example: "https://image-updater-webhook.example.com/webhook?type=cloudevents"
+}
+
+variable "webhook_secret" {
+  description = "Secret for webhook authentication"
+  type        = string
+  sensitive   = true
+}
+
+variable "ecr_repository_filter" {
+  description = "List of ECR repository names to monitor (empty list = all repositories)"
+  type        = list(string)
+  default     = []
+}
+
+variable "tags" {
+  description = "Tags to apply to all resources"
+  type        = map(string)
+  default = {
+    ManagedBy = "Terraform"
+    Purpose   = "ArgoCD-Image-Updater"
+  }
+}
diff --git a/config/examples/cloudevents/test-webhook.sh b/config/examples/cloudevents/test-webhook.sh
new file mode 100755
index 00000000..b6551326
--- /dev/null
+++ b/config/examples/cloudevents/test-webhook.sh
@@ -0,0 +1,92 @@
+#!/bin/bash
+# Test script for CloudEvents webhook
+# Usage: ./test-webhook.sh <webhook-url> <secret>
+
+set -e
+
+WEBHOOK_URL="${1:-http://localhost:8080/webhook?type=cloudevents}"
+SECRET="${2:-test-secret}"
+
+echo "Testing CloudEvents webhook..."
+echo "URL: ${WEBHOOK_URL}"
+echo ""
+
+# Test 1: ECR event
+echo "Test 1: AWS ECR push event"
+curl -X POST "${WEBHOOK_URL}" \
+  -H "Content-Type: application/json" \
+  -H "X-Webhook-Secret: ${SECRET}" \
+  -d '{
+    "specversion": "1.0",
+    "id": "test-ecr-event-001",
+    "type": "com.amazon.ecr.image.push",
+    "source": "urn:aws:ecr:us-east-1:123456789012:repository/my-app",
+    "subject": "my-app:v1.2.3",
+    "time": "2025-11-27T10:00:00Z",
+    "datacontenttype": "application/json",
+    "data": {
+      "repositoryName": "my-app",
+      "imageDigest": "sha256:abcdef1234567890",
+      "imageTag": "v1.2.3",
+      "registryId": "123456789012"
+    }
+  }' \
+  -w "\nHTTP Status: %{http_code}\n\n"
+
+# Test 2: Generic container event
+echo "Test 2: Generic container push event"
+curl -X POST "${WEBHOOK_URL}" \
+  -H "Content-Type: application/cloudevents+json" \
+  -H "X-Webhook-Secret: ${SECRET}" \
+  -d '{
+    "specversion": "1.0",
+    "id": "test-generic-event-001",
+    "type": "container.image.push",
+    "source": "https://registry.example.com",
+    "subject": "myapp/backend:v2.0.0",
+    "time": "2025-11-27T10:05:00Z",
+    "datacontenttype": "application/json",
+    "data": {
+      "repository": "myapp/backend",
+      "tag": "v2.0.0",
+      "digest": "sha256:fedcba0987654321",
+      "registryUrl": "registry.example.com"
+    }
+  }' \
+  -w "\nHTTP Status: %{http_code}\n\n"
+
+# Test 3: Missing secret (should fail)
+echo "Test 3: Missing secret (expected to fail)"
+curl -X POST "${WEBHOOK_URL}" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "specversion": "1.0",
+    "id": "test-fail-event-001",
+    "type": "com.amazon.ecr.image.push",
+    "source": "urn:aws:ecr:us-east-1:123456789012:repository/test",
+    "subject": "test:latest",
+    "data": {
+      "repositoryName": "test",
+      "imageTag": "latest",
+      "registryId": "123456789012"
+    }
+  }' \
+  -w "\nHTTP Status: %{http_code}\n\n" || echo "Expected failure"
+
+# Test 4: Invalid event type (should fail)
+echo "Test 4: Invalid event type (expected to fail)"
+curl -X POST "${WEBHOOK_URL}" \
+  -H "Content-Type: application/json" \
+  -H "X-Webhook-Secret: ${SECRET}" \
+  -d '{
+    "specversion": "1.0",
+    "id": "test-invalid-event-001",
+    "type": "com.example.database.updated",
+    "source": "https://db.example.com",
+    "data": {
+      "table": "users"
+    }
+  }' \
+  -w "\nHTTP Status: %{http_code}\n\n" || echo "Expected failure"
+
+echo "Testing complete!"
diff --git a/docs/configuration/webhook.md b/docs/configuration/webhook.md
index 506e7d77..d368cb3c 100644
--- a/docs/configuration/webhook.md
+++ b/docs/configuration/webhook.md
@@ -9,6 +9,7 @@ Currently Supported Registries:
 - GitHub Container Registry
 - Harbor
 - Quay
+- AWS ECR (via EventBridge CloudEvents)
 
 Using webhooks can help reduce some of the stress that is put on the 
 container registries and where you are running Image Updater by reducing the 
@@ -84,17 +85,83 @@ can be found here:
 - [GitHub Container Registry](https://docs.github.com/en/webhooks/webhook-events-and-payloads)
 - [Harbor](https://goharbor.io/docs/1.10/working-with-projects/project-configuration/configure-webhooks/)
 - [Quay](https://docs.quay.io/guides/notifications.html)
+- [AWS ECR via EventBridge](#aws-ecr-via-eventbridge-cloudevents) (see below)
 
 For the URL that you set for the webhook, your link should go as the following:
-```
+
+```text
 https://app1.example.com/webhook?type=<YOUR_REGISTRY_TYPE>
 # Value of `type` for each supported container registry
 # Docker = docker.io
 # GitHub Container Registry = ghcr.io
 # Harbor = harbor
 # Quay = quay.io
+# AWS ECR (via CloudEvents) = cloudevents
 ```
 
+### AWS ECR via EventBridge CloudEvents
+
+AWS ECR doesn't have built-in webhook support, but you can use AWS EventBridge to
+transform ECR push events into CloudEvents format and send them to the webhook server.
+
+#### Prerequisites
+
+- AWS account with ECR repositories
+- EventBridge configured in the same region as your ECR
+- Network access from EventBridge to your webhook endpoint
+
+#### Setup Steps
+
+1. **Create an EventBridge Rule** to capture ECR push events
+2. **Configure an Input Transformer** to convert to CloudEvents format  
+3. **Create an API Destination** pointing to your webhook endpoint
+4. **Set up IAM permissions** for EventBridge to invoke the API destination
+
+#### Example Terraform Configuration
+
+See `config/examples/cloudevents/terraform/` for a complete Terraform module that sets up:
+
+- EventBridge rule for ECR push events
+- Input transformer converting to CloudEvents format
+- API destination with authentication
+- IAM roles and policies
+
+#### CloudEvents Payload Format
+
+The EventBridge input transformer creates CloudEvents v1.0 compliant payloads:
+
+```json
+{
+  "specversion": "1.0",
+  "id": "<event-id>",
+  "type": "com.amazon.ecr.image.push",
+  "source": "urn:aws:ecr:<region>:<account>:repository/<repo>",
+  "subject": "<repo>:<tag>",
+  "time": "<timestamp>",
+  "datacontenttype": "application/json",
+  "data": {
+    "repositoryName": "<repo>",
+    "imageDigest": "sha256:...",
+    "imageTag": "<tag>",
+    "registryId": "<account>"
+  }
+}
+```
+
+#### Webhook URL for ECR
+
+```text
+https://your-webhook.example.com/webhook?type=cloudevents&secret=<YOUR_SECRET>
+```
+
+Or use the `X-Webhook-Secret` header for authentication (recommended with EventBridge
+Connection authentication).
+
+For complete setup instructions and examples, see:
+- `config/examples/cloudevents/terraform/` - Terraform configuration
+- `config/examples/cloudevents/kubernetes/` - Kubernetes manifests
+
+
 ## Secrets
 
 To help secure the webhook server you can apply a secret that is used to 
@@ -107,6 +174,7 @@ stringData:
   webhook.ghcr-secret: <YOUR_SECRET>
   webhook.harbor-secret: <YOUR_SECRET>
   webhook.quay-secret: <YOUR_SECRET>
+  webhook.cloudevents-secret: <YOUR_SECRET>
 ```
 
 You also need to configure the webhook notification to use the secret based 
@@ -143,6 +211,7 @@ Supported Registries That Use This:
 
 - Docker Hub
 - Quay
+- AWS ECR (via CloudEvents/EventBridge)
 
 Also be aware that if the container registry has a built-in secrets method you will
 not be able to use this method.
@@ -183,6 +252,7 @@ environment variables. Below is the list of which variables correspond to which
 |`GHCR_WEBHOOK_SECRET` |`--gchr-webhook-secret`|
 |`HARBOR_WEBHOOK_SECRET` |`--harbor-webhook-secret`|
 |`QUAY_WEBHOOK_SECRET` |`--quay-webhook-secret`|
+|`CLOUDEVENTS_WEBHOOK_SECRET` |`--cloudevents-webhook-secret`|
 |`WEBHOOK_RATELIMIT_ALLOWED`|`--webhook-ratelimit-allowed`|
 
 ## Adding Support For Other Registries
diff --git a/pkg/webhook/cloudevents.go b/pkg/webhook/cloudevents.go
new file mode 100644
index 00000000..6696f3d5
--- /dev/null
+++ b/pkg/webhook/cloudevents.go
@@ -0,0 +1,268 @@
+package webhook
+
+import (
+	"crypto/subtle"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+
+	"github.com/argoproj-labs/argocd-image-updater/pkg/argocd"
+	"github.com/argoproj-labs/argocd-image-updater/registry-scanner/pkg/log"
+)
+
+// CloudEventsWebhook handles CloudEvents webhook events
+// CloudEvents is a CNCF specification for describing event data in a common way
+// This handler supports events transformed by AWS EventBridge from ECR push events.
+type CloudEventsWebhook struct {
+	secret string
+}
+
+// NewCloudEventsWebhook creates a new CloudEvents webhook handler
+func NewCloudEventsWebhook(secret string) *CloudEventsWebhook {
+	return &CloudEventsWebhook{
+		secret: secret,
+	}
+}
+
+// GetRegistryType returns the registry type this handler supports
+func (c *CloudEventsWebhook) GetRegistryType() string {
+	return "cloudevents"
+}
+
+// Validate validates the CloudEvents webhook payload
+func (c *CloudEventsWebhook) Validate(r *http.Request) error {
+	logCtx := log.NewContext().AddField("logger", "cloudevents-webhook")
+
+	logCtx.Tracef("Validating request: method=%s, content-type=%s", r.Method, r.Header.Get("Content-Type"))
+
+	if r.Method != http.MethodPost {
+		return fmt.Errorf("invalid HTTP method: %s", r.Method)
+	}
+
+	// CloudEvents can use either structured or binary content mode
+	// For structured mode, check Content-Type
+	contentType := r.Header.Get("Content-Type")
+	if contentType != "" && !strings.Contains(contentType, "application/json") &&
+		!strings.Contains(contentType, "application/cloudevents+json") {
+		return fmt.Errorf("invalid content type: %s", contentType)
+	}
+
+	// If secret is configured, validate it
+	// CloudEvents doesn't have a standard authentication mechanism,
+	// so we support a simple query parameter or header-based secret
+	if c.secret != "" {
+		// Check for secret in query parameter
+		secret := r.URL.Query().Get("secret")
+		if secret == "" {
+			// Check for secret in header
+			secret = r.Header.Get("X-Webhook-Secret")
+		}
+
+		if secret == "" {
+			return fmt.Errorf("missing webhook secret")
+		}
+
+		if subtle.ConstantTimeCompare([]byte(secret), []byte(c.secret)) != 1 {
+			return fmt.Errorf("invalid webhook secret")
+		}
+	}
+
+	return nil
+}
+
+// Parse processes the CloudEvents webhook payload and returns a WebhookEvent
+func (c *CloudEventsWebhook) Parse(r *http.Request) (*argocd.WebhookEvent, error) {
+	logCtx := log.NewContext().AddField("logger", "cloudevents-webhook")
+
+	body, err := io.ReadAll(r.Body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read request body: %w", err)
+	}
+
+	logCtx.Tracef("Received payload: %s", string(body))
+
+	// CloudEvents specification: https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/spec.md
+	var payload struct {
+		SpecVersion     string                 `json:"specversion"`
+		Type            string                 `json:"type"`
+		Source          string                 `json:"source"`
+		Subject         string                 `json:"subject"`
+		ID              string                 `json:"id"`
+		Time            string                 `json:"time"`
+		DataContentType string                 `json:"datacontenttype"`
+		Data            map[string]interface{} `json:"data"`
+	}
+
+	if err := json.Unmarshal(body, &payload); err != nil {
+		return nil, fmt.Errorf("failed to parse webhook payload: %w", err)
+	}
+
+	logCtx.Tracef("Parsed CloudEvents: specversion=%s, type=%s, source=%s, subject=%s",
+		payload.SpecVersion, payload.Type, payload.Source, payload.Subject)
+
+	// Validate CloudEvents spec version
+	if payload.SpecVersion == "" {
+		return nil, fmt.Errorf("missing CloudEvents specversion")
+	}
+
+	if payload.Type == "" {
+		return nil, fmt.Errorf("missing CloudEvents type")
+	}
+
+	// Parse the event based on the type
+	return c.parseEvent(&payload, logCtx)
+}
+
+// parseEvent extracts webhook event data from CloudEvents payload
+func (c *CloudEventsWebhook) parseEvent(payload *struct {
+	SpecVersion     string                 `json:"specversion"`
+	Type            string                 `json:"type"`
+	Source          string                 `json:"source"`
+	Subject         string                 `json:"subject"`
+	ID              string                 `json:"id"`
+	Time            string                 `json:"time"`
+	DataContentType string                 `json:"datacontenttype"`
+	Data            map[string]interface{} `json:"data"`
+}, logCtx *log.LogContext) (*argocd.WebhookEvent, error) {
+	var repository, tag, digest, registryURL string
+
+	// If subject is in format "repo:tag", parse it first as fallback
+	// Use SplitN to handle tags containing colons (e.g., "repo:v1:hotfix")
+	if parts := strings.SplitN(payload.Subject, ":", 2); len(parts) == 2 {
+		repository = parts[0]
+		tag = parts[1]
+		logCtx.Tracef("Extracted from subject: repository=%s, tag=%s", repository, tag)
+	}
+
+	// Handle different event types
+	switch {
+	// AWS ECR push events
+	case strings.HasPrefix(payload.Type, "com.amazon.ecr."):
+		logCtx.Tracef("Processing AWS ECR event type: %s", payload.Type)
+
+		// Extract from data (overrides subject if present)
+		if repoName, ok := payload.Data["repositoryName"].(string); ok && repoName != "" {
+			repository = repoName
+		}
+		if imageTag, ok := payload.Data["imageTag"].(string); ok && imageTag != "" {
+			tag = imageTag
+		}
+		if imageDigest, ok := payload.Data["imageDigest"].(string); ok {
+			digest = imageDigest
+		}
+
+		logCtx.Tracef("Extracted from ECR data: repository=%s, tag=%s, digest=%s", repository, tag, digest)
+
+		// Extract registry URL from source
+		// Source format: urn:aws:ecr:<region>:<account>:repository/<repo>
+		registryURL = c.extractECRRegistryURL(payload.Source, payload.Data)
+		logCtx.Tracef("Extracted ECR registry URL: %s", registryURL)
+
+	// Generic container registry push events
+	case strings.Contains(payload.Type, "container") || strings.Contains(payload.Type, "image"):
+		logCtx.Tracef("Processing generic container/image event type: %s", payload.Type)
+
+		// Try to extract from data (overrides subject if present)
+		if repoName, ok := payload.Data["repositoryName"].(string); ok && repoName != "" {
+			repository = repoName
+		} else if repoName, ok := payload.Data["repository"].(string); ok && repoName != "" {
+			repository = repoName
+		}
+
+		if imageTag, ok := payload.Data["imageTag"].(string); ok && imageTag != "" {
+			tag = imageTag
+		} else if imageTag, ok := payload.Data["tag"].(string); ok && imageTag != "" {
+			tag = imageTag
+		}
+
+		if imageDigest, ok := payload.Data["imageDigest"].(string); ok {
+			digest = imageDigest
+		} else if imageDigest, ok := payload.Data["digest"].(string); ok {
+			digest = imageDigest
+		}
+
+		logCtx.Tracef("Extracted from data: repository=%s, tag=%s, digest=%s", repository, tag, digest)
+
+		// Try to extract registry URL from data or source
+		if regURL, ok := payload.Data["registryUrl"].(string); ok {
+			registryURL = regURL
+		} else if regURL, ok := payload.Data["registry"].(string); ok {
+			registryURL = regURL
+		} else {
+			registryURL = c.extractRegistryFromSource(payload.Source)
+		}
+
+		logCtx.Tracef("Extracted registry URL: %s", registryURL)
+
+	default:
+		return nil, fmt.Errorf("unsupported CloudEvents type: %s", payload.Type)
+	}
+
+	// Validate required fields
+	if repository == "" {
+		return nil, fmt.Errorf("repository name not found in CloudEvents payload")
+	}
+
+	if tag == "" {
+		return nil, fmt.Errorf("tag not found in CloudEvents payload")
+	}
+
+	if registryURL == "" {
+		return nil, fmt.Errorf("registry URL not found in CloudEvents payload")
+	}
+
+	logCtx.Tracef("Final webhook event: registry=%s, repository=%s, tag=%s, digest=%s",
+		registryURL, repository, tag, digest)
+
+	return &argocd.WebhookEvent{
+		RegistryURL: registryURL,
+		Repository:  repository,
+		Tag:         tag,
+		Digest:      digest,
+	}, nil
+}
+
+// extractECRRegistryURL extracts ECR registry URL from CloudEvents source
+// Source format: urn:aws:ecr:<region>:<account>:repository/<repo>
+func (c *CloudEventsWebhook) extractECRRegistryURL(source string, data map[string]interface{}) string {
+	// Try to extract from source URN
+	if strings.HasPrefix(source, "urn:aws:ecr:") {
+		parts := strings.Split(source, ":")
+		if len(parts) >= 5 {
+			region := parts[3]
+			account := parts[4]
+
+			// Use registryId from data if available (more reliable than source)
+			if registryID, ok := data["registryId"].(string); ok && registryID != "" {
+				account = registryID
+			}
+
+			return fmt.Sprintf("%s.dkr.ecr.%s.amazonaws.com", account, region)
+		}
+	}
+
+	return ""
+}
+
+// extractRegistryFromSource extracts registry URL from CloudEvents source field
+func (c *CloudEventsWebhook) extractRegistryFromSource(source string) string {
+	// If source is a URL, extract the host
+	if strings.HasPrefix(source, "http://") || strings.HasPrefix(source, "https://") {
+		parts := strings.Split(source, "/")
+		if len(parts) >= 3 {
+			return parts[2]
+		}
+	}
+
+	// If source contains a registry-like pattern (host.domain)
+	if strings.Contains(source, ".") {
+		parts := strings.Split(source, "/")
+		if len(parts) > 0 && strings.Contains(parts[0], ".") {
+			return parts[0]
+		}
+	}
+
+	return ""
+}
diff --git a/pkg/webhook/cloudevents_test.go b/pkg/webhook/cloudevents_test.go
new file mode 100644
index 00000000..72300af1
--- /dev/null
+++ b/pkg/webhook/cloudevents_test.go
@@ -0,0 +1,495 @@
+package webhook
+
+import (
+	"bytes"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestCloudEventsWebhook_GetRegistryType(t *testing.T) {
+	webhook := NewCloudEventsWebhook("")
+	assert.Equal(t, "cloudevents", webhook.GetRegistryType())
+}
+
+func TestCloudEventsWebhook_Validate(t *testing.T) {
+	tests := []struct {
+		name         string
+		method       string
+		contentType  string
+		secret       string
+		querySecret  string
+		headerSecret string
+		wantErr      bool
+		errContains  string
+	}{
+		{
+			name:        "valid request without secret",
+			method:      http.MethodPost,
+			contentType: "application/json",
+			secret:      "",
+			wantErr:     false,
+		},
+		{
+			name:        "valid request with CloudEvents content type",
+			method:      http.MethodPost,
+			contentType: "application/cloudevents+json",
+			secret:      "",
+			wantErr:     false,
+		},
+		{
+			name:        "valid request with query secret",
+			method:      http.MethodPost,
+			contentType: "application/json",
+			secret:      "test-secret",
+			querySecret: "test-secret",
+			wantErr:     false,
+		},
+		{
+			name:         "valid request with header secret",
+			method:       http.MethodPost,
+			contentType:  "application/json",
+			secret:       "test-secret",
+			headerSecret: "test-secret",
+			wantErr:      false,
+		},
+		{
+			name:        "invalid HTTP method",
+			method:      http.MethodGet,
+			contentType: "application/json",
+			wantErr:     true,
+			errContains: "invalid HTTP method",
+		},
+		{
+			name:        "invalid content type",
+			method:      http.MethodPost,
+			contentType: "text/plain",
+			wantErr:     true,
+			errContains: "invalid content type",
+		},
+		{
+			name:        "missing secret",
+			method:      http.MethodPost,
+			contentType: "application/json",
+			secret:      "test-secret",
+			wantErr:     true,
+			errContains: "missing webhook secret",
+		},
+		{
+			name:        "invalid secret",
+			method:      http.MethodPost,
+			contentType: "application/json",
+			secret:      "test-secret",
+			querySecret: "wrong-secret",
+			wantErr:     true,
+			errContains: "invalid webhook secret",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			webhook := NewCloudEventsWebhook(tt.secret)
+
+			req := httptest.NewRequest(tt.method, "/webhook", nil)
+			if tt.contentType != "" {
+				req.Header.Set("Content-Type", tt.contentType)
+			}
+			if tt.querySecret != "" {
+				q := req.URL.Query()
+				q.Set("secret", tt.querySecret)
+				req.URL.RawQuery = q.Encode()
+			}
+			if tt.headerSecret != "" {
+				req.Header.Set("X-Webhook-Secret", tt.headerSecret)
+			}
+
+			err := webhook.Validate(req)
+
+			if tt.wantErr {
+				require.Error(t, err)
+				if tt.errContains != "" {
+					assert.Contains(t, err.Error(), tt.errContains)
+				}
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}
+
+func TestCloudEventsWebhook_Parse_ECR(t *testing.T) {
+	tests := []struct {
+		name            string
+		payload         map[string]interface{}
+		wantRegistryURL string
+		wantRepository  string
+		wantTag         string
+		wantDigest      string
+		wantErr         bool
+		errContains     string
+	}{
+		{
+			name: "valid ECR push event",
+			payload: map[string]interface{}{
+				"specversion":     "1.0",
+				"id":              "12345678-1234-1234-1234-123456789012",
+				"type":            "com.amazon.ecr.image.push",
+				"source":          "urn:aws:ecr:us-east-1:123456789012:repository/my-repo",
+				"subject":         "my-repo:v1.0.0",
+				"time":            "2025-11-27T10:00:00Z",
+				"datacontenttype": "application/json",
+				"data": map[string]interface{}{
+					"repositoryName": "my-repo",
+					"imageDigest":    "sha256:abcdef1234567890",
+					"imageTag":       "v1.0.0",
+					"registryId":     "123456789012",
+				},
+			},
+			wantRegistryURL: "123456789012.dkr.ecr.us-east-1.amazonaws.com",
+			wantRepository:  "my-repo",
+			wantTag:         "v1.0.0",
+			wantDigest:      "sha256:abcdef1234567890",
+			wantErr:         false,
+		},
+		{
+			name: "ECR event with namespace in repository name",
+			payload: map[string]interface{}{
+				"specversion":     "1.0",
+				"id":              "12345678-1234-1234-1234-123456789012",
+				"type":            "com.amazon.ecr.image.push",
+				"source":          "urn:aws:ecr:eu-west-1:987654321098:repository/team/my-app",
+				"subject":         "team/my-app:latest",
+				"time":            "2025-11-27T10:00:00Z",
+				"datacontenttype": "application/json",
+				"data": map[string]interface{}{
+					"repositoryName": "team/my-app",
+					"imageDigest":    "sha256:1234567890abcdef",
+					"imageTag":       "latest",
+					"registryId":     "987654321098",
+				},
+			},
+			wantRegistryURL: "987654321098.dkr.ecr.eu-west-1.amazonaws.com",
+			wantRepository:  "team/my-app",
+			wantTag:         "latest",
+			wantDigest:      "sha256:1234567890abcdef",
+			wantErr:         false,
+		},
+		{
+			name: "ECR event with subject fallback",
+			payload: map[string]interface{}{
+				"specversion":     "1.0",
+				"id":              "12345678-1234-1234-1234-123456789012",
+				"type":            "com.amazon.ecr.image.push",
+				"source":          "urn:aws:ecr:us-west-2:111111111111:repository/myrepo",
+				"subject":         "myrepo:v2.1.0",
+				"time":            "2025-11-27T10:00:00Z",
+				"datacontenttype": "application/json",
+				"data": map[string]interface{}{
+					"imageDigest": "sha256:fedcba0987654321",
+					"registryId":  "111111111111",
+				},
+			},
+			wantRegistryURL: "111111111111.dkr.ecr.us-west-2.amazonaws.com",
+			wantRepository:  "myrepo",
+			wantTag:         "v2.1.0",
+			wantDigest:      "sha256:fedcba0987654321",
+			wantErr:         false,
+		},
+		{
+			name: "missing repository name",
+			payload: map[string]interface{}{
+				"specversion":     "1.0",
+				"id":              "12345678-1234-1234-1234-123456789012",
+				"type":            "com.amazon.ecr.image.push",
+				"source":          "urn:aws:ecr:us-east-1:123456789012:repository/test",
+				"time":            "2025-11-27T10:00:00Z",
+				"datacontenttype": "application/json",
+				"data": map[string]interface{}{
+					"imageTag":   "v1.0.0",
+					"registryId": "123456789012",
+				},
+			},
+			wantErr:     true,
+			errContains: "repository name not found",
+		},
+		{
+			name: "missing tag",
+			payload: map[string]interface{}{
+				"specversion":     "1.0",
+				"id":              "12345678-1234-1234-1234-123456789012",
+				"type":            "com.amazon.ecr.image.push",
+				"source":          "urn:aws:ecr:us-east-1:123456789012:repository/test",
+				"time":            "2025-11-27T10:00:00Z",
+				"datacontenttype": "application/json",
+				"data": map[string]interface{}{
+					"repositoryName": "test",
+					"registryId":     "123456789012",
+				},
+			},
+			wantErr:     true,
+			errContains: "tag not found",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			webhook := NewCloudEventsWebhook("")
+
+			body, err := json.Marshal(tt.payload)
+			require.NoError(t, err)
+
+			req := httptest.NewRequest(http.MethodPost, "/webhook", bytes.NewReader(body))
+			req.Header.Set("Content-Type", "application/json")
+
+			event, err := webhook.Parse(req)
+
+			if tt.wantErr {
+				require.Error(t, err)
+				if tt.errContains != "" {
+					assert.Contains(t, err.Error(), tt.errContains)
+				}
+			} else {
+				require.NoError(t, err)
+				require.NotNil(t, event)
+				assert.Equal(t, tt.wantRegistryURL, event.RegistryURL)
+				assert.Equal(t, tt.wantRepository, event.Repository)
+				assert.Equal(t, tt.wantTag, event.Tag)
+				assert.Equal(t, tt.wantDigest, event.Digest)
+			}
+		})
+	}
+}
+
+func TestCloudEventsWebhook_Parse_Generic(t *testing.T) {
+	tests := []struct {
+		name            string
+		payload         map[string]interface{}
+		wantRegistryURL string
+		wantRepository  string
+		wantTag         string
+		wantDigest      string
+		wantErr         bool
+		errContains     string
+	}{
+		{
+			name: "generic container push event",
+			payload: map[string]interface{}{
+				"specversion":     "1.0",
+				"id":              "event-123",
+				"type":            "com.example.container.push",
+				"source":          "https://registry.example.com",
+				"subject":         "myapp:v1.2.3",
+				"time":            "2025-11-27T10:00:00Z",
+				"datacontenttype": "application/json",
+				"data": map[string]interface{}{
+					"repository":  "myapp",
+					"tag":         "v1.2.3",
+					"digest":      "sha256:abc123",
+					"registryUrl": "registry.example.com",
+				},
+			},
+			wantRegistryURL: "registry.example.com",
+			wantRepository:  "myapp",
+			wantTag:         "v1.2.3",
+			wantDigest:      "sha256:abc123",
+			wantErr:         false,
+		},
+		{
+			name: "generic image event with alternate field names",
+			payload: map[string]interface{}{
+				"specversion":     "1.0",
+				"id":              "event-456",
+				"type":            "org.container.image.published",
+				"source":          "https://registry.company.com",
+				"subject":         "project/app:2.0.0",
+				"time":            "2025-11-27T10:00:00Z",
+				"datacontenttype": "application/json",
+				"data": map[string]interface{}{
+					"repositoryName": "project/app",
+					"imageTag":       "2.0.0",
+					"imageDigest":    "sha256:def456",
+					"registry":       "registry.company.com",
+				},
+			},
+			wantRegistryURL: "registry.company.com",
+			wantRepository:  "project/app",
+			wantTag:         "2.0.0",
+			wantDigest:      "sha256:def456",
+			wantErr:         false,
+		},
+		{
+			name: "event with source URL extraction",
+			payload: map[string]interface{}{
+				"specversion":     "1.0",
+				"id":              "event-789",
+				"type":            "container.push",
+				"source":          "https://ghcr.io/owner/repo",
+				"subject":         "owner/repo:v3.0.0",
+				"time":            "2025-11-27T10:00:00Z",
+				"datacontenttype": "application/json",
+				"data": map[string]interface{}{
+					"repository": "owner/repo",
+					"tag":        "v3.0.0",
+				},
+			},
+			wantRegistryURL: "ghcr.io",
+			wantRepository:  "owner/repo",
+			wantTag:         "v3.0.0",
+			wantErr:         false,
+		},
+		{
+			name: "missing specversion",
+			payload: map[string]interface{}{
+				"id":              "event-123",
+				"type":            "container.push",
+				"source":          "https://registry.example.com",
+				"datacontenttype": "application/json",
+				"data": map[string]interface{}{
+					"repository": "myapp",
+					"tag":        "v1.0.0",
+				},
+			},
+			wantErr:     true,
+			errContains: "missing CloudEvents specversion",
+		},
+		{
+			name: "missing type",
+			payload: map[string]interface{}{
+				"specversion":     "1.0",
+				"id":              "event-123",
+				"source":          "https://registry.example.com",
+				"datacontenttype": "application/json",
+				"data": map[string]interface{}{
+					"repository": "myapp",
+					"tag":        "v1.0.0",
+				},
+			},
+			wantErr:     true,
+			errContains: "missing CloudEvents type",
+		},
+		{
+			name: "unsupported event type",
+			payload: map[string]interface{}{
+				"specversion":     "1.0",
+				"id":              "event-123",
+				"type":            "com.example.database.updated",
+				"source":          "https://db.example.com",
+				"datacontenttype": "application/json",
+				"data": map[string]interface{}{
+					"table": "users",
+				},
+			},
+			wantErr:     true,
+			errContains: "unsupported CloudEvents type",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			webhook := NewCloudEventsWebhook("")
+
+			body, err := json.Marshal(tt.payload)
+			require.NoError(t, err)
+
+			req := httptest.NewRequest(http.MethodPost, "/webhook", bytes.NewReader(body))
+			req.Header.Set("Content-Type", "application/json")
+
+			event, err := webhook.Parse(req)
+
+			if tt.wantErr {
+				require.Error(t, err)
+				if tt.errContains != "" {
+					assert.Contains(t, err.Error(), tt.errContains)
+				}
+			} else {
+				require.NoError(t, err)
+				require.NotNil(t, event)
+				assert.Equal(t, tt.wantRegistryURL, event.RegistryURL)
+				assert.Equal(t, tt.wantRepository, event.Repository)
+				assert.Equal(t, tt.wantTag, event.Tag)
+				if tt.wantDigest != "" {
+					assert.Equal(t, tt.wantDigest, event.Digest)
+				}
+			}
+		})
+	}
+}
+
+func TestCloudEventsWebhook_ExtractECRRegistryURL(t *testing.T) {
+	tests := []struct {
+		name   string
+		source string
+		data   map[string]interface{}
+		want   string
+	}{
+		{
+			name:   "valid ECR URN",
+			source: "urn:aws:ecr:us-east-1:123456789012:repository/myrepo",
+			data:   map[string]interface{}{},
+			want:   "123456789012.dkr.ecr.us-east-1.amazonaws.com",
+		},
+		{
+			name:   "ECR URN with registryId fallback",
+			source: "urn:aws:ecr:eu-west-1:987654321098:repository/test",
+			data: map[string]interface{}{
+				"registryId": "987654321098",
+			},
+			want: "987654321098.dkr.ecr.eu-west-1.amazonaws.com",
+		},
+		{
+			name:   "invalid source format",
+			source: "invalid-source",
+			data:   map[string]interface{}{},
+			want:   "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			webhook := NewCloudEventsWebhook("")
+			got := webhook.extractECRRegistryURL(tt.source, tt.data)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
+func TestCloudEventsWebhook_ExtractRegistryFromSource(t *testing.T) {
+	tests := []struct {
+		name   string
+		source string
+		want   string
+	}{
+		{
+			name:   "https URL",
+			source: "https://registry.example.com/repo",
+			want:   "registry.example.com",
+		},
+		{
+			name:   "http URL",
+			source: "http://localhost:5000/myrepo",
+			want:   "localhost:5000",
+		},
+		{
+			name:   "domain pattern",
+			source: "ghcr.io/owner/repo",
+			want:   "ghcr.io",
+		},
+		{
+			name:   "no domain pattern",
+			source: "myrepo",
+			want:   "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			webhook := NewCloudEventsWebhook("")
+			got := webhook.extractRegistryFromSource(tt.source)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}

From 8d158071a57fca419a690c5d91b9b617736462a5 Mon Sep 17 00:00:00 2001
From: audacioustux <contact@audacioustux.com>
Date: Thu, 27 Nov 2025 23:15:15 +0600
Subject: [PATCH 02/17] fix(docs): correct typo in GHCR webhook secret flag
 name (gchr -> ghcr)

Signed-off-by: audacioustux <contact@audacioustux.com>
---
 docs/configuration/webhook.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/configuration/webhook.md b/docs/configuration/webhook.md
index d368cb3c..71f07c39 100644
--- a/docs/configuration/webhook.md
+++ b/docs/configuration/webhook.md
@@ -249,7 +249,7 @@ environment variables. Below is the list of which variables correspond to which
 |`ENABLE_WEBHOOK`|`--enable-webhook`|
 |`WEBHOOK_PORT`|`--webhook-port`|
 |`DOCKER_WEBHOOK_SECRET` |`--docker-webhook-secret`|
-|`GHCR_WEBHOOK_SECRET` |`--gchr-webhook-secret`|
+|`GHCR_WEBHOOK_SECRET` |`--ghcr-webhook-secret`|
 |`HARBOR_WEBHOOK_SECRET` |`--harbor-webhook-secret`|
 |`QUAY_WEBHOOK_SECRET` |`--quay-webhook-secret`|
 |`CLOUDEVENTS_WEBHOOK_SECRET` |`--cloudevents-webhook-secret`|

From 08d544ea19e1aeb8915addaa5edbee2196df92e3 Mon Sep 17 00:00:00 2001
From: audacioustux <contact@audacioustux.com>
Date: Thu, 27 Nov 2025 23:58:17 +0600
Subject: [PATCH 03/17] docs: add inline field comments to WebhookConfig struct

Improves documentation completeness by adding inline comments
to each field in the WebhookConfig struct, following Go
documentation best practices.

Signed-off-by: audacioustux <contact@audacioustux.com>
---
 cmd/common.go | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/cmd/common.go b/cmd/common.go
index 5328536f..42eed5b9 100644
--- a/cmd/common.go
+++ b/cmd/common.go
@@ -21,12 +21,19 @@ import (
 
 // WebhookConfig holds the options for the webhook server
 type WebhookConfig struct {
-	Port                        int
-	DockerSecret                string
-	GHCRSecret                  string
-	QuaySecret                  string
-	HarborSecret                string
-	CloudEventsSecret           string
+	// Port is the port number for the webhook server to listen on
+	Port int
+	// DockerSecret is the secret for validating Docker Hub webhooks
+	DockerSecret string
+	// GHCRSecret is the secret for validating GitHub Container Registry webhooks
+	GHCRSecret string
+	// QuaySecret is the secret for validating Quay webhooks
+	QuaySecret string
+	// HarborSecret is the secret for validating Harbor webhooks
+	HarborSecret string
+	// CloudEventsSecret is the secret for validating CloudEvents webhooks
+	CloudEventsSecret string
+	// RateLimitNumAllowedRequests is the number of allowed requests per hour for rate limiting
 	RateLimitNumAllowedRequests int
 }
 

From 0b0f8c23358628c6d12bd6796b169bbbbdfe836a Mon Sep 17 00:00:00 2001
From: audacioustux <contact@audacioustux.com>
Date: Fri, 28 Nov 2025 01:48:30 +0600
Subject: [PATCH 04/17] docs: clarify that 0 disables rate limiting in
 WebhookConfig

Updates the RateLimitNumAllowedRequests field comment to explicitly
state that setting it to 0 disables rate limiting, helping operators
understand the configuration behavior.

Signed-off-by: audacioustux <contact@audacioustux.com>
---
 cmd/common.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmd/common.go b/cmd/common.go
index 42eed5b9..647916d8 100644
--- a/cmd/common.go
+++ b/cmd/common.go
@@ -33,7 +33,7 @@ type WebhookConfig struct {
 	HarborSecret string
 	// CloudEventsSecret is the secret for validating CloudEvents webhooks
 	CloudEventsSecret string
-	// RateLimitNumAllowedRequests is the number of allowed requests per hour for rate limiting
+	// RateLimitNumAllowedRequests is the number of allowed requests per hour for rate limiting (0 disables rate limiting)
 	RateLimitNumAllowedRequests int
 }
 

From 2b4505b13de3d450689c5618dca9413816c2b806 Mon Sep 17 00:00:00 2001
From: audacioustux <contact@audacioustux.com>
Date: Thu, 4 Dec 2025 18:43:12 +0600
Subject: [PATCH 05/17] Refactor CloudEvents logging to match server.go pattern

Updated Validate(), Parse(), and parseEvent() to use context-based logging.
Added tests, documentation, and Kubernetes manifests for webhook secret.

Signed-off-by: Tanjim H. <contact@audacioustux.com>
---
 cmd/run_test.go               |  1 +
 cmd/webhook_test.go           |  1 +
 config/install.yaml           |  6 ++++++
 config/manager/manager.yaml   |  6 ++++++
 docs/configuration/webhook.md |  2 +-
 docs/install/cmd/run.md       |  6 ++++++
 docs/install/cmd/webhook.md   |  7 +++++++
 pkg/webhook/cloudevents.go    | 20 ++++++++++++++++----
 8 files changed, 44 insertions(+), 5 deletions(-)

diff --git a/cmd/run_test.go b/cmd/run_test.go
index f358eaa5..da94c3c6 100644
--- a/cmd/run_test.go
+++ b/cmd/run_test.go
@@ -64,6 +64,7 @@ func TestNewRunCommand(t *testing.T) {
 	asser.Equal(env.GetStringVal("GHCR_WEBHOOK_SECRET", ""), controllerCommand.Flag("ghcr-webhook-secret").Value.String())
 	asser.Equal(env.GetStringVal("QUAY_WEBHOOK_SECRET", ""), controllerCommand.Flag("quay-webhook-secret").Value.String())
 	asser.Equal(env.GetStringVal("HARBOR_WEBHOOK_SECRET", ""), controllerCommand.Flag("harbor-webhook-secret").Value.String())
+	asser.Equal(env.GetStringVal("CLOUDEVENTS_WEBHOOK_SECRET", ""), controllerCommand.Flag("cloudevents-webhook-secret").Value.String())
 	asser.Equal(strconv.Itoa(env.ParseNumFromEnv("WEBHOOK_RATELIMIT_ALLOWED", 0, 0, math.MaxInt)), controllerCommand.Flag("webhook-ratelimit-allowed").Value.String())
 
 	asser.Nil(controllerCommand.Help())
diff --git a/cmd/webhook_test.go b/cmd/webhook_test.go
index 548a3fc2..0c174d03 100644
--- a/cmd/webhook_test.go
+++ b/cmd/webhook_test.go
@@ -42,6 +42,7 @@ func TestNewWebhookCommand(t *testing.T) {
 	asser.Equal(env.GetStringVal("GHCR_WEBHOOK_SECRET", ""), controllerCommand.Flag("ghcr-webhook-secret").Value.String())
 	asser.Equal(env.GetStringVal("QUAY_WEBHOOK_SECRET", ""), controllerCommand.Flag("quay-webhook-secret").Value.String())
 	asser.Equal(env.GetStringVal("HARBOR_WEBHOOK_SECRET", ""), controllerCommand.Flag("harbor-webhook-secret").Value.String())
+	asser.Equal(env.GetStringVal("CLOUDEVENTS_WEBHOOK_SECRET", ""), controllerCommand.Flag("cloudevents-webhook-secret").Value.String())
 	asser.Equal(strconv.Itoa(env.ParseNumFromEnv("WEBHOOK_RATELIMIT_ALLOWED", 0, 0, math.MaxInt)), controllerCommand.Flag("webhook-ratelimit-allowed").Value.String())
 
 	asser.Nil(controllerCommand.Help())
diff --git a/config/install.yaml b/config/install.yaml
index 596c653e..246ef049 100644
--- a/config/install.yaml
+++ b/config/install.yaml
@@ -942,6 +942,12 @@ spec:
               key: webhook.harbor-secret
               name: argocd-image-updater-secret
               optional: true
+        - name: CLOUDEVENTS_WEBHOOK_SECRET
+          valueFrom:
+            secretKeyRef:
+              key: webhook.cloudevents-secret
+              name: argocd-image-updater-secret
+              optional: true
         - name: WEBHOOK_RATELIMIT_ALLOWED
           valueFrom:
             configMapKeyRef:
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index a9f152b0..47910228 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -169,6 +169,12 @@ spec:
                 name: argocd-image-updater-secret
                 key: webhook.harbor-secret
                 optional: true
+          - name: CLOUDEVENTS_WEBHOOK_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: argocd-image-updater-secret
+                key: webhook.cloudevents-secret
+                optional: true
           - name: WEBHOOK_RATELIMIT_ALLOWED
             valueFrom:
               configMapKeyRef:
diff --git a/docs/configuration/webhook.md b/docs/configuration/webhook.md
index 71f07c39..011cbb35 100644
--- a/docs/configuration/webhook.md
+++ b/docs/configuration/webhook.md
@@ -85,6 +85,7 @@ can be found here:
 - [GitHub Container Registry](https://docs.github.com/en/webhooks/webhook-events-and-payloads)
 - [Harbor](https://goharbor.io/docs/1.10/working-with-projects/project-configuration/configure-webhooks/)
 - [Quay](https://docs.quay.io/guides/notifications.html)
+- [CloudEvents Specification](https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/spec.md)
 - [AWS ECR via EventBridge](#aws-ecr-via-eventbridge-cloudevents) (see below)
 
 For the URL that you set for the webhook, your link should go as the following:
@@ -159,7 +160,6 @@ Connection authentication).
 
 For complete setup instructions and examples, see:
 - `config/examples/cloudevents/terraform/` - Terraform configuration
-- `config/examples/cloudevents/kubernetes/` - Kubernetes manifests
 
 
 ## Secrets
diff --git a/docs/install/cmd/run.md b/docs/install/cmd/run.md
index e30bfbd7..4ca28c4a 100644
--- a/docs/install/cmd/run.md
+++ b/docs/install/cmd/run.md
@@ -31,6 +31,12 @@ Secret for validating Docker Hub webhooks.
 
 Can also be set with the `DOCKER_WEBHOOK_SECRET` environment variable.
 
+**--cloudevents-webhook-secret *secret***
+
+Secret for validating CloudEvents webhooks from AWS EventBridge and other CloudEvents sources.
+
+Can also be set with the `CLOUDEVENTS_WEBHOOK_SECRET` environment variable.
+
 **--enable-http2 *disabled***
 
 If set, HTTP/2 will be enabled for the metrics and webhook servers.
diff --git a/docs/install/cmd/webhook.md b/docs/install/cmd/webhook.md
index ee287d12..b35991e1 100644
--- a/docs/install/cmd/webhook.md
+++ b/docs/install/cmd/webhook.md
@@ -14,6 +14,7 @@ Supported Registries:
 - GitHub Container Registry (GHCR)
 - Quay
 - Harbor
+- AWS EventBridge (CloudEvents)
 
 ### Flags
 
@@ -33,6 +34,12 @@ Secret for validating Docker Hub webhooks.
 
 Can also be set with the `DOCKER_WEBHOOK_SECRET` environment variable.
 
+**--cloudevents-webhook-secret *secret***
+
+Secret for validating CloudEvents webhooks from AWS EventBridge and other CloudEvents sources.
+
+Can also be set with the `CLOUDEVENTS_WEBHOOK_SECRET` environment variable.
+
 **--ghcr-webhook-secret *secret***
 
 Secret for validating GitHub container registry secrets.
diff --git a/pkg/webhook/cloudevents.go b/pkg/webhook/cloudevents.go
index 6696f3d5..99bb5f01 100644
--- a/pkg/webhook/cloudevents.go
+++ b/pkg/webhook/cloudevents.go
@@ -1,6 +1,7 @@
 package webhook
 
 import (
+	"context"
 	"crypto/subtle"
 	"encoding/json"
 	"fmt"
@@ -10,6 +11,7 @@ import (
 
 	"github.com/argoproj-labs/argocd-image-updater/pkg/argocd"
 	"github.com/argoproj-labs/argocd-image-updater/registry-scanner/pkg/log"
+	"github.com/sirupsen/logrus"
 )
 
 // CloudEventsWebhook handles CloudEvents webhook events
@@ -33,7 +35,11 @@ func (c *CloudEventsWebhook) GetRegistryType() string {
 
 // Validate validates the CloudEvents webhook payload
 func (c *CloudEventsWebhook) Validate(r *http.Request) error {
-	logCtx := log.NewContext().AddField("logger", "cloudevents-webhook")
+	webhookLogger := log.Log().WithFields(logrus.Fields{
+		"logger": "cloudevents-webhook",
+	})
+	ctx := log.ContextWithLogger(r.Context(), webhookLogger)
+	logCtx := log.LoggerFromContext(ctx)
 
 	logCtx.Tracef("Validating request: method=%s, content-type=%s", r.Method, r.Header.Get("Content-Type"))
 
@@ -74,7 +80,11 @@ func (c *CloudEventsWebhook) Validate(r *http.Request) error {
 
 // Parse processes the CloudEvents webhook payload and returns a WebhookEvent
 func (c *CloudEventsWebhook) Parse(r *http.Request) (*argocd.WebhookEvent, error) {
-	logCtx := log.NewContext().AddField("logger", "cloudevents-webhook")
+	webhookLogger := log.Log().WithFields(logrus.Fields{
+		"logger": "cloudevents-webhook",
+	})
+	ctx := log.ContextWithLogger(r.Context(), webhookLogger)
+	logCtx := log.LoggerFromContext(ctx)
 
 	body, err := io.ReadAll(r.Body)
 	if err != nil {
@@ -112,7 +122,7 @@ func (c *CloudEventsWebhook) Parse(r *http.Request) (*argocd.WebhookEvent, error
 	}
 
 	// Parse the event based on the type
-	return c.parseEvent(&payload, logCtx)
+	return c.parseEvent(&payload, ctx)
 }
 
 // parseEvent extracts webhook event data from CloudEvents payload
@@ -125,7 +135,9 @@ func (c *CloudEventsWebhook) parseEvent(payload *struct {
 	Time            string                 `json:"time"`
 	DataContentType string                 `json:"datacontenttype"`
 	Data            map[string]interface{} `json:"data"`
-}, logCtx *log.LogContext) (*argocd.WebhookEvent, error) {
+}, ctx context.Context) (*argocd.WebhookEvent, error) {
+	logCtx := log.LoggerFromContext(ctx)
+
 	var repository, tag, digest, registryURL string
 
 	// If subject is in format "repo:tag", parse it first as fallback

From 22ae8f0c62ca392425b81eb8f259139d890aa8b8 Mon Sep 17 00:00:00 2001
From: "Tanjim H." <contact@audacioustux.com>
Date: Thu, 4 Dec 2025 18:57:41 +0600
Subject: [PATCH 06/17] Fix import grouping in cloudevents.go

Reordered imports to match project convention:
- Standard library
- Third-party packages (logrus)
- Project packages (argocd-image-updater)

Signed-off-by: Tanjim H. <contact@audacioustux.com>
---
 pkg/webhook/cloudevents.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pkg/webhook/cloudevents.go b/pkg/webhook/cloudevents.go
index 99bb5f01..c3d0c1bb 100644
--- a/pkg/webhook/cloudevents.go
+++ b/pkg/webhook/cloudevents.go
@@ -9,9 +9,10 @@ import (
 	"net/http"
 	"strings"
 
+	"github.com/sirupsen/logrus"
+
 	"github.com/argoproj-labs/argocd-image-updater/pkg/argocd"
 	"github.com/argoproj-labs/argocd-image-updater/registry-scanner/pkg/log"
-	"github.com/sirupsen/logrus"
 )
 
 // CloudEventsWebhook handles CloudEvents webhook events

From d90c5b7afa8cbd8265228045b50e93e68efb0783 Mon Sep 17 00:00:00 2001
From: "Tanjim H." <contact@audacioustux.com>
Date: Thu, 4 Dec 2025 19:43:07 +0600
Subject: [PATCH 07/17] Improve CloudEvents webhook security and robustness

Remove full payload logging to prevent potential leakage of secrets or PII.
Add support for ARN prefix in ECR registry URL extraction alongside existing URN format.

Signed-off-by: Tanjim H. <contact@audacioustux.com>
---
 pkg/webhook/cloudevents.go | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/pkg/webhook/cloudevents.go b/pkg/webhook/cloudevents.go
index c3d0c1bb..ad3fed90 100644
--- a/pkg/webhook/cloudevents.go
+++ b/pkg/webhook/cloudevents.go
@@ -92,8 +92,6 @@ func (c *CloudEventsWebhook) Parse(r *http.Request) (*argocd.WebhookEvent, error
 		return nil, fmt.Errorf("failed to read request body: %w", err)
 	}
 
-	logCtx.Tracef("Received payload: %s", string(body))
-
 	// CloudEvents specification: https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/spec.md
 	var payload struct {
 		SpecVersion     string                 `json:"specversion"`
@@ -238,10 +236,10 @@ func (c *CloudEventsWebhook) parseEvent(payload *struct {
 }
 
 // extractECRRegistryURL extracts ECR registry URL from CloudEvents source
-// Source format: urn:aws:ecr:<region>:<account>:repository/<repo>
+// Source format: urn:aws:ecr:<region>:<account>:repository/<repo> or arn:aws:ecr:<region>:<account>:repository/<repo>
 func (c *CloudEventsWebhook) extractECRRegistryURL(source string, data map[string]interface{}) string {
-	// Try to extract from source URN
-	if strings.HasPrefix(source, "urn:aws:ecr:") {
+	// Try to extract from source URN/ARN
+	if strings.HasPrefix(source, "urn:aws:ecr:") || strings.HasPrefix(source, "arn:aws:ecr:") {
 		parts := strings.Split(source, ":")
 		if len(parts) >= 5 {
 			region := parts[3]

From ea60a5947b2f32297721861d165eba5b0f8df0e9 Mon Sep 17 00:00:00 2001
From: "Tanjim H." <contact@audacioustux.com>
Date: Thu, 4 Dec 2025 20:28:09 +0600
Subject: [PATCH 08/17] docs: reorganize CloudEvents documentation structure

Move CloudEvents spec reference from registry docs section to ECR
setup context where it's more relevant. Add CloudEvents to example
payloads section for consistency with other registry types.

Signed-off-by: Tanjim H. <contact@audacioustux.com>
---
 docs/configuration/webhook.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/docs/configuration/webhook.md b/docs/configuration/webhook.md
index 011cbb35..0b6e74db 100644
--- a/docs/configuration/webhook.md
+++ b/docs/configuration/webhook.md
@@ -85,7 +85,6 @@ can be found here:
 - [GitHub Container Registry](https://docs.github.com/en/webhooks/webhook-events-and-payloads)
 - [Harbor](https://goharbor.io/docs/1.10/working-with-projects/project-configuration/configure-webhooks/)
 - [Quay](https://docs.quay.io/guides/notifications.html)
-- [CloudEvents Specification](https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/spec.md)
 - [AWS ECR via EventBridge](#aws-ecr-via-eventbridge-cloudevents) (see below)
 
 For the URL that you set for the webhook, your link should go as the following:
@@ -105,6 +104,8 @@ https://app1.example.com/webhook?type=<YOUR_REGISTRY_TYPE>
 AWS ECR doesn't have built-in webhook support, but you can use AWS EventBridge to
 transform ECR push events into CloudEvents format and send them to the webhook server.
 
+For more information about the CloudEvents specification, see the [CloudEvents v1.0 spec](https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/spec.md).
+
 #### Prerequisites
 
 - AWS account with ECR repositories
@@ -274,6 +275,7 @@ registries supported.
 (View JSON Payload Format Section)
 - [Quay](https://docs.quay.io/guides/notifications.html)
 (View Repository Push Section)
+- [CloudEvents](#aws-ecr-via-eventbridge-cloudevents) (AWS ECR via EventBridge)
 
 ## Troubleshooting
 

From 865c4fd126c53d9a37050a48056b7acc9f79ee11 Mon Sep 17 00:00:00 2001
From: Tanjim Hossain <tangimhossain1@gmail.com>
Date: Thu, 4 Dec 2025 20:50:56 +0600
Subject: [PATCH 09/17] Update config/examples/cloudevents/test-webhook.sh

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Tanjim Hossain <tangimhossain1@gmail.com>
---
 config/examples/cloudevents/test-webhook.sh | 60 +++++++++++----------
 1 file changed, 32 insertions(+), 28 deletions(-)

diff --git a/config/examples/cloudevents/test-webhook.sh b/config/examples/cloudevents/test-webhook.sh
index b6551326..fac5b3b5 100755
--- a/config/examples/cloudevents/test-webhook.sh
+++ b/config/examples/cloudevents/test-webhook.sh
@@ -57,36 +57,40 @@ curl -X POST "${WEBHOOK_URL}" \
 
 # Test 3: Missing secret (should fail)
 echo "Test 3: Missing secret (expected to fail)"
-curl -X POST "${WEBHOOK_URL}" \
-  -H "Content-Type: application/json" \
-  -d '{
-    "specversion": "1.0",
-    "id": "test-fail-event-001",
-    "type": "com.amazon.ecr.image.push",
-    "source": "urn:aws:ecr:us-east-1:123456789012:repository/test",
-    "subject": "test:latest",
-    "data": {
-      "repositoryName": "test",
-      "imageTag": "latest",
-      "registryId": "123456789012"
-    }
-  }' \
-  -w "\nHTTP Status: %{http_code}\n\n" || echo "Expected failure"
+(
+  curl -X POST "${WEBHOOK_URL}" \
+    -H "Content-Type: application/json" \
+    -d '{
+      "specversion": "1.0",
+      "id": "test-fail-event-001",
+      "type": "com.amazon.ecr.image.push",
+      "source": "urn:aws:ecr:us-east-1:123456789012:repository/test",
+      "subject": "test:latest",
+      "data": {
+        "repositoryName": "test",
+        "imageTag": "latest",
+        "registryId": "123456789012"
+      }
+    }' \
+    -w "\nHTTP Status: %{http_code}\n\n"
+) || echo "Expected failure"
 
 # Test 4: Invalid event type (should fail)
 echo "Test 4: Invalid event type (expected to fail)"
-curl -X POST "${WEBHOOK_URL}" \
-  -H "Content-Type: application/json" \
-  -H "X-Webhook-Secret: ${SECRET}" \
-  -d '{
-    "specversion": "1.0",
-    "id": "test-invalid-event-001",
-    "type": "com.example.database.updated",
-    "source": "https://db.example.com",
-    "data": {
-      "table": "users"
-    }
-  }' \
-  -w "\nHTTP Status: %{http_code}\n\n" || echo "Expected failure"
+(
+  curl -X POST "${WEBHOOK_URL}" \
+    -H "Content-Type: application/json" \
+    -H "X-Webhook-Secret: ${SECRET}" \
+    -d '{
+      "specversion": "1.0",
+      "id": "test-invalid-event-001",
+      "type": "com.example.database.updated",
+      "source": "https://db.example.com",
+      "data": {
+        "table": "users"
+      }
+    }' \
+    -w "\nHTTP Status: %{http_code}\n\n"
+) || echo "Expected failure"
 
 echo "Testing complete!"

From d3c7f2cb5668387df0b3c12f56216079f8674642 Mon Sep 17 00:00:00 2001
From: Tanjim Hossain <tangimhossain1@gmail.com>
Date: Thu, 4 Dec 2025 20:51:24 +0600
Subject: [PATCH 10/17] Update docs/configuration/webhook.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Tanjim Hossain <tangimhossain1@gmail.com>
---
 docs/configuration/webhook.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/configuration/webhook.md b/docs/configuration/webhook.md
index 0b6e74db..c232a1de 100644
--- a/docs/configuration/webhook.md
+++ b/docs/configuration/webhook.md
@@ -115,7 +115,7 @@ For more information about the CloudEvents specification, see the [CloudEvents v
 #### Setup Steps
 
 1. **Create an EventBridge Rule** to capture ECR push events
-2. **Configure an Input Transformer** to convert to CloudEvents format  
+2. **Configure an Input Transformer** to convert to CloudEvents format
 3. **Create an API Destination** pointing to your webhook endpoint
 4. **Set up IAM permissions** for EventBridge to invoke the API destination
 

From 941914889cb19c08a32806682d4051e72ff92bbd Mon Sep 17 00:00:00 2001
From: Tanjim Hossain <tangimhossain1@gmail.com>
Date: Thu, 4 Dec 2025 20:51:53 +0600
Subject: [PATCH 11/17] Update config/examples/cloudevents/terraform/outputs.tf

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Tanjim Hossain <tangimhossain1@gmail.com>
---
 config/examples/cloudevents/terraform/outputs.tf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/examples/cloudevents/terraform/outputs.tf b/config/examples/cloudevents/terraform/outputs.tf
index 61ecb44f..badf65a1 100644
--- a/config/examples/cloudevents/terraform/outputs.tf
+++ b/config/examples/cloudevents/terraform/outputs.tf
@@ -16,4 +16,5 @@ output "eventbridge_role_arn" {
 output "webhook_endpoint" {
   description = "Configured webhook endpoint URL"
   value       = var.webhook_url
+  sensitive   = true
 }

From f9b6bc0d87ff7d6fd44f70ef86d20f4601df3095 Mon Sep 17 00:00:00 2001
From: Tanjim Hossain <tangimhossain1@gmail.com>
Date: Thu, 4 Dec 2025 20:54:36 +0600
Subject: [PATCH 12/17] Update config/examples/cloudevents/test-webhook.sh

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Tanjim Hossain <tangimhossain1@gmail.com>
---
 config/examples/cloudevents/test-webhook.sh | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/config/examples/cloudevents/test-webhook.sh b/config/examples/cloudevents/test-webhook.sh
index fac5b3b5..64043c82 100755
--- a/config/examples/cloudevents/test-webhook.sh
+++ b/config/examples/cloudevents/test-webhook.sh
@@ -1,6 +1,9 @@
 #!/bin/bash
 # Test script for CloudEvents webhook
-# Usage: ./test-webhook.sh <webhook-url> <secret>
+# Usage: 
+#   1. Make the script executable: chmod +x test-webhook.sh
+#      Then run: ./test-webhook.sh <webhook-url> <secret>
+#   2. Or run directly: bash test-webhook.sh <webhook-url> <secret>
 
 set -e
 

From fa25a7cab705fd5dee786e130f51afa5e2a7c7c2 Mon Sep 17 00:00:00 2001
From: Tanjim Hossain <tangimhossain1@gmail.com>
Date: Thu, 4 Dec 2025 20:54:59 +0600
Subject: [PATCH 13/17] Update docs/configuration/webhook.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Tanjim Hossain <tangimhossain1@gmail.com>
---
 docs/configuration/webhook.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/docs/configuration/webhook.md b/docs/configuration/webhook.md
index c232a1de..0f79c317 100644
--- a/docs/configuration/webhook.md
+++ b/docs/configuration/webhook.md
@@ -162,7 +162,6 @@ Connection authentication).
 For complete setup instructions and examples, see:
 - `config/examples/cloudevents/terraform/` - Terraform configuration
 
-
 ## Secrets
 
 To help secure the webhook server you can apply a secret that is used to 

From e842d259d3818e2ec4448f5c6e511646d209bf34 Mon Sep 17 00:00:00 2001
From: "Tanjim H." <contact@audacioustux.com>
Date: Thu, 4 Dec 2025 21:40:56 +0600
Subject: [PATCH 14/17] Add HTTPS validation for CloudEvents webhook URL

Enforce HTTPS-only URLs for webhook_url variable to prevent
X-Webhook-Secret header transmission over unencrypted HTTP.

Signed-off-by: Tanjim H. <contact@audacioustux.com>
---
 config/examples/cloudevents/terraform/variables.tf | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/config/examples/cloudevents/terraform/variables.tf b/config/examples/cloudevents/terraform/variables.tf
index 862fac0a..a4f59407 100644
--- a/config/examples/cloudevents/terraform/variables.tf
+++ b/config/examples/cloudevents/terraform/variables.tf
@@ -5,9 +5,14 @@ variable "aws_region" {
 }
 
 variable "webhook_url" {
-  description = "ArgoCD Image Updater webhook endpoint URL"
+  description = "ArgoCD Image Updater webhook endpoint URL (must use HTTPS)"
   type        = string
   # Example: "https://image-updater-webhook.example.com/webhook?type=cloudevents"
+
+  validation {
+    condition     = can(regex("^https://", var.webhook_url))
+    error_message = "webhook_url must use HTTPS protocol for secure credential transmission."
+  }
 }
 
 variable "webhook_secret" {

From 0849d9106f1d89211867938268dcb96d1fbdbe01 Mon Sep 17 00:00:00 2001
From: "Tanjim H." <contact@audacioustux.com>
Date: Sat, 6 Dec 2025 13:11:22 +0600
Subject: [PATCH 15/17] refactor: extract CloudEvents payload struct and fix
 validation

- Extract payload struct to reduce duplication between Parse() and parseEvent()
- Fix content-type validation to reject empty headers like Harbor does

Signed-off-by: Tanjim H. <contact@audacioustux.com>
---
 pkg/webhook/cloudevents.go | 36 +++++++++++++++---------------------
 1 file changed, 15 insertions(+), 21 deletions(-)

diff --git a/pkg/webhook/cloudevents.go b/pkg/webhook/cloudevents.go
index ad3fed90..5a4889d7 100644
--- a/pkg/webhook/cloudevents.go
+++ b/pkg/webhook/cloudevents.go
@@ -29,6 +29,18 @@ func NewCloudEventsWebhook(secret string) *CloudEventsWebhook {
 	}
 }
 
+// cloudEventsPayload represents the structure of a CloudEvents v1.0 payload
+type cloudEventsPayload struct {
+	SpecVersion     string                 `json:"specversion"`
+	Type            string                 `json:"type"`
+	Source          string                 `json:"source"`
+	Subject         string                 `json:"subject"`
+	ID              string                 `json:"id"`
+	Time            string                 `json:"time"`
+	DataContentType string                 `json:"datacontenttype"`
+	Data            map[string]interface{} `json:"data"`
+}
+
 // GetRegistryType returns the registry type this handler supports
 func (c *CloudEventsWebhook) GetRegistryType() string {
 	return "cloudevents"
@@ -51,7 +63,7 @@ func (c *CloudEventsWebhook) Validate(r *http.Request) error {
 	// CloudEvents can use either structured or binary content mode
 	// For structured mode, check Content-Type
 	contentType := r.Header.Get("Content-Type")
-	if contentType != "" && !strings.Contains(contentType, "application/json") &&
+	if !strings.Contains(contentType, "application/json") &&
 		!strings.Contains(contentType, "application/cloudevents+json") {
 		return fmt.Errorf("invalid content type: %s", contentType)
 	}
@@ -93,16 +105,7 @@ func (c *CloudEventsWebhook) Parse(r *http.Request) (*argocd.WebhookEvent, error
 	}
 
 	// CloudEvents specification: https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/spec.md
-	var payload struct {
-		SpecVersion     string                 `json:"specversion"`
-		Type            string                 `json:"type"`
-		Source          string                 `json:"source"`
-		Subject         string                 `json:"subject"`
-		ID              string                 `json:"id"`
-		Time            string                 `json:"time"`
-		DataContentType string                 `json:"datacontenttype"`
-		Data            map[string]interface{} `json:"data"`
-	}
+	var payload cloudEventsPayload
 
 	if err := json.Unmarshal(body, &payload); err != nil {
 		return nil, fmt.Errorf("failed to parse webhook payload: %w", err)
@@ -125,16 +128,7 @@ func (c *CloudEventsWebhook) Parse(r *http.Request) (*argocd.WebhookEvent, error
 }
 
 // parseEvent extracts webhook event data from CloudEvents payload
-func (c *CloudEventsWebhook) parseEvent(payload *struct {
-	SpecVersion     string                 `json:"specversion"`
-	Type            string                 `json:"type"`
-	Source          string                 `json:"source"`
-	Subject         string                 `json:"subject"`
-	ID              string                 `json:"id"`
-	Time            string                 `json:"time"`
-	DataContentType string                 `json:"datacontenttype"`
-	Data            map[string]interface{} `json:"data"`
-}, ctx context.Context) (*argocd.WebhookEvent, error) {
+func (c *CloudEventsWebhook) parseEvent(payload *cloudEventsPayload, ctx context.Context) (*argocd.WebhookEvent, error) {
 	logCtx := log.LoggerFromContext(ctx)
 
 	var repository, tag, digest, registryURL string

From ea6d8abcfd01f2ae83041244eaef012642b5ab01 Mon Sep 17 00:00:00 2001
From: "Tanjim H." <contact@audacioustux.com>
Date: Sat, 6 Dec 2025 13:11:28 +0600
Subject: [PATCH 16/17] test: add ARN format test for ECR registry URL

Add test coverage for arn:aws:ecr: format alongside existing
urn:aws:ecr: format.

Signed-off-by: Tanjim H. <contact@audacioustux.com>
---
 pkg/webhook/cloudevents_test.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pkg/webhook/cloudevents_test.go b/pkg/webhook/cloudevents_test.go
index 72300af1..b91f48dc 100644
--- a/pkg/webhook/cloudevents_test.go
+++ b/pkg/webhook/cloudevents_test.go
@@ -440,6 +440,12 @@ func TestCloudEventsWebhook_ExtractECRRegistryURL(t *testing.T) {
 			},
 			want: "987654321098.dkr.ecr.eu-west-1.amazonaws.com",
 		},
+		{
+			name:   "valid ARN format (arn:aws:ecr)",
+			source: "arn:aws:ecr:us-west-2:987654321098:repository/my-app",
+			data:   map[string]interface{}{},
+			want:   "987654321098.dkr.ecr.us-west-2.amazonaws.com",
+		},
 		{
 			name:   "invalid source format",
 			source: "invalid-source",

From d60ca9bee925920a0abd5b79fe3f9d3ed896cc4c Mon Sep 17 00:00:00 2001
From: "Tanjim H." <contact@audacioustux.com>
Date: Sat, 6 Dec 2025 13:11:34 +0600
Subject: [PATCH 17/17] docs: alphabetize flags and fix broken link

Move --cloudevents-webhook-secret to alphabetical position in
run.md and webhook.md. Remove non-existent kubernetes examples
directory reference.

Signed-off-by: Tanjim H. <contact@audacioustux.com>
---
 docs/configuration/webhook.md |  3 +--
 docs/install/cmd/run.md       | 12 ++++++------
 docs/install/cmd/webhook.md   | 12 ++++++------
 3 files changed, 13 insertions(+), 14 deletions(-)

diff --git a/docs/configuration/webhook.md b/docs/configuration/webhook.md
index 0f79c317..92fa1d89 100644
--- a/docs/configuration/webhook.md
+++ b/docs/configuration/webhook.md
@@ -159,8 +159,7 @@ https://your-webhook.example.com/webhook?type=cloudevents&secret=<YOUR_SECRET>
 Or use the `X-Webhook-Secret` header for authentication (recommended with EventBridge
 Connection authentication).
 
-For complete setup instructions and examples, see:
-- `config/examples/cloudevents/terraform/` - Terraform configuration
+For complete setup instructions and examples, see `config/examples/cloudevents/terraform/` for Terraform configuration.
 
 ## Secrets
 
diff --git a/docs/install/cmd/run.md b/docs/install/cmd/run.md
index 230ddfe4..9a65f262 100644
--- a/docs/install/cmd/run.md
+++ b/docs/install/cmd/run.md
@@ -17,6 +17,12 @@ Defaults to the namespace the controller is running in.
 
 Can also be set with the `ARGOCD_NAMESPACE` environment variable.
 
+**--cloudevents-webhook-secret *secret***
+
+Secret for validating CloudEvents webhooks from AWS EventBridge and other CloudEvents sources.
+
+Can also be set with the `CLOUDEVENTS_WEBHOOK_SECRET` environment variable.
+
 **--disable-kube-events**
 
 Disable kubernetes events
@@ -34,12 +40,6 @@ Secret for validating Docker Hub webhooks.
 
 Can also be set with the `DOCKER_WEBHOOK_SECRET` environment variable.
 
-**--cloudevents-webhook-secret *secret***
-
-Secret for validating CloudEvents webhooks from AWS EventBridge and other CloudEvents sources.
-
-Can also be set with the `CLOUDEVENTS_WEBHOOK_SECRET` environment variable.
-
 **--enable-http2 *disabled***
 
 If set, HTTP/2 will be enabled for the metrics and webhook servers.
diff --git a/docs/install/cmd/webhook.md b/docs/install/cmd/webhook.md
index b35991e1..9a677c6f 100644
--- a/docs/install/cmd/webhook.md
+++ b/docs/install/cmd/webhook.md
@@ -22,6 +22,12 @@ Supported Registries:
 
 namespace where ArgoCD runs in (current namespace by default)
 
+**--cloudevents-webhook-secret *secret***
+
+Secret for validating CloudEvents webhooks from AWS EventBridge and other CloudEvents sources.
+
+Can also be set with the `CLOUDEVENTS_WEBHOOK_SECRET` environment variable.
+
 **--disable-kube-events**
 
 Disable kubernetes events
@@ -34,12 +40,6 @@ Secret for validating Docker Hub webhooks.
 
 Can also be set with the `DOCKER_WEBHOOK_SECRET` environment variable.
 
-**--cloudevents-webhook-secret *secret***
-
-Secret for validating CloudEvents webhooks from AWS EventBridge and other CloudEvents sources.
-
-Can also be set with the `CLOUDEVENTS_WEBHOOK_SECRET` environment variable.
-
 **--ghcr-webhook-secret *secret***
 
 Secret for validating GitHub container registry secrets.