fix(notifications): enforce network policy and owner scoping on webhook delivery (#755)

[Ayushi-hi]

Related Issues

Closes #755

Type of Change

• Bug fix (non-breaking change which fixes an issue)

Summary

Notification webhooks bypassed the NetworkPolicyEngine entirely, allowing
webhook traffic to reach any destination regardless of denylist/allowlist
configuration. Additionally, notification rules were fetched without an
owner filter, meaning any user's webhook rule would fire on any other
user's findings (cross-tenant data leakage).

Changes Made

Fix 1 — Network policy check in send_webhook

Before sending any webhook HTTP request, the destination hostname is now
resolved and checked against NetworkPolicyEngine.check_access(). Webhooks
to blocked destinations are denied and logged to the network audit trail,
exactly like scanner plugin egress.

Fix 2 — Owner scoping in process_finding_notifications

Notification rules are now filtered by owner_id matching the finding's
owner. If a finding has no owner_id, notifications are skipped entirely
rather than firing all rules.

Files Changed

• backend/secuscan/notification_service.py

Checklist

• I have performed a self-review of my own code
• No plugin functionality was modified
• Webhook egress now appears in network audit log
• Cross-tenant notification rule firing is prevented

[utksh1]

Thanks for tackling the right issue. This needs changes before it can merge.

Blocking issues:

1. backend-unit is failing on this branch, so the required backend aggregate is skipped.

2. The network-policy check is not bound to the actual webhook connection. send_webhook resolves the hostname with socket.gethostbyname, checks that single IPv4 address, then passes the original URL to httpx, which performs its own DNS resolution when opening the connection. That leaves a DNS rebinding / multi-answer gap where the checked address can differ from the address actually contacted. Please route the request through a policy-enforced transport/resolver path or otherwise ensure the checked IP is the one used for the outbound connection.

3. The policy check only uses gethostbyname, so IPv6 destinations and multi-address DNS responses are not evaluated. Webhook egress policy needs to reject if any possible resolved destination is disallowed, or use an existing network-policy helper that already handles this consistently.

There is also a small cleanup item: the final version has a duplicated except httpx.HTTPError block in send_webhook.