scan slack
Beta feature
This feature is currently available as beta. The beta functionality is stable but possibly incomplete and subject to change. We strongly discourage using beta features in production.
Note
You must have version 0.17.0 or higher of the Vault Radar CLI installed.
To check the current version of your CLI, use the version command.
The scan slack
command is used for scanning Slack channel(s) and identifying
messages that contain sensitive secrets.
Authentication
The scan slack
needs some authentication credentials in order to be able to
make requests to Slack. Follow the steps below to generate a User OAuth token
and specify the environment variable SLACK_USER_TOKEN to scan Slack channels.
- Create a Slack app
- Request scopes Within OAuth
& Permissions section, scroll down to Scopes section. Under User Token
Scopes, add scopes:
channels:read
,channels:history
,groups:read
andgroups:history
. Note: use User Token Scopes and not Bot Token Scopes. - Install and Authorize app
- Within OAuth & Permissions section, scroll down to OAuth Tokens for Your Workspace section, copy the value for User OAuth Token
Usage
Usage: vault-radar scan slack [options]
Command options
--outfile, -o
: Specifies the file to store information about found secrets (required)--format, -f
: Specifies the output format, csv and json are supported. Defaults to csv--baseline, -b
: Specifies the file with previous scan results. Only new secrets will be reported.--limit, -l
: Specifies the maximum number of secrets to be reported. The scan will stop when the limit is reached--url, -u
: Specifies the slack base API path to scan (required)--dm, -d
: Specifies the Slack dm to scan--channel, -c
: Specifies the Slack channel to scan--app, -a
: Specifies the Slack app to scan--index-file
: Specifies the index file path to use in order to determine which risks are Vaulted--offline
: Specifies that the scan should be run in offline mode, without connecting to HCP--disable-ui
: Specifies that the scan summary should not be logged to stdout--skip-activeness
: If specified, skips activeness checks
Examples
The following examples all assume you have already set the appropriate environment variable or that you intend to include them as part of the command you run.
Scanning messages in all accessible channels
Scan all public and private channels accessible by the Slack app (associated with SLACK_USER_TOKEN) and write the results to a file in CSV format, this is the default format for output. Default behaviour is to scan messages added in the last day.
$ vault-radar scan slack -o <PATH TO OUTPUT>.csv --offline
Scanning messages added in the recent past
Scan messages added in the last <TIME PERIOD>
days to all accessible public
and private channels.
$ vault-radar scan slack -t <TIME PERIOD> -o <PATH TO OUTPUT>.csv \ --offline
Scanning messages in a specific channel
Scan all messages in a Slack channel and write the results to a file in CSV format.
$ vault-radar scan slack -c <CHANNEL ID> -o <PATH TO OUTPUT>.csv \ --offline
Scanning all accessible channels and output in JSON
Scan all accessible public and private channels and write the results to a file in JSON Lines format.
$ vault-radar scan slack -o <PATH TO OUTPUT>.jsonl -f json --offline
HCP connection scanning behavior
The default behavior of scan commands is to require an HCP cloud connection to scan. This is to ensure that hashes are generated using a shared salt from the cloud keeping consistency across scans. In order to populate the HCP connection information needed, refer to the HCP upload page.
To allow for scanning to continue working without the need for HCP cloud
connection you can use the new --offline
flag as such.
$ vault-radar scan slack --offline -o <PATH TO OUTPUT>.csv
Scanning using a Vault index file
Perform a scan using a generated vault index and write the results to an outfile. In this mode, if a risk was previously found in Vault, the scan results will report the location in Vault as well.
$ vault-radar scan slack -o <PATH TO OUTPUT>.csv \ --index-file <PATH TO VAULT INDEX>.jsonl \ --offline
Scan and restrict the number of secrets found
Scan all accessible public and private channels and write the results to an outfile and stop scanning when the defined number of secrets are found.
$ vault-radar scan slack -o <PATH TO OUTPUT>.csv \ -l <NUM OF SECRETS> \ --offline