Skip to content

fix(ci): use slack incoming webhook for trufflehog alerts#16

Open
alexandre-parfin wants to merge 1 commit into
mainfrom
fix/trufflehog-slack-webhook
Open

fix(ci): use slack incoming webhook for trufflehog alerts#16
alexandre-parfin wants to merge 1 commit into
mainfrom
fix/trufflehog-slack-webhook

Conversation

@alexandre-parfin

Copy link
Copy Markdown

Summary

  • PR fix(ci): switch trufflehog alert from github issue to slack #15 wired SLACK_BOT_TOKEN into the scan workflow, but on the first post-merge run the Slack step failed with Missing input! A token must be provided to use the method decided. — the token is an org-level secret with selected visibility and rayls-explorer-frontend is not on its allowlist.
  • All 8 repos currently on that allowlist are private. This repo is public, so adding it would make it the first public consumer of a workspace-wide Slack bot token. A leaked bot token can post anywhere the bot is invited, read message metadata, etc. — wider blast radius than this use case needs.
  • Switch to a Slack Incoming Webhook: the URL is bound to a single channel and can only post (no read, no DMs, no other methods). A leaked webhook lets an attacker spam one alert channel, nothing else. Stored as a repo-level secret (SLACK_WEBHOOK_URL), so no org allowlist change either.
  • The channel field is removed from the JSON payload (Incoming Webhooks ignore it; the destination is encoded in the URL itself).

Required setup before merging

  1. Create the Incoming Webhook in Slack — Slack app config → Incoming Webhooks → Add New Webhook to Workspace → pick the alerts channel → copy the https://hooks.slack.com/services/T.../B.../... URL.
  2. Set the repo secret:
    gh secret set SLACK_WEBHOOK_URL --repo raylsnetwork/rayls-explorer-frontend
    
    (paste the URL when prompted)

If the secret is missing at run time, the step still has continue-on-error: true and just skips silently — the workflow won't crash. So merge order isn't critical, but Slack only fires once the secret is in place.

Test plan

  • After webhook + secret are configured, run Security History Scan via workflow_dispatch
  • Slack alerts channel receives the message with findings count, scan mode, scope, and link to the run
  • Fail on findings still flips the run red
  • Job summary still shows the findings table

The previous PR (#15) wired SLACK_BOT_TOKEN into the workflow, but
that token is an org-level secret with a `selected` allowlist that
currently only covers 8 private repos. Adding `rayls-explorer-frontend`
(public) to the allowlist would make it the first public repo with
access to a workspace-wide bot token — wider blast radius than needed
for this use case.

Switch to a Slack Incoming Webhook instead:
- a webhook URL is scoped to a single channel and can only post (no
  read, no DMs, no other API methods), so a leak is contained
- store it as a repo-level secret (SLACK_WEBHOOK_URL) — no org-wide
  allowlist change needed

Required follow-up before this works:
1. create an Incoming Webhook in Slack pointing at the alerts channel
2. set it as a repo secret with `gh secret set SLACK_WEBHOOK_URL`
@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant