Slack Token
Bridgecrew Policy ID: BC_GIT_14
Severity: LOW
Description
Slack API tokens can be created for both members and bot users. For added security, it is recommended to rotate these tokens periodically. Slack will automatically revoke old tokens if they remain unused for long periods of time.
Fix - Buildtime
Slack
Step 1: Revoke the exposed secret.
Go to auth.revoke to revoke your token.
Method URL: https://slack.com/api/auth.revoke
Preferred HTTP method: GET
Accepted content types: application/x-www-form-urlencoded
Step 2: Clean the git history.
Go to the Settings section of your GitHub project and choose the Change visibility button at the bottom.
Step 3: Inspect Slack's Events API log to ensure the key was not utilized during the compromised period.
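Step 1 can be scripted so that revocation is confirmed rather than assumed. The following is an added example, not code from Bridgecrew or Slack; it assumes the token is sent in an `Authorization: Bearer` header, that Slack's `test=1` dry-run argument is wanted for rehearsal, and a hypothetical `SLACK_EXPOSED_TOKEN` environment variable.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

REVOKE_URL = "https://slack.com/api/auth.revoke"  # method URL given in Step 1


def build_revoke_request(token, dry_run=False):
    """Build the GET request. The token travels in the Authorization header
    (an assumption of this example) so it is not written to URL logs."""
    url = REVOKE_URL
    if dry_run:
        # Slack's test mode: the call is validated but the token is kept.
        url += "?" + urllib.parse.urlencode({"test": "1"})
    headers = {"Authorization": "Bearer " + token}
    return urllib.request.Request(url, headers=headers, method="GET")


def interpret_revoke_response(body):
    """Return (token_is_dead, detail) from the JSON body Slack sends back."""
    try:
        data = json.loads(body)
    except ValueError:
        return False, "non-JSON response"
    if not isinstance(data, dict):
        return False, "unexpected response shape"
    if data.get("ok"):
        if data.get("revoked"):
            return True, "revoked"
        return False, "accepted but not revoked (test mode)"
    error = data.get("error", "unknown_error")
    # token_revoked: already dead. Any other error needs a human to look.
    return error == "token_revoked", error


def revoke_token(token, dry_run=False):
    """Call auth.revoke and report whether the token is now unusable."""
    try:
        req = build_revoke_request(token, dry_run)
        with urllib.request.urlopen(req, timeout=10) as resp:
            return interpret_revoke_response(resp.read().decode("utf-8", "replace"))
    except urllib.error.URLError as exc:
        return False, "request failed: %s" % exc.reason


if __name__ == "__main__":
    # SLACK_EXPOSED_TOKEN is a hypothetical name; keeps the secret off argv.
    done, detail = revoke_token(os.environ["SLACK_EXPOSED_TOKEN"])
    print("token dead:", done, "-", detail)
    raise SystemExit(0 if done else 1)
```

A non-zero exit status means the token may still be live, so the remaining steps should not be treated as complete until it returns zero.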
Updated 5 months ago