Slack Token

Bridgecrew Policy ID: BC_GIT_14
Severity: LOW


Description

Slack API tokens can be created for both members (user tokens) and bot users (bot tokens). A token committed to source control gives anyone who can read the repository the same access that the user or bot holds, so treat any committed token as compromised. For added security, rotate these tokens periodically; Slack will also automatically revoke tokens that remain unused for long periods of time.

Fix - Buildtime

Slack

Step 1: Revoke the exposed secret.
Call auth.revoke, authenticating the request with the exposed token: the token that authenticates the call is the one that gets revoked, and a successful reply contains "revoked": true.
Method URL: https://slack.com/api/auth.revoke
Preferred HTTP method: GET
Accepted content types: application/x-www-form-urlencoded

Step 2: Clean the git history.
Changing the repository's visibility (the "Change visibility" button at the bottom of the GitHub project settings page) hides the repository but does not remove the token from the commit history: every clone, fork, and cached view still contains it. Rewrite the history with a tool such as git filter-repo or BFG Repo-Cleaner to purge the commits that contain the token, force-push the rewritten branches, and have collaborators re-clone. The revocation in Step 1 is what neutralizes the secret; cleaning the history only limits further exposure.

Step 3: Inspect Slack's access logs (the workspace Access Logs page, or the Audit Logs API on Enterprise Grid) to confirm the token was not used during the period of exposure.
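The following script is an added example, not Bridgecrew's or Slack's own code, that ties the detection and Step 1 together: it scans file contents for Slack-looking tokens and builds the auth.revoke call for a token it finds. The token pattern is an assumption tuned for illustration (it is not the exact regex Checkov uses), the sample .env content and the token in it are constructed and not real credentials, and the revocation request uses Slack's documented test=1 dry-run argument so it can be rehearsed before the real call.

```python
"""Find committed Slack tokens and revoke them via auth.revoke (added example)."""
import json
import re
import urllib.parse
import urllib.request

REVOKE_URL = "https://slack.com/api/auth.revoke"

# Assumed pattern: Slack tokens start with xox<kind>- (b = bot, p = user, ...)
# or xapp- followed by alphanumerics and hyphens. Illustrative, not Checkov's regex.
TOKEN_RE = re.compile(r"\b(?:xox[abprs]|xapp)-[0-9A-Za-z-]{10,}")

# Constructed sample of a .env file committed by mistake. The token is fake.
SAMPLE = """# constructed .env committed by mistake (fake token, not a real credential)
DB_URL=postgres://app:pw@db/app
SLACK_BOT_TOKEN=xoxb-000000000000-000000000000-FakeTokenForExample
"""


def find_slack_tokens(text):
    """Return (line_number, token) for every Slack-looking token in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN_RE.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def redact(token):
    """Keep only the prefix and tail for logging; never log the full secret."""
    return token[:5] + "..." + token[-4:]


def build_revoke_request(token, test=False):
    """GET auth.revoke authenticated with the token to revoke.

    Slack revokes the token that authenticates the call. With test=True the
    request carries Slack's test=1 argument, which reports what would happen
    without actually revoking anything.
    """
    url = REVOKE_URL
    if test:
        url += "?" + urllib.parse.urlencode({"test": 1})
    return urllib.request.Request(
        url,
        headers={"Authorization": "Bearer " + token},
        method="GET",
    )


def revoke_token(token, test=False, opener=urllib.request.urlopen):
    """Send the revocation; Slack answers e.g. {"ok": true, "revoked": true}."""
    with opener(build_revoke_request(token, test=test), timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for lineno, tok in find_slack_tokens(SAMPLE):
        print(f"line {lineno}: leaked Slack token {redact(tok)}")
        # Dry-run first, then drop test=True to revoke for real (network call):
        # print(revoke_token(tok, test=True))
```

Run the scanner over the files a secret scanner flagged (or over `git log -p` output) and, for each real hit, revoke the token before touching the history, since Step 1 is the part that closes the exposure.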