The Slack2scan application scans a GitHub repository for hardcoded secrets using Gitleaks. It makes security testing easier and helps increase security adoption. It is not limited to hardcoded secrets: it can be extended to run SAST and DAST scans as well.
It abstracts away the complexity and provides a single Slack command to run security scans. The results are published back to the same Slack channel, so developers can run scans themselves without depending on the DevOps and AppSec teams.
The application is written in Python Flask, which makes it straightforward to add a library for any new security tool.
- Docker
- Docker-compose
- Create an app in your Slack account: https://api.slack.com/apps
- Select Create App -> From Scratch
- Enter the App Name and select the workspace to deploy the app to
- Copy the Signing Secret
- Under OAuth & Permissions, add the following scopes:
  channels:read chat:write chat:write.public commands
- Install the app in the workspace
- Slash Commands -> Create New Command -> Save
  Command: /scan
  Request URL: https://<FQDN>/s2s/scan
  Short Description: Scan repository
  Usage Hints: /scan <URL> <Branch - Optional>
- Turn on Interactivity & Shortcuts, set the Request URL, and Save Changes
  Request URL: https://<FQDN>/s2s/interactive
- Clone the repository
  cd /Data
  git clone https://github.com/govindasamyarun/slack2scan.git
- Edit the docker-compose.yml file to include the signing secret and application hostname values
  pwd: /Data/slack2scan
  vi docker-compose.yml
  environment:
    SLACK_SIGNING_SECRET: <Paste the signing secret>
    S2S_HOST_NAME: <Enter the application hostname>
- Start the container
  pwd: /Data/slack2scan
  docker-compose up --detach
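The SLACK_SIGNING_SECRET configured above is what lets the service reject forged /scan requests. As an added example (not the Slack2scan project's own code), this is how the handler behind https://<FQDN>/s2s/scan should verify Slack's request signature before launching a scan. The X-Slack-Signature and X-Slack-Request-Timestamp headers and the v0 HMAC-SHA256 scheme are Slack's documented ones; the function names and the sample secret, timestamp and body are assumptions constructed for this example.

```python
"""Verify that a slash-command request really came from Slack before scanning."""
import hashlib
import hmac
import time

SIGNATURE_VERSION = "v0"      # prefix used by Slack's current signing scheme
MAX_SKEW_SECONDS = 5 * 60     # reject requests whose timestamp is more than 5 min off


def compute_signature(signing_secret: str, timestamp: str, body: bytes) -> str:
    """Return the "v0=<hex>" value Slack sends in X-Slack-Signature.

    The signed basestring is "v0:<X-Slack-Request-Timestamp>:<raw request body>";
    the MAC is HMAC-SHA256 keyed with the app's Signing Secret.
    """
    basestring = f"{SIGNATURE_VERSION}:{timestamp}:".encode() + body
    digest = hmac.new(signing_secret.encode(), basestring, hashlib.sha256).hexdigest()
    return f"{SIGNATURE_VERSION}={digest}"


def verify_slack_request(signing_secret: str, timestamp: str, body: bytes,
                         signature: str, now=None) -> bool:
    """True only when the timestamp is fresh and the signature matches the body."""
    now = time.time() if now is None else now
    try:
        request_time = int(timestamp)
    except (TypeError, ValueError):
        return False                      # missing or malformed timestamp header
    if abs(now - request_time) > MAX_SKEW_SECONDS:
        return False                      # stale: a replayed capture of an old request
    expected = compute_signature(signing_secret, timestamp, body)
    try:
        # Constant-time comparison so the check does not leak how many bytes matched.
        return hmac.compare_digest(expected, signature or "")
    except TypeError:
        return False                      # non-ASCII junk in the header is not a signature


if __name__ == "__main__":
    # Constructed sample values; in the app the secret comes from SLACK_SIGNING_SECRET
    # and the header/body values from the Flask request object.
    secret = "example-signing-secret"
    ts = "1700000000"
    body = b"command=%2Fscan&text=https%3A%2F%2Fgithub.com%2Fexample%2Frepo+main"
    sig = compute_signature(secret, ts, body)
    print(verify_slack_request(secret, ts, body, sig, now=1700000010))         # True
    print(verify_slack_request(secret, ts, body + b"x", sig, now=1700000010))  # False
```

In the Flask handler, pass `request.headers.get("X-Slack-Request-Timestamp")`, `request.get_data()` and `request.headers.get("X-Slack-Signature")` and respond with 401 when the function returns False. The raw request body must be used as received, not a re-serialised form, or the MAC will not match.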
Use the Issues tab to report any problems.
Distributed under the MIT License. See LICENSE for more information.