--- title: Slack slug: source-slack description: Learn how to configure TruffleHog, a powerful tool for scanning public and private channels on Slack. Discover the steps to add the app to Slack, enable necessary scopes, and integrate it with TruffleHog. Uncover TruffleHog's extensive capabilities, such icon: {"faIcon":"fa-brands fa-slack"} docTags: createdAt: 2024-04-17T14:47:54.202Z --- # Slack :::BlockQuote **Edition:** Enterprise only ::: The Slack integration scans messages, threads, and files across public and private channels in your Slack workspace for credentials and other sensitive data. To send TruffleHog detections to Slack as notifications, see the Slack notifier instead. The Slack source supports two scanning modes — **real-time scanning** of new messages as they're sent, and **historical scanning** of existing workspace content. They can be used together or independently. ## Real-time scanning Real-time scanning watches your workspace for new messages as they're sent and scans them in-flight. ### Configuration Real-time scanning is configured in TruffleHog under **Integrations**. Local configuration is not available for this mode. From the **Integrations** page in TruffleHog: 1. Click **Add Integration**. 2. Select **Slack** as the source. 3. Choose **Slack Real-time** and continue to TruffleHog's authorization handoff with Slack. 4. On Slack's authorization page, click **Allow** to grant TruffleHog access to your workspace. 5. Name your new integration. ### Capabilities | Feature | Supported | | -------------------------------------------------------- | --------- | | Real-time scanning | ✅ | | Scan public channels (including thread replies) | ✅ | | Scan edited messages | ✅ | | Scan private channels the TruffleHog bot is invited to | ✅ | | Scan private channels the authorizing user has access to | ✅ | | Scan direct messages the TruffleHog bot is included in | ✅ | | Scan direct messages the authorizing user is part of | ✅ | | Scan group DMs | ✅ | ## Historical scanning Historical scanning enumerates and scans existing content in your Slack workspace using a Slack app. ### Configuration Historical scanning can be configured in TruffleHog under **Integrations**, or via a local configuration file (below). **Web configuration is strongly recommended** — the UI install is faster to set up and runs at higher rate limits than a single-workspace app. Web configuration Configure this integration from the **Integrations** page in TruffleHog. The flow installs a Slack app on your behalf with the appropriate scopes and rate limits. Local configuration Local configuration requires creating a single-workspace Slack app and using its token. Multi-workspace scanning requires a separate app per workspace. **Step 1: Create the Slack app** 1. Go to the Slack app creation page and click to create a new app. 2. Give the app a name and select the workspace you want TruffleHog to scan. Each app is scoped to one workspace; create separate apps for additional workspaces. 3. In **User Token Scopes**, add the following scopes: - **users\:read** — read the user directory. - **users\:read.email** — read user email addresses. - **channels\:history** — read public channel message history. - **channels\:read** — list public channels. - **groups\:history** — read private channel message history. - **groups\:read** — list private channels. - **files\:read** — read file content for scanning. 4. Save the app and install it to your workspace. 5. If your account doesn't have permission to install apps, Slack routes the request to your workspace admin. Give them a heads-up before submitting. 6. Copy the generated token. You'll use it as the token value in the configuration below. **Step 2: Configure TruffleHog** :::BlockQuote sources: \- connection: "@type": type.googleapis.com/sources.Slack endpoint: https\://slack.ourbusiness.com token: XXXXXXXXXXXXXXXXXXXXXXXXXX channels: \- include-channel ignoreList: \- exclude-channel name: Slack scanPeriod: 12h type: SOURCE\_TYPE\_SLACK verify: true ::: Omit the channels field to scan all channels the token has access to. ### Configuration options | Field | Type | Required | Description | | ---------- | ------ | -------- | ------------------------------------------------------------------------ | | endpoint | string | No | The Slack API endpoint. Defaults to Slack Cloud. | | token | string | Yes | The Slack app token with the scopes listed above. | | channels | list | No | Explicit list of channels to scan. Omit to scan all accessible channels. | | ignoreList | list | No | Channels to skip during scanning. | ### Capabilities | Feature | Supported | | --------------------------------------------------------- | --------- | | Scan public channels | ✅ | | Scan private channels (authorizing user must have access) | Partial | | Scan attachments | ✅ | | Scan archive files | ✅ | | Scan base64-encoded data | ✅ | | Scan binaries | ✅ | | Scan Microsoft Office files | ✅ | | Include / exclude filters | ✅ | | Auto-resume | ✅ | ## Notes - Direct messages are not scanned by historical scanning. Use real-time scanning to cover DMs. - Private channel scanning in historical mode is limited to channels the authorizing user is a member of.