Slack
Edition: Enterprise only

The Slack integration scans messages, threads, and files across public and private channels in your Slack workspace for credentials and other sensitive data.

To send TruffleHog detections to Slack as notifications, see the Slack notifier instead.

The Slack source supports two scanning modes — real-time scanning of new messages as they're sent, and historical scanning of existing workspace content. They can be used together or independently.

Real-time scanning

Real-time scanning watches your workspace for new messages as they're sent and scans them in flight.

Configuration

Real-time scanning is configured in TruffleHog under Integrations. Local configuration is not available for this mode.

1. From the Integrations page in TruffleHog, click Add Integration.
2. Select Slack as the source.
3. Choose Slack Real-Time and continue to TruffleHog's authorization handoff with Slack.
4. On Slack's authorization page, click Allow to grant TruffleHog access to your workspace.
5. Name your new integration.

Capabilities

| Feature | Supported |
| --- | --- |
| Real-time scanning | ✅ |
| Scan public channels (including thread replies) | ✅ |
| Scan edited messages | ✅ |
| Scan private channels the TruffleHog bot is invited to | ✅ |
| Scan private channels the authorizing user has access to | ✅ |
| Scan direct messages the TruffleHog bot is included in | ✅ |
| Scan direct messages the authorizing user is part of | ✅ |
| Scan group DMs | ✅ |

Historical scanning

Historical scanning enumerates and scans existing content in your Slack workspace using a Slack app.

Configuration

Historical scanning can be configured in TruffleHog under Integrations, or via a local configuration file (below). Web configuration is strongly recommended — the UI install is faster to set up and runs at higher rate limits than a single-workspace app.

Web configuration

Configure this integration from the Integrations page in TruffleHog. The flow installs a Slack app on your behalf with the appropriate scopes and rate limits.

Local configuration

Local configuration requires creating a single-workspace Slack app and using its token. Multi-workspace scanning requires a separate app per workspace.

Step 1: Create the Slack app

1. Go to the Slack app creation page and click to create a new app.
2. Give the app a name and select the workspace you want TruffleHog to scan. Each app is scoped to one workspace; create separate apps for additional workspaces.
3. In User Token Scopes, add the following scopes:
   - users:read — read the user directory
   - users:read.email — read user email addresses
   - channels:history — read public channel message history
   - channels:read — list public channels
   - groups:history — read private channel message history
   - groups:read — list private channels
   - files:read — read file content for scanning
4. Save the app and install it to your workspace. If your account doesn't have permission to install apps, Slack routes the request to your workspace admin. Give them a heads-up before submitting.
5. Copy the generated token. You'll use it as the token value in the configuration below.

Step 2: Configure TruffleHog

```yaml
sources:
- connection:
    "@type": type.googleapis.com/sources.Slack
    endpoint: https://slack.ourbusiness.com
    token: xxxxxxxxxxxxxxxxxxxxxxxxxx
    channels:
    - include-channel
    ignoreList:
    - exclude-channel
  name: slack
  scanPeriod: 12h
  type: SOURCE_TYPE_SLACK
  verify: true
```

Omit the channels field to scan all channels the token has access to.

Configuration options

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| endpoint | string | No | The Slack API endpoint. Defaults to Slack cloud. |
| token | string | Yes | The Slack app token with the scopes listed above. |
| channels | list | No | Explicit list of channels to scan. Omit to scan all accessible channels. |
| ignoreList | list | No | Channels to skip during scanning. |

Capabilities

| Feature | Supported |
| --- | --- |
| Scan public channels | ✅ |
| Scan private channels (authorizing user must have access) | Partial |
| Scan attachments | ✅ |
| Scan archive files | ✅ |
| Scan base64-encoded data | ✅ |
| Scan binaries | ✅ |
| Scan Microsoft Office files | ✅ |
| Include / exclude filters | ✅ |
| Auto resume | ✅ |

Notes

- Direct messages are not scanned by historical scanning. Use real-time scanning to cover DMs.
- Private channel scanning in historical mode is limited to channels the authorizing user is a member of.
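Before putting a locally created token into the configuration, it is worth confirming that it carries the user token scopes listed in the local configuration steps and nothing beyond them. The following is an added example, not TruffleHog's own code: it assumes the Slack Web API reports a token's granted scopes in the `X-OAuth-Scopes` response header of `auth.test`, and the function names, the default API base URL and the sample header value are constructed for illustration.

```python
"""Audit a Slack user token's scopes against the set the historical scan needs."""
import urllib.request

# Scope -> purpose, as listed in "Step 1" of the local configuration.
REQUIRED = {
    "users:read": "read the user directory",
    "users:read.email": "read user email addresses",
    "channels:history": "read public channel message history",
    "channels:read": "list public channels",
    "groups:history": "read private channel message history",
    "groups:read": "list private channels",
    "files:read": "read file content for scanning",
}


def audit_scopes(header_value):
    """Compare an X-OAuth-Scopes header value with REQUIRED.

    Returns (missing, excess): missing maps each absent scope to the
    capability the scan loses; excess is the sorted list of granted
    scopes the scan does not need (candidates for removal).
    """
    granted = {s.strip() for s in header_value.split(",") if s.strip()}
    missing = {s: why for s, why in REQUIRED.items() if s not in granted}
    excess = sorted(granted - set(REQUIRED))
    return missing, excess


def fetch_scopes(token, api_base="https://slack.com/api"):
    """Call auth.test and return the X-OAuth-Scopes header (needs network).

    api_base is an assumed default; it is not taken from the page.
    """
    req = urllib.request.Request(
        api_base + "/auth.test",
        data=b"",  # empty body makes this a POST
        headers={"Authorization": "Bearer " + token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers.get("X-OAuth-Scopes", "")


if __name__ == "__main__":
    # Constructed header: groups:history is absent, chat:write is extra.
    sample = ("users:read,users:read.email,channels:history,"
              "channels:read,groups:read,files:read,chat:write")
    missing, excess = audit_scopes(sample)
    for scope, why in missing.items():
        print("MISSING", scope, "->", why)
    for scope in excess:
        print("EXCESS ", scope)
```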
