{"id":37163961,"url":"https://github.com/sixt/hardcoded-slack-webhook-alerter","last_synced_at":"2026-01-14T19:29:24.388Z","repository":{"id":179147825,"uuid":"661676194","full_name":"Sixt/hardcoded-slack-webhook-alerter","owner":"Sixt","description":"This tool can be used to scan for hardcoded Slack webhooks and send an alert to each one about the dangers of hardcoded credentials.","archived":false,"fork":false,"pushed_at":"2025-09-16T15:46:16.000Z","size":23,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-09-16T18:10:51.960Z","etag":null,"topics":["credentials","devsecops","pentesting","secrets","security","security-tools"],"latest_commit_sha":null,"homepage":"https://www.sixt.tech","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Sixt.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-07-03T11:58:07.000Z","updated_at":"2025-09-16T15:46:13.000Z","dependencies_parsed_at":null,"dependency_job_id":"9856d81a-979d-4a7d-994b-b40e134515f5","html_url":"https://github.com/Sixt/hardcoded-slack-webhook-alerter","commit_stats":null,"previous_names":["sixt/hardcoded-slack-webhook-alerter"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Sixt/hardcoded-slack-webhook-alerter","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Sixt%2Fhardcoded-slack-webhook-alerter","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Sixt%2Fhardcoded-slack-webhook-alerter/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Sixt%2Fhardcoded-slack-webhook-alerter/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Sixt%2Fhardcoded-slack-webhook-alerter/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Sixt","download_url":"https://codeload.github.com/Sixt/hardcoded-slack-webhook-alerter/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Sixt%2Fhardcoded-slack-webhook-alerter/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28432615,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T18:57:19.464Z","status":"ssl_error","status_checked_at":"2026-01-14T18:52:48.501Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["credentials","devsecops","pentesting","secrets","security","security-tools"],"created_at":"2026-01-14T19:29:23.820Z","updated_at":"2026-01-14T19:29:24.372Z","avatar_url":"https://github.com/Sixt.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Hardcoded Slack Webhook Alerter\nThis tool can be used to scan for hardcoded Slack webhooks and send an alert to each one about the dangers of hardcoded credentials. This tool was built using [Credential-Detector](https://github.com/ynori7/credential-detector).\n\n### How it works\n1. It combs all repos locally cloned in the specified directories and collects the Slack webhooks.\n2. Then for each file where it found a webhook, it checks if it finds any slack channels hardcoded as well and links them to the webhook/repo combination.\n3. Then it iterates all the webhook/repo combos it found\n    - If there's no channel associated with it, then it just sends a payload to the webhook and lets it go to whatever default channel is configured.\n    - If it does have channels associated with the webhook/repo, it sends the payload to each of them.\n\n### Usage\n\n```\ngo run main.go\n```\n\nThe following configuration should be set in config/config.yaml: \n\n|Config Option|Description|Values|\n|-------------|-----------|------|\n|channel_pattern|The pattern used to detect Slack channels. The default pattern is looking for things shaped like this: #something_somethingelse (with an underscore)|A regular expression string|\n|directories|A list of directories to scan for hard-coded Slack webhooks|A list of strings|\n|github_org|The name of your Github organization (used for building links)|A string|\n|dry_run|When true, it'll output all the logs without actually sending anything to Slack|Boolean|\n\nExclusions for channels and webhooks can be added to `fullTextValueExcludePatterns` in `scanner/root_config.yaml`.\n\nThis tool is assuming that you the scan paths you provide contain GitHub repositories at the top level, each named after the repository. For example if you provide the directory \"/Users/me/go\", it expects each subdirectory to be a Git repo (this is how it decides the repository name and how it builds the GitHub links). If you don't structure things this way, the scanner will still find results, but the links won't be valid. Also note that when building the links, it's using `master`, which may not always be correct.\n\n### Scripts\nSince this tool requires you to have a lot of repositories cloned and updated, there are a few helpful scripts included in this repository. In `scripts/fetch-services.sh`, you can add a list of GitHub repos and your organization name, and it'll clone all of them into the current directory. You can update the list of directories in `scripts/update-all-git-repos.sh` to do a git pull of master/main in every repo you have cloned.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsixt%2Fhardcoded-slack-webhook-alerter","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsixt%2Fhardcoded-slack-webhook-alerter","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsixt%2Fhardcoded-slack-webhook-alerter/lists"}