RSTR-SEC-004 — Slack bot token (xoxb-…)

Summary

A Slack bot token (xoxb- + numeric IDs + secret material) is embedded in the repository. The token authenticates as the bot identity and can post to channels, read DMs the bot is in, and call any Slack Web API endpoint that the bot's OAuth scopes permit.

Severity

High.

Languages

Any scannable text file.

What rastray flags

SLACK_BOT_TOKEN = "xoxb-EXAMPLE-EXAMPLE-EXAMPLEEXAMPLEEXAMPLEEXAMPLE"

What rastray deliberately does not flag

  • Slack user tokens (xoxp-…) — a separate rule is planned; the current set covers bot tokens because those are the common-in-source case.
  • Documentation placeholders.
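An illustrative detector for the behaviour described above, added here as an example and not rastray's own matching code: the token shape regex, the entropy threshold used to drop documentation placeholders, and the sample file contents are all assumptions constructed for this example.

```python
import math
import re

# Assumed token shape (not rastray's actual pattern): "xoxb-", two numeric IDs,
# then a trailing alphanumeric secret, as described in the rule summary.
SLACK_BOT_TOKEN_RE = re.compile(r"\bxoxb-\d+-\d+-([A-Za-z0-9]{20,})\b")

# Real secret material is close to uniformly random; placeholders such as
# "xxxx..." or a repeated word sit well below this threshold (assumed value).
MIN_SECRET_ENTROPY_BITS = 3.0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character over the string's own symbol frequencies."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_slack_bot_tokens(text: str) -> list[tuple[int, str]]:
    """Return (line_number, token) for each likely-live bot token in text.

    User tokens (xoxp-) never match the pattern, and matches whose secret
    segment is low-entropy are treated as documentation placeholders.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SLACK_BOT_TOKEN_RE.finditer(line):
            if shannon_entropy(m.group(1)) >= MIN_SECRET_ENTROPY_BITS:
                findings.append((lineno, m.group(0)))
    return findings


# Constructed sample file contents; none of these are real credentials.
SAMPLE_SOURCE = """\
SLACK_BOT_TOKEN = "xoxb-123456789012-1234567890123-AbCdEfGhIjKlMnOpQrStUvWx"
# docs placeholder, should not be reported:
EXAMPLE_TOKEN = "xoxb-000000000000-0000000000000-xxxxxxxxxxxxxxxxxxxxxxxx"
# user token, out of scope for this rule:
SLACK_USER_TOKEN = "xoxp-123456789012-1234567890123-AbCdEfGhIjKlMnOpQrStUvWx"
"""

if __name__ == "__main__":
    for lineno, token in find_slack_bot_tokens(SAMPLE_SOURCE):
        print(f"line {lineno}: {token[:10]}... looks like a live Slack bot token")
```

Only the first sample line is reported: the placeholder fails the entropy check and the user token never matches the bot-token shape.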

How to fix it

  1. Revoke at https://api.slack.com/apps → your app → OAuth & Permissions → "Revoke token".

  2. Generate a new install / token.

  3. Store in environment or secret manager:

    import os
    from slack_sdk import WebClient  # pip install slack_sdk

    # Read the token from the environment at runtime; never hard-code it in source.
    slack = WebClient(token=os.environ['SLACK_BOT_TOKEN'])

  4. Rewrite git history if the token was ever committed; Slack's bot-token leak detection often catches this within minutes and auto-revokes, but don't rely on that.

References