Secrets

Made by DeepSource

Hardcoded Slack access token in source code SCT-1006

Secrets
Critical

Leaking a Slack access token in source code is a critical finding: anyone who can read the repository (or its history, since a token stays recoverable after the commit that added it is reverted) can use the token to act against the workspace with whatever scopes it carries, which can result in a data breach and loss of sensitive information. Treat a token that has been committed as compromised: revoke it, generate a new one, and then fix the code so the new token is not hardcoded either.

It is recommended to store the access token in an environment variable (or a secrets manager that populates one) rather than in the source. This keeps the token out of the codebase and its version history, and it can be rotated without modifying or redeploying the code. Additionally, apply least privilege: install the app with only the OAuth scopes it needs, and prefer a bot token (prefix xoxb-) over a user token (prefix xoxp-), which acts with the full rights of the user who authorized it. Slack app-level tokens (prefix xapp-) are a separate token type: they are generated per app in the app settings and are used for app-level features such as Socket Mode, not as a general-purpose replacement for bot or user tokens when calling the Web API. Scopes for every token type are managed from the app's settings, and a compromised token can be revoked by removing the app from the workspace or by calling the auth.revoke Web API method with it.

Bad practice

import slack

# Hardcoded user token: anyone with read access to the repository, its history,
# or any build artefact that bundles this file gets full use of the token.
SLACK_TOKEN = "xoxp-XXXXXXXXXXXX-XXXXXXXXXXXX-XXXXXXXXXXXX-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

client = slack.WebClient(token=SLACK_TOKEN)

Recommended

import os

import slack

# Read the token from the environment and fail fast (KeyError) if it is not set,
# rather than constructing a client with token=None that only fails on its first
# API call. Use a bot token (xoxb-) with the minimum scopes the app needs.
SLACK_TOKEN = os.environ["SLACK_BOT_TOKEN"]

client = slack.WebClient(token=SLACK_TOKEN)
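The two halves of this rule, spotting token literals in source and loading the token safely at runtime, as an added example that is not DeepSource's own checker or Slack's code. The token prefixes (xoxb-, xoxp-, xapp-) are Slack's documented families; the tail of the regular expression is a deliberate simplification of Slack's exact token format, the sample source and its placeholder token values are constructed for the example, and the function names, the SLACK_BOT_TOKEN variable name and the redaction scheme are this example's own choices.

```python
import re
from typing import List, Mapping, Optional, Tuple

# Token families by prefix. The prefixes are Slack's; the tail pattern is a
# deliberately loose match (any run of token characters), not Slack's exact
# format, so a change in token length does not blind the scan.
TOKEN_RE = re.compile(r"\b(xoxb|xoxp|xapp)-[0-9A-Za-z-]{10,}")
TOKEN_KIND = {"xoxb": "bot", "xoxp": "user", "xapp": "app-level"}


def redact(token: str) -> str:
    """Keep the family prefix and the last four characters so a finding can be
    triaged without re-leaking the secret into scanner output or logs."""
    return f"{token[:5]}...{token[-4:]}"


def find_slack_tokens(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, token kind, redacted token) for every Slack token
    literal found in the given source text."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in TOKEN_RE.finditer(line):
            hits.append((lineno, TOKEN_KIND[match.group(1)], redact(match.group(0))))
    return hits


def token_problem(env: Mapping[str, str], name: str = "SLACK_BOT_TOKEN",
                  expected_prefix: str = "xoxb-") -> Optional[str]:
    """Return a description of what is wrong with the configured token, or None
    if it is present and belongs to the expected token family."""
    token = env.get(name)
    if not token:
        return f"{name} is not set"
    if not token.startswith(expected_prefix):
        # Catches the common mix-up of exporting an app-level (xapp-) token
        # where a Web API client needs a bot or user token.
        return (f"{name} does not start with {expected_prefix}; found a token "
                f"starting with {token[:5]}, check which token type the client needs")
    return None


def load_slack_token(env: Mapping[str, str], name: str = "SLACK_BOT_TOKEN",
                     expected_prefix: str = "xoxb-") -> str:
    """Read the token from the environment and fail fast on misconfiguration,
    instead of building a client that only fails on its first API call."""
    problem = token_problem(env, name, expected_prefix)
    if problem is not None:
        raise RuntimeError(problem)
    return env[name]


# Constructed sample source: the token values are placeholders, not real tokens.
SAMPLE_SOURCE = """\
import slack
SLACK_TOKEN = "xoxp-123456789012-123456789012-123456789012-0123456789abcdef0123456789abcdef"
APP_TOKEN = "xapp-1-A0123456789-1234567890123-0123456789abcdef0123456789abcdef"
client = slack.WebClient(token=SLACK_TOKEN)
"""

if __name__ == "__main__":
    import os

    for lineno, kind, redacted in find_slack_tokens(SAMPLE_SOURCE):
        print(f"line {lineno}: hardcoded Slack {kind} token {redacted}")
    problem = token_problem(os.environ)
    print("environment check:", problem or "SLACK_BOT_TOKEN is set and looks like a bot token")
```

Running the scan over the sample reports the user token on line 2 and the app-level token on line 3 with only their prefix and last four characters, which is the form a finding should take in CI output. The loader reports a missing variable and a token of the wrong family before any network call is made, so a deployment with the wrong token exported fails at start-up rather than on the first Slack request.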