Tags: slack, slack-api

Slack app got removed from workspace when bot token got published to public GitHub repo


I am working on a CI config to push to multiple projects on a remote server.

So I temporarily push them to a GitHub public project, which has a config.cfg file containing the lines below.

SLACK_BOT_TOKEN="xoxb-265693953920-1151243933765-cz72nwcOIUkd7cU8SjDYf5k7"
SLACK_DEFAULT_CHANNEL=ci

But weird stuff happens: Slackbot keeps throwing a message "removed an integration from this channel: {app name}" every time I push the config file. So I have to keep updating to a new token and reinstalling it to the workspace again.

By that I mean, my custom SlackBot keeps getting removed every time its Slack_Bot_Token gets pushed to the GitHub repo. Even when I wait a few hours or 10 minutes later, same results: it gets removed as soon as I push. (Also happening with a fresh new app.)

This is extremely weird behaviour, and I don't really think GitHub and Slack are linked together somehow that magically removes the app as soon as its token gets exposed.


Solution

  • This is extremely weird behaviour, and I don't really think GitHub and Slack are linked together somehow that magically removes the app as soon as its token gets exposed.

    They are, though: https://docs.github.com/en/code-security/secret-security/about-secret-scanning

    Secret scanning is a mechanism to do just that: detect accidentally leaked secrets on GitHub and report them to the affected service. There are 40+ partners already participating in this, including Slack.

    GitHub scans repositories for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally.

    Secret scanning is automatically enabled on public repositories. When you push to a public repository, GitHub scans the content of the commits for secrets. If you switch a private repository to public, GitHub scans the entire repository for secrets.

    Publishing a live token to a public GitHub repo, even intentionally, is probably not the right approach; I'd recommend using a private repo instead.
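The answer above describes GitHub's secret scanning doing the detection after the push, at which point the token is already public and the partner revokes it. The same check can be run locally before anything leaves the machine. The following is an added example, not code from the question, the answer, GitHub or Slack: a small scanner for `KEY=value` config files that flags values shaped like the `xoxb-` token in the question. The regex generalises the shape seen on this page (prefix `xox` plus one of `a`, `b`, `p`, `r`, then dash-separated alphanumeric segments) and is an assumption, not Slack's published token specification; the sample config and its token value are constructed.

```python
import re
import sys
from dataclasses import dataclass
from typing import List

# Assumed pattern generalised from the xoxb-<digits>-<digits>-<alnum> example
# in the question. Not an official Slack token grammar; tune it for your own
# token types before relying on it.
SLACK_TOKEN_RE = re.compile(r"\bxox[abpr]-[0-9A-Za-z]+(?:-[0-9A-Za-z]+)+\b")


@dataclass
class Finding:
    line_no: int    # 1-based line in the scanned file
    key: str        # config key whose value held the token
    redacted: str   # token with the middle removed, safe to print in CI logs


def redact(token: str) -> str:
    """Keep the type prefix and last four characters so the finding is
    recognisable without reproducing the secret in build output."""
    return token[:5] + "..." + token[-4:]


def scan_config(text: str) -> List[Finding]:
    """Scan KEY=value lines; blank lines and '#' comments are skipped.
    Only the value side is matched, so a key named *_TOKEN alone is not a hit."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        key, _, value = stripped.partition("=")
        for match in SLACK_TOKEN_RE.finditer(value):
            findings.append(Finding(line_no, key.strip(), redact(match.group(0))))
    return findings


def check_before_push(text: str) -> int:
    """Return a process exit code: 1 if any token-shaped value was found, else 0.
    Suitable as a git pre-commit / pre-push hook over config files."""
    findings = scan_config(text)
    for f in findings:
        print(f"line {f.line_no}: {f.key} contains a Slack-style token ({f.redacted})")
    return 1 if findings else 0


# Constructed sample with the same layout as the question's config.cfg.
# The token value is a placeholder of the right shape, not a real credential.
SAMPLE_CONFIG = """# constructed sample: same shape as the config.cfg in the question
SLACK_BOT_TOKEN="xoxb-123456789012-1234567890123-AbCdEfGhIjKlMnOpQrStUvWx"
SLACK_DEFAULT_CHANNEL=ci
"""

if __name__ == "__main__":
    # Usage: python scan_config.py config.cfg [more.cfg ...]
    # With no arguments the constructed sample is scanned instead.
    paths = sys.argv[1:]
    if not paths:
        sys.exit(check_before_push(SAMPLE_CONFIG))
    status = 0
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            status |= check_before_push(fh.read())
    sys.exit(status)
```

Wired into a pre-push hook this fails the push locally instead of letting GitHub's scanner find the token after publication. It only covers the one token shape shown on this page; dedicated secret scanners ship far larger pattern sets, and the answer's underlying advice stands regardless: a live token does not belong in a public repository at all.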