This guide walks you through creating a Slack app, assigning the right permissions, installing it, and testing connectivity with ghostlight.
- Create a Slack App
- Go to
https://api.slack.com/appsβ Create New App β From scratch. - Name your app (e.g., Ghostlight) and select your workspace.
- Add Bot User and Scopes
- In your app, go to: Features β App Home β Scroll to "App Display Name" to ensure a Bot User is enabled.
- Go to: Features β OAuth & Permissions β Scopes β Bot Token Scopes.
- Add the following read-only scopes (minimum for reading messages across channel types):
- channels:read
- channels:history
- groups:read
- groups:history
- im:read
- im:history
- mpim:read
- mpim:history
- users:read
Notes:
- If you want to restrict to only public channels, you can omit the private/DM scopes, but ghostlight will only read what the token is allowed to read.
- You do NOT need chat:write for scanning.
- Install the App to Workspace
- Go to: OAuth & Permissions β Install App (or Reinstall if you changed scopes).
- Copy the Bot User OAuth Token (starts with
xoxb-). Treat this as a secret.
- Invite the App to Channels
For each channel you want to scan:
- In Slack, open the channel and run
/invite @YourAppName.
- Get the Channel ID
Recommended to pass a channel ID to limit scope:
- In Slack channel: Channel details β About β Copy Channel ID (e.g.,
C0123456789). - Or from the channel URL:
https://yourworkspace.slack.com/archives/C0123456789.
- Test Connectivity
Ghostlight provides a preflight test.
Token only (auth check):
export SLACK_BOT_TOKEN='xoxb-...'
ghostlight test --scanner slack --target "$SLACK_BOT_TOKEN"Token + channel (auth + channel access check):
ghostlight test --scanner slack --target "$SLACK_BOT_TOKEN:C0123456789"Expected output includes lines like:
Slack token valid (team=..., bot_user=...)Slack channel access OK (channel=...)
- Run a Scan
Scan a specific channel:
ghostlight scan --scanner slack --target "$SLACK_BOT_TOKEN:C0123456789" --format json --output slack.jsonScan the first ~50 channels visible to the bot (broader):
ghostlight scan --scanner slack --target "$SLACK_BOT_TOKEN"- Generate a Known Test Finding (Optional)
To verify detections, post a test secret in the target channel, then rerun the scan:
- Troubleshooting
invalid_auth: Token is wrong or from another workspace. Use the Bot token (xoxb-...).channel_not_found: Wrong channel ID, or the bot is not invited to that channel.not_in_channel: Invite the app (/invite @YourAppName).missing_scope: Add the scopes listed above and reinstall the app.- User name shows as
unknown:- Ensure
users:readscope is added and the app reinstalled. - Some bot/webhook messages donβt include a real user; ghostlight falls back to
bot_profile.namewhere possible.
- Ensure
- Deprecation warnings from cryptography: harmless; to suppress on CLI:
PYTHONWARNINGS="ignore::CryptographyDeprecationWarning" ghostlight scan --scanner slack --target "$SLACK_BOT_TOKEN:C0123456789"
- Security Best Practices
- Treat
xoxb-...tokens as secrets. Do not commit to version control. - Use a dedicated Slack app with read-only scopes.
- Limit the app to only the channels you need (invite on demand).
- Rotate/revoke tokens when no longer needed.
- Slack App Management:
https://api.slack.com/apps - Conversations API:
https://api.slack.com/methods/conversations.history - Scopes reference:
https://api.slack.com/scopes