A Cloudflare Worker that monitors Security events/ Rulesets and sends alerts to Slack when events are detected.
- Monitors Security events using Cloudflare's GraphQL API at account level
- Sends alerts to Slack when events are detected
- State management using KV to prevent duplicate alerts
- Configurable through environment variables and secrets
- Cloudflare account with API access
- Cloudflare Workers subscription
- Slack workspace with webhook URL
- Cloudflare API Token with appropriate permissions
- Click the "Deploy to Cloudflare" button above
- Create Workers KV and add bindings to worker as
ALERTS_KV - Update Variables and secrets in the Cloudflare dashboard
If you prefer to deploy manually:
-
Clone this repository:
git clone https://github.com/iamask/slack-alert-cloudflare-ruleset-engine.git cd slack-alert-cloudflare-ruleset-engine -
Install Wrangler CLI:
npm i -D wrangler@latest
-
Create KV Namespace (Required for state management):
Option A: Using Cloudflare Dashboard
- Go to Workers & Pages > KV
- Click "Create a namespace"
- Name it "ALERTS_KV"
- Copy the namespace ID
Option B: Using Wrangler CLI
wrangler kv:namespace create "ALERTS_KV"This will output something like:
Add the following to your wrangler.jsonc: { "kv_namespaces": [ { "binding": "ALERTS_KV", "id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" } ] } -
Configure your environment variables and secrets:
Required Variables:
API_TOKEN: Your Cloudflare API TokenACCOUNT_ID: Your Cloudflare Account Tag (Account ID)RULESET_ID: Ruleset ID for monitoringSLACK_WEBHOOK_URL: Your Slack Webhook URL
Configure these in either:
- Cloudflare Dashboard > Workers > Your Worker > Variables
- Or using Wrangler secrets:
wrangler secret bulk .env.vars or wrangler secret put API_TOKEN wrangler secret put SLACK_WEBHOOK_URL # ... repeat for other sensitive variables
-
Update
wrangler.jsoncwith your configuration: -
Deploy the worker:
wrangler deploy
- The worker runs every 30 minutes (configurable via cron trigger) // configurables
- It queries the last 24 hours of firewall events using Cloudflare's GraphQL API at account level
- The query filters for events matching:
- Override rule name containing "pages%"
- OR specific rule ID (configurable via RULESET_ID)
- When new events are detected:
- Sends an alert to Slack with event details
- Uses KV to maintain state and prevent duplicate alerts
- The worker requires appropriate API token permissions
- All sensitive operations are logged for audit purposes
- Events are filtered to focus on specific security patterns
MIT License - feel free to use this code for your own projects.


{ "name": "worker-name", "main": "src/index.js", "compatibility_date": "2025-06-10", "kv_namespaces": [ { "binding": "ALERTS_KV", "id": "your-kv-namespace-id" // Use the ID from step 3 } ], "triggers": { "crons": [ "*/30 * * * *" // Runs every 30 minutes ] } }