Assess Slack Security with cnspec

Secure and enforce policy for your Slack workspaces

Rely on cnspec to ensure your Slack workspaces follow security best practices, such as enforcing two-factor authentication for all users, verifying that channels have a defined purpose, and auditing user roles and permissions across your workspace.

Prerequisites

To test your Slack workspace with cnspec, you must have:

Give cnspec access to your Slack workspace

Access to the Slack API requires an access token. We recommend using a user token.

  1. As a workspace administrator, create an app: Select Create an App and then select From Scratch.

  2. Specify an app name (we recommend Mondoo) and select the appropriate workspace.

  3. Select Create App.

  4. In the left-side navigation, select OAuth & Permissions.

  5. Scroll to Scopes. Under User Token Scopes, add these scopes:

    • admin (Required to view access logs. For details, read scopes: admin.)
    • channels:read
    • groups:read
    • im:read
    • mpim:read
    • team:read
    • usergroups:read
    • users:read
  6. Scroll to OAuth Tokens for Your Workspace and select Install to Workspace. Copy the token Slack provides.

To test access, open a cnspec shell and verify the connection:

cnspec shell slack --token YOUR_TOKEN
cnspec> slack.team
slack.team: {
  domain: "your-workspace"
  id: "T030KKBABCDE"
}

You can also set the SLACK_TOKEN environment variable to omit the --token flag:

export SLACK_TOKEN=YOUR_TOKEN
cnspec shell slack

Scan your Slack workspace

To scan your Slack workspace:

cnspec scan slack --token YOUR_TOKEN

Understand scan output

When a scan completes, cnspec prints a summary of all the checks it ran, grouped by policy. Each check shows a pass or fail result. For example:

✓ Pass:  Ensure all users have two-factor authentication enabled
✕ Fail:  Ensure all channels have a set purpose
✓ Pass:  Ensure no deactivated users remain in the workspace

At the end of the output, cnspec shows a risk score from 0 (no risk) to 100 (highest risk). Failed checks include remediation guidance to help you fix issues.

Scan with the Mondoo Slack Team Security policy

Mondoo maintains an out-of-the-box Slack Team Security policy that checks two-factor authentication, channel configuration, user roles, and more.

Mondoo Platform users: Enable the policy in your space. In the Mondoo Console, go to Findings > Policies, search for "Slack", and add the policy. All future scans of your Slack workspaces automatically evaluate against it. To learn more, read Manage Policies.

Open source users: Pass the policy bundle URL directly to cnspec:

cnspec scan slack --token YOUR_TOKEN \
  --policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-slack-team-security.mql.yaml

You can also create your own policies to meet your specific requirements.

Explore your Slack workspace

Run cnspec shell slack --token YOUR_TOKEN to open the cnspec interactive shell.

View all details for a user

cnspec> slack.users[1]{ * }
slack.users[1]: {
  profile: {
    displayName: ""
    email: "suki@lunalectric.io"
    firstName: "Suki"
    lastName: "Mbeze"
    realName: "Suki Mbeze"
    team: "T030KKBUGHG"
  }
  isBot: false
  deleted: false
  name: "suki"
  isAdmin: true
  has2FA: false
  locale: "en-US"
  realName: "Suki Mbeze"
  isOwner: true
  isPrimaryOwner: true
  ...
}

Find users with 2FA enabled

cnspec> slack.users.where{ has2FA == true }

List channel purposes

cnspec> slack.conversations.where( isChannel == true ) { name purpose }

Example security checks

Ensure all users have 2FA enabled

cnspec> slack.users { has2FA == true }

To include the user's name in the output when 2FA is not enabled:

cnspec> slack.users {
  if ( has2FA != true ) {
    has2FA == true
    realName
  }
}

Ensure all channels have a set purpose

cnspec> slack.conversations.where( isChannel == true ) {
  name
  purpose['value'] != ""
}

List all workspace admins and owners

cnspec> slack.users.admins { name realName isOwner }

Ensure no deactivated users remain in the workspace

cnspec> slack.users.members.where( deleted == true ) { name realName }

Check for externally shared channels

cnspec> slack.conversations.list.where( isExtShared == true ) { name isOrgShared }
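
The checks above can be packaged as a custom policy bundle, as mentioned under "Scan with the Mondoo Slack Team Security policy". This is an added example, not Mondoo's published policy and not part of the original page. The uid values, names, and impact scores are assumptions, and the asset.platform filter value is an assumption to confirm in your own cnspec shell.

```yaml
# Added example: custom policy bundle built from the queries on this page.
# All uid values, names and impact scores are illustrative assumptions.
policies:
  - uid: example-slack-baseline
    name: Example Slack Workspace Baseline
    version: 1.0.0
    groups:
      - title: Slack workspace checks
        # Assumption: the Slack provider reports this platform name.
        # Confirm by running `asset.platform` in `cnspec shell slack`.
        filters: asset.platform == "slack-team"
        checks:
          - uid: example-slack-2fa-active-humans
          - uid: example-slack-channel-purpose
          - uid: example-slack-no-deactivated-members
queries:
  - uid: example-slack-2fa-active-humans
    title: Ensure all active, non-bot users have two-factor authentication enabled
    impact: 90
    # Scoped with the isBot and deleted fields shown in the user record above,
    # so bot and deactivated accounts do not fail the check.
    mql: |
      slack.users.where(isBot == false && deleted == false).all(has2FA == true)
    docs:
      desc: Every active human account in the workspace must have 2FA enabled.
  - uid: example-slack-channel-purpose
    title: Ensure all channels have a set purpose
    impact: 30
    # Same condition as the page's query, written as a single assertion.
    mql: |
      slack.conversations.where(isChannel == true).all(purpose['value'] != "")
    docs:
      desc: Channels without a stated purpose are harder to review for data exposure.
  - uid: example-slack-no-deactivated-members
    title: Ensure no deactivated users remain in the workspace
    impact: 50
    # Fails if the page's listing query would return any user.
    mql: |
      slack.users.members.none(deleted == true)
    docs:
      desc: Deactivated accounts should not remain as workspace members.
```

Save the bundle under a name such as slack-baseline.mql.yaml (an assumed file name) and pass that path to --policy-bundle in place of the URL shown earlier.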

Continuously scan your fleet

To move beyond one-off scans, set up a Slack integration in Mondoo Platform. You get continuous monitoring across your Slack workspaces, a dashboard to track security posture over time, and integration with ticketing systems to manage remediation.
