Secure Slack with cnspec
Scan Slack workspaces against security and compliance best practices with cnspec.
Scan your Slack workspaces to find security risks before they become incidents. cnspec evaluates two-factor authentication, channel configuration, user roles, externally shared channels, and dozens of other Slack controls.
If you're new to cnspec, start with the Quickstart. For an overview of every SaaS service cnspec can scan, see the SaaS scanning overview.
Prerequisites
To test your Slack workspace with cnspec, you must have:
- cnspec installed on your workstation
- Administrator access to a Slack workspace
Give cnspec access to your Slack workspace
Access to the Slack API requires an access token. We recommend using a user token.
-
As a workspace administrator, create an app: Select Create an App and then select From Scratch.
-
Specify an app name (we recommend Mondoo) and select the appropriate workspace.
-
Select Create App.
-
In the left-side navigation, select OAuth & Permissions.
-
Scroll to Scopes. Under User Token Scopes, add these scopes:
- admin: (Required to view access logs. For details, read scopes: admin.)
- channels:read
- groups:read
- im:read
- mpim:read
- team:read
- usergroups:read
- users:read
-
Scroll to OAuth Tokens for Your Workspace and select Install to Workspace. Copy the token Slack provides.
To test access, open a cnspec shell and verify the connection:
cnspec shell slack --token YOUR_TOKENcnspec> slack.team
slack.team: {
domain: "your-workspace"
id: "T030KKBABCDE"
}You can also set the SLACK_TOKEN environment variable to omit the --token flag:
export SLACK_TOKEN=YOUR_TOKEN
cnspec shell slackConnection options
| Option | Description |
|---|---|
--token | Slack API token |
--team-id | Team ID, required if the token is an org token |
Scan your Slack workspace
To scan your Slack workspace:
cnspec scan slack --token YOUR_TOKENUnderstand scan output
When a scan completes, cnspec prints a summary of all the checks it ran, grouped by policy. Each check shows a pass or fail result. For example:
✓ Pass: Ensure all users have two-factor authentication enabled
✕ Fail: Ensure all channels have a set purpose
✓ Pass: Ensure no deactivated users remain in the workspaceAt the end of the output, cnspec shows a risk score from 0 (no risk) to 100 (highest risk). Failed checks include remediation guidance to help you fix issues. To learn more about reading scan results, read Understand cnspec Results.
Scan with the Mondoo Slack Team Security policy
Mondoo maintains an out of the box Slack Team Security policy that checks two-factor authentication, channel configuration, user roles, and more.
Mondoo Platform users: Enable the policy in your space. In the Mondoo App, go to Findings > Policies, search for "Slack", and add the policy. All future scans of your Slack workspaces automatically evaluate against it. To learn more, read Manage policies in Mondoo Platform.
Open source users: Pass the policy bundle URL directly to cnspec:
cnspec scan slack --token YOUR_TOKEN \
--policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-slack-team-security.mql.yamlYou can also create your own policies to meet your specific requirements.
Explore your Slack workspace
Run cnspec shell slack --token YOUR_TOKEN to open the cnspec interactive shell.
View all details for a user
cnspec> slack.users[1]{ * }
slack.users[1]: {
profile: {
displayName: ""
email: "suki@lunalectric.io"
firstName: "Suki"
lastName: "Mbeze"
realName: "Suki Mbeze"
team: "T030KKBUGHG"
}
isBot: false
deleted: false
name: "suki"
isAdmin: true
has2FA: false
locale: "en-US"
realName: "Suki Mbeze"
isOwner: true
isPrimaryOwner: true
...
}Find users with 2FA enabled
cnspec> slack.users.where(has2FA == true)List channel purposes
cnspec> slack.conversations.where( isChannel == true ) { name purpose }Example security checks
Ensure all users have 2FA enabled
cnspec> slack.users.all(has2FA == true)
[ok] value: trueTo find the names of users without 2FA when the check fails:
cnspec> slack.users.where(has2FA == false) { name realName }Ensure all channels have a set purpose
cnspec> slack.conversations.where( isChannel == true ) {
name
purpose['value'] != ""
}List all workspace admins and owners
cnspec> slack.users.admins { name realName isOwner }Ensure no deactivated users remain in the workspace
cnspec> slack.users.members.where( deleted == true ) { name realName }Check for externally shared channels
cnspec> slack.conversations.list.where( isExtShared == true ) { name isOrgShared }Continuously scan your fleet
To move beyond one-off scans, set up a Slack integration in Mondoo Platform. You get continuous monitoring across your Slack workspaces, a dashboard to track security posture over time, and integration with ticketing systems to manage remediation.
Learn more
-
To learn more about how the MQL query language works, read Write Effective MQL.
-
Explore the complete Mondoo Slack Resource Pack Reference.