Security question/ask. We recently started using ...
# pulumi-cloud
m
Security question/ask. We recently started using the webhook feature (love it). We use the Slack integration - can you please not display the Slack URL after it's configured? (i.e. make it write-once only) Since the Slack URL is https encoded with a secret, any user of the Pulumi organization can read it now and spoof messages. (low risk since this is just Pulumi updates, but just a best practice) In the image below you can see the full URL:
image.png
b
this is good feedback Sam, I’ll share it with the team
m
FWIW Slack doesn’t do a great job at explaining maybe if some part of the URL can be revealed for matching purposes and any other part should be redacted but 🤷
ChatGPT says it's the last part that is the secret :-))))
Maybe just mask it then