smithy-security · northdpole · Aug 18, 2025 · Aug 18, 2025 · Aug 18, 2025
diff --git a/components/reporters/slack/README.md b/components/reporters/slack/README.md
@@ -1,7 +1,7 @@
 # slack
 
 This component implements a [reporter](https://github.com/smithy-security/smithy/blob/main/sdk/component/component.go)
-that sends a summary of results to slack.
+that sends a summary of results to slack and optionally creates detailed vulnerability threads.
 
 ## Environment variables
 
@@ -13,4 +13,55 @@ as well as the following:
 
 | Environment Variable       | Type   | Required | Default | Description                                                             |
 |----------------------------|--------|----------|---------|-------------------------------------------------------------------------|
-| SLACK\_WEBHOOK     | string | yes      | -       | The slack webhook to POST results to|
+| SLACK\_TOKEN       | string | no       | -       | The slack bot token (required for thread creation mode)|
+| SLACK\_CHANNEL     | string | no       | -       | The slack channel ID (required for thread creation mode)|
+| SLACK\_DEBUG       | bool   | no       | false   | Whether to enable debug logging for the slack client|
+
+## Operation
+
+* Uses `SLACK_TOKEN` and `SLACK_CHANNEL` for Web API access
+* Creates threads with detailed vulnerability information
+* Requires bot setup with appropriate permissions -- read on for details
+* Sends both summary and detailed findings
+
+## Bot Setup for Thread Creation
+
+To use thread creation mode, you need to:
+
+1. Create a Slack app in your workspace
+2. Add the following bot token scopes:
+   * `chat:write` - Send messages to channels
+   * `channels:read` - Read channel information
+3. Install the app to your workspace
+4. Invite the bot to the target channel
+5. Use the bot token as `SLACK_TOKEN`
+6. Use the channel ID as `SLACK_CHANNEL`
+
+## Example Configuration
+
+```yaml
+parameters:
+  - name: "slack_token"
+    type: "string"
+    value: "xoxb-your-bot-token"
+  - name: "slack_channel"
+    type: "string"
+    value: "C1234567890"
+  - name: "create_threads"
+    type: "bool"
+    value: "true"
+```
+
+## FAQ
+
+* Why do I need a bot token?
+  * The bot token is required for thread creation and sending messages to channels. It allows the app to interact with Slack's Web API.
+* Why do I need a channel ID?
+  * The channel ID is required to specify which channel the bot will send messages to. It ensures that the messages are delivered to the correct location.
+  * You can find the channel ID by right-clicking on the channel name in Slack and selecting "Copy Link". The ID is the part after `/archives/` in the URL.
+  * If you are using the Slack APP, the channel ID is located at the very bottom in the channel details pane.
+* Help, I created a token but it doesn't work!
+  * Make sure you have invited the bot to the channel you want to post in. The bot needs to be a member of the channel to send messages.
+  * Ensure that the bot has the necessary permissions (scopes) to send messages and create threads.
+  * Check that you are using the correct token and channel ID in your configuration.
+  * If you didn't add the correct permissions when creating the bot then you need to recreate the bot token and re-invite the bot to the channel. Slack docs do not mention this at the time of writing.
diff --git a/components/reporters/slack/cmd/main.go b/components/reporters/slack/cmd/main.go
@@ -3,13 +3,16 @@ package main
 import (
 	"context"
 	"log"
-	"net/http"
 	"time"
 
 	"github.com/go-errors/errors"
+	"github.com/smithy-security/pkg/retry"
 	"github.com/smithy-security/smithy/sdk/component"
 
+	componentlogger "github.com/smithy-security/smithy/sdk/logger"
+
 	"github.com/smithy-security/smithy/components/reporters/slack/internal/reporter"
+	"github.com/smithy-security/smithy/components/reporters/slack/internal/reporter/slack"
 )
 
 func main() {
@@ -25,16 +28,30 @@ func Main(ctx context.Context, opts ...component.RunnerOption) error {
 	opts = append(opts, component.RunnerWithComponentName("slack"))
 	config, err := reporter.NewConf(nil)
 	if err != nil {
-		return err
+		return errors.Errorf("failed to get config: %w", err)
+	}
+
+	config.SlackClientConfig.BaseClient, err = retry.NewClient(
+		retry.Config{
+			Logger: componentlogger.LoggerFromContext(ctx),
+		},
+	)
+	if err != nil {
+		return errors.Errorf("failed to create retry client: %w", err)
 	}
-	c := http.Client{}
-	slackLogger, err := reporter.NewSlackLogger(config, &c)
+
+	sl, err := slack.NewClient(ctx, config.SlackClientConfig)
+	if err != nil {
+		return errors.Errorf("failed to create slack client: %w", err)
+	}
+	slackReporter, err := reporter.NewSlackReporter(config, sl)
 	if err != nil {
-		return err
+		return errors.Errorf("failed to create slack reporter: %w", err)
 	}
+
 	if err := component.RunReporter(
 		ctx,
-		slackLogger,
+		slackReporter,
 		opts...,
 	); err != nil {
 		return errors.Errorf("could not run reporter: %w", err)

diff --git a/components/reporters/slack/component.yaml b/components/reporters/slack/component.yaml
@@ -5,9 +5,21 @@ parameters:
   - name: "slack_webhook"
     type: "string"
     value: ""
+  - name: "slack_token"
+    type: "string"
+    value: ""
+  - name: "slack_channel"
+    type: "string"
+    value: ""
+  - name: "debug"
+    type: "string"
+    value: "false"
 steps:
   - name: "slack"
     image: "components/reporters/slack"
     executable: "/bin/app"
     env_vars:
       SLACK_WEBHOOK: "{{ .parameters.slack_webhook }}"
+      SLACK_TOKEN: "{{ .parameters.slack_token }}"
+      SLACK_CHANNEL: "{{ .parameters.slack_channel }}"
+      SLACK_DEBUG: "{{ .parameters.debug }}"
diff --git a/components/reporters/slack/go.mod b/components/reporters/slack/go.mod
@@ -4,9 +4,13 @@ go 1.23.4
 
 require (
 	github.com/go-errors/errors v1.5.1
+	github.com/slack-go/slack v0.17.3
 	github.com/smithy-security/pkg/env v0.0.3
+	github.com/smithy-security/pkg/retry v0.0.3
+	github.com/smithy-security/pkg/utils v0.0.2
 	github.com/smithy-security/smithy/sdk v0.0.19-alpha
 	github.com/stretchr/testify v1.10.0
+	go.uber.org/mock v0.5.0
 	google.golang.org/protobuf v1.36.5
 )
 
@@ -20,12 +24,14 @@ require (
 	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/bmatcuk/doublestar v1.3.4 // indirect
+	github.com/cenkalti/backoff/v5 v5.0.2 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/go-openapi/inflect v0.21.2 // indirect
 	github.com/golang/mock v1.6.0 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
+	github.com/gorilla/websocket v1.5.3 // indirect
 	github.com/hashicorp/hcl/v2 v2.23.0 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
@@ -43,14 +49,12 @@ require (
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
-	github.com/smithy-security/pkg/utils v0.0.2 // indirect
 	github.com/spf13/cast v1.7.1 // indirect
 	github.com/sqlc-dev/sqlc v1.28.0 // indirect
 	github.com/urfave/cli/v2 v2.27.6 // indirect
 	github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
 	github.com/zclconf/go-cty v1.16.2 // indirect
 	github.com/zclconf/go-cty-yaml v1.1.0 // indirect
-	go.uber.org/mock v0.5.0 // indirect
 	golang.org/x/crypto v0.36.0 // indirect
 	golang.org/x/mod v0.24.0 // indirect
 	golang.org/x/net v0.37.0 // indirect

diff --git a/components/reporters/slack/go.sum b/components/reporters/slack/go.sum
@@ -28,6 +28,8 @@ github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oM
 github.com/bradleyjkemp/cupaloy/v2 v2.8.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
+github.com/cenkalti/backoff/v5 v5.0.2 h1:rIfFVxEf1QsI7E1ZHfp/B4DF/6QBAUhmgkxc0H7Zss8=
+github.com/cenkalti/backoff/v5 v5.0.2/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/containerd/continuity v0.4.3 h1:6HVkalIp+2u1ZLH1J/pYX2oBVXlJZvh1X1A7bEZ9Su8=
 github.com/containerd/continuity v0.4.3/go.mod h1:F6PTNCKepoxEaXLQp3wDAjygEnImnZ/7o4JzpodfroQ=
 github.com/cpuguy83/go-md2man/v2 v2.0.6 h1:XJtiaUW6dEEqVuZiMTn1ldk455QWwEIsMIJlo5vtkx0=
@@ -53,8 +55,8 @@ github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-openapi/inflect v0.21.2 h1:0gClGlGcxifcJR56zwvhaOulnNgnhc4qTAkob5ObnSM=
 github.com/go-openapi/inflect v0.21.2/go.mod h1:INezMuUu7SJQc2AyR3WO0DqqYUJSj8Kb4hBd7WtjlAw=
-github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68=
-github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
+github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U=
+github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
@@ -67,6 +69,8 @@ github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaU
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
+github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/hashicorp/hcl/v2 v2.23.0 h1:Fphj1/gCylPxHutVSEOf2fBOh1VE4AuLV7+kbJf3qos=
 github.com/hashicorp/hcl/v2 v2.23.0/go.mod h1:62ZYHrXgPoX8xBnzl8QzbWq4dyDsDtfCRgIq1rbJEvA=
 github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI=
@@ -127,8 +131,12 @@ github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp
 github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/slack-go/slack v0.17.3 h1:zV5qO3Q+WJAQ/XwbGfNFrRMaJ5T/naqaonyPV/1TP4g=
+github.com/slack-go/slack v0.17.3/go.mod h1:X+UqOufi3LYQHDnMG1vxf0J8asC6+WllXrVrhl8/Prk=
 github.com/smithy-security/pkg/env v0.0.3 h1:eZYRzzFAzWkAJ2OMMhEQr0xSL2mk6cOGpEqcR28QWXM=
 github.com/smithy-security/pkg/env v0.0.3/go.mod h1:VIJfDqeAbQQcmohaXcZI6grjeJC9Y8CmqR4ITpdngZE=
+github.com/smithy-security/pkg/retry v0.0.3 h1:Zcea0m13C7tO+OehN3bU9Spz4wW6P0Ok6pqNi52qCg4=
+github.com/smithy-security/pkg/retry v0.0.3/go.mod h1:etMizy7PyMKk6EFDRAjjTEwqCEriuNmIrhV/aSs6Xho=
 github.com/smithy-security/pkg/utils v0.0.2 h1:r1Gz5eki8xUJXShw4i5ZaizkiKgZlYNYtKE2PDwpoHQ=
 github.com/smithy-security/pkg/utils v0.0.2/go.mod h1:bzCtRv/q9BdCrALRkcWWW3y8DzugbZrEQPwgZ/iepig=
 github.com/smithy-security/smithy/sdk v0.0.19-alpha h1:c+DKDLMNmv6dMu2QQyLUou/Rxx+4c73aO8jmEEK16Pw=