Slack’s API is a stateful, event-driven system that fundamentally misunderstands your intention when sending alerts.
Let’s get Aqua Security alerts into Slack. Aqua has a robust alerting mechanism, and Slack is where teams often live. The bridge between them is a webhook.
First, in Slack, we need an "app" to receive messages. Go to api.slack.com/apps, click "Create New App", choose "From scratch", name it (e.g., "Aqua Alerts"), and select your workspace.
Next, enable "Incoming Webhooks". Toggle it on. Click "Add New Webhook to Workspace" and choose the channel you want Aqua alerts to land in. Slack will grant your webhook a URL, something like https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX. Copy this URL. This is your secret handshake with Slack: the URL is the only credential the webhook has, so anyone who obtains it can post messages into that channel, and it should be stored and shared like any other secret.
Now, on the Aqua Security platform, navigate to "Alerts" -> "Integrations". Click "Add Integration". Select "Slack". You’ll see a form.
The critical fields are:
- Slack Webhook URL: Paste the URL you copied from Slack here.
- Channel: This is optional if you specified a channel when creating the webhook in Slack. If you want to override it or if you didn’t specify one in Slack, enter the channel name here (e.g., #aqua-alerts).
- Alert Severity: Choose which severities (Critical, High, Medium, Low, Informational) should trigger an alert. For a start, let’s send Critical and High.
- Enabled: Toggle this to On.
Click "Test" to send a sample alert. If it works, you’ll see a test message in your Slack channel. Click "Save".
Now, let’s configure what triggers an alert. Go to "Alerts" -> "Alert Rules". You can create new rules or modify existing ones. A common scenario is to alert on high-severity vulnerabilities.
Let’s create a rule for critical vulnerabilities:
- Click "Add Rule".
- Name: Critical Vulnerability Alert
- Description: Alerts on any newly discovered critical vulnerability.
- Trigger: Under "Vulnerabilities", select Severity is Critical.
- Actions: Select the "Slack" integration you just configured.
- Enabled: On.
Save this rule.
The real power comes from combining these. You can set up rules for compliance violations, misconfigurations, or any other event Aqua monitors. For instance, you could create a rule that alerts on Kubernetes audit log events Aqua classifies as a critical security risk.
The message format in Slack is templated. You can customize this in the Slack integration settings. By default, it includes the alert name, severity, a link to the alert in Aqua, and relevant details. For example:
{
  "attachments": [
    {
      "fallback": "Critical: High Severity Vulnerability Found in image ubuntu:latest",
      "color": "#FF0000",
      "title": "Critical: High Severity Vulnerability Found",
      "title_link": "https://<your-aqua-console-url>/alerts/12345",
      "text": "Image: ubuntu:latest\nVulnerability: CVE-2023-12345\nSeverity: Critical\nDescription: A critical vulnerability was discovered in the ubuntu:latest image.",
      "fields": [
        {
          "title": "Image ID",
          "value": "sha256:abcdef123456",
          "short": true
        },
        {
          "title": "Package",
          "value": "openssl",
          "short": true
        }
      ],
      "footer": "Aqua Security",
      "ts": 1678886400
    }
  ]
}
This JSON structure is what Aqua sends to the Slack webhook. The color field corresponds to severity (red for critical, orange for high, etc.). The text and fields are populated with data from the specific alert.
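To make the two pieces above concrete, here is an added example (not Aqua's or Slack's code) that applies the severity filter from the integration form (forward only Critical and High) and builds an attachment in the same shape as the sample payload, then posts it to the webhook with only the standard library. The severity-to-colour hex values, the alert dictionary layout, the console URL and the sample alerts are all assumptions constructed for the example; the webhook URL is read from an environment variable so it never lands in source control, and the poster refuses any URL that is not an HTTPS URL on hooks.slack.com.

```python
import json
import os
import urllib.request
from urllib.parse import urlparse

# Severity -> attachment colour (red for critical, orange for high, as described
# above; the other hex values are an assumption for this example).
SEVERITY_COLORS = {"Critical": "#FF0000", "High": "#FFA500",
                   "Medium": "#FFFF00", "Low": "#36A64F", "Informational": "#439FE0"}

# Severities the integration is configured to forward (Critical and High).
FORWARDED_SEVERITIES = {"Critical", "High"}


def is_valid_webhook_url(url):
    """Accept only HTTPS URLs on Slack's webhook host, so a typo or a tampered
    configuration cannot send alert contents to some other host."""
    p = urlparse(url)
    return (p.scheme == "https" and p.hostname == "hooks.slack.com"
            and p.path.startswith("/services/"))


def build_payload(alert, console_url):
    """Build a Slack attachment in the same shape as the sample payload above."""
    severity = alert["severity"]
    title = f"{severity}: {alert['title']}"
    text = "\n".join([f"Image: {alert['image']}",
                      f"Vulnerability: {alert['cve']}",
                      f"Severity: {severity}",
                      f"Description: {alert['description']}"])
    return {"attachments": [{
        "fallback": f"{title} in image {alert['image']}",
        "color": SEVERITY_COLORS.get(severity, "#808080"),
        "title": title,
        "title_link": f"{console_url}/alerts/{alert['id']}",
        "text": text,
        "fields": [
            {"title": "Image ID", "value": alert["image_id"], "short": True},
            {"title": "Package", "value": alert["package"], "short": True},
        ],
        "footer": "Aqua Security",
        "ts": alert["ts"],
    }]}


def post_to_slack(webhook_url, payload, timeout=10):
    """POST the payload as JSON; Slack answers HTTP 200 with a bare 'ok' body."""
    if not is_valid_webhook_url(webhook_url):
        raise ValueError("refusing to post: not a Slack incoming-webhook URL")
    req = urllib.request.Request(webhook_url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"},
                                 method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8")


# Constructed sample alerts (not real Aqua output); one passes the filter, one does not.
SAMPLE_ALERTS = [
    {"id": 12345, "severity": "Critical", "title": "Vulnerability Found",
     "image": "ubuntu:latest", "image_id": "sha256:abcdef123456",
     "cve": "CVE-2023-12345", "package": "openssl", "ts": 1678886400,
     "description": "A critical vulnerability was discovered in the ubuntu:latest image."},
    {"id": 12346, "severity": "Low", "title": "Vulnerability Found",
     "image": "alpine:3.18", "image_id": "sha256:0123456789ab",
     "cve": "CVE-2023-00000", "package": "busybox", "ts": 1678886460,
     "description": "Constructed low-severity finding that should be filtered out."},
]


def forward_alerts(alerts, console_url, webhook_url=None):
    """Return the payloads that pass the severity filter; post them only when a
    webhook URL is supplied, so the filtering and formatting can be checked offline."""
    sent = []
    for alert in alerts:
        if alert.get("severity") not in FORWARDED_SEVERITIES:
            continue
        payload = build_payload(alert, console_url)
        if webhook_url:
            post_to_slack(webhook_url, payload)
        sent.append(payload)
    return sent


if __name__ == "__main__":
    url = os.environ.get("SLACK_WEBHOOK_URL")  # unset -> dry run, just print payloads
    for p in forward_alerts(SAMPLE_ALERTS, "https://aqua.example.internal", url):
        print(json.dumps(p, indent=2))
```

Run it without SLACK_WEBHOOK_URL set to see the generated payloads; set the variable to the URL copied from Slack to actually deliver them. The host check in is_valid_webhook_url is deliberately strict (an exact hostname match, not a substring), because the payload carries image names, package names and CVE ids that you would not want delivered to a look-alike domain if the configured URL were ever altered.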
The most surprising part is that Aqua doesn’t push alerts into Slack through any persistent connection or Slack API session; each alert is a single HTTP POST request to the webhook URL Slack provided. Slack then processes that request and displays the message. This means your Aqua console needs outbound network access to hooks.slack.com. If you’re running Aqua behind a strict firewall, ensure egress traffic to hooks.slack.com on port 443 (HTTPS) is permitted; a blocked or failing POST means the alert is silently lost on the Slack side, so the "Test" button in the integration form is the quickest way to confirm the path is open.
The next hurdle is understanding how to filter alerts effectively to avoid notification fatigue.