Sentinel Slack Guard
Battle-tested hook for send, slack, notifications, claude. Includes structured workflows, validation checks, and reusable patterns for automation.
Validates Slack webhook integrity and message formatting before sending notifications, preventing malformed payloads and delivery failures.
When to Use This Hook
Attach this hook when you need to:
- Ensure all outgoing Slack notifications pass schema validation before delivery to prevent silent failures from malformed Block Kit payloads
- Guard against accidentally sending notifications with sensitive data by scanning message content before it reaches the Slack API
- Maintain a compliance audit trail of all Slack notification attempts with validation status for security review
Consider alternatives when:
- Your Slack integration is simple and uses only plain text messages that do not require Block Kit validation
- You already have a centralized notification service with its own validation layer that handles message formatting
Quick Start
Configuration
name: sentinel-slack-guard
type: hook
trigger: PreToolUse
category: automation
Example Trigger
# Any Bash command that sends a Slack notification:
curl -X POST "$SLACK_WEBHOOK_URL" -d '{"text":"deploy complete"}'
# Guard intercepts and validates before execution
Example Output
Sentinel Slack Guard: Validation Report
Webhook URL: Valid format (hooks.slack.com)
Payload Schema: Valid Block Kit structure
Content Scan: No sensitive patterns detected
Rate Limit Status: 18/30 requests remaining
Message Size: 1.2KB (within 4KB limit)
Decision: ALLOW - message will be delivered
Core Concepts
Slack Guard Overview
| Aspect | Details |
|---|---|
| Trigger Point | PreToolUse on Bash commands containing Slack webhook URLs |
| Validation Checks | URL format, payload schema, content scanning, rate limits |
| Sensitive Patterns | Scans for API keys, tokens, passwords, and PII in message content |
| Payload Limit | Slack messages must be under 4KB; guard warns at 3KB |
| Block Kit Validation | Checks required fields in header, section, and field blocks |
| Decision Outcomes | ALLOW (proceed), WARN (proceed with alert), BLOCK (exit code 2) |
Guard Validation Workflow
PreToolUse (Bash with Slack URL detected)
|
v
[Extract Slack payload from command]
|
v
[Validate webhook URL format]
|
v
[Check payload against Block Kit schema]
|
v
[Scan content for sensitive patterns]
|
v
[Check message size against limits]
|
v
[Evaluate rate limit headroom]
|
+--- All pass --> ALLOW
|
+--- Non-critical issue --> WARN + proceed
|
+--- Critical issue --> BLOCK (exit 2)
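The workflow above written out in Python, as an added illustration and not the hook's own code: it runs the URL, schema, content and size checks on a simple curl command and returns ALLOW, WARN or BLOCK. Assumptions: the function names, the `REQUIRED` rule set, failing closed when the payload cannot be extracted, and treating every failure except the 3 KB size warning as critical; the rate-limit step is omitted because it needs state shared across hooks.

```python
import json
import re
import shlex
from string import Template
from urllib.parse import urlparse

SENSITIVE = re.compile(r"(api_key|token|password|secret)", re.IGNORECASE)  # table default
MAX_PAYLOAD_SIZE, WARN_PAYLOAD_SIZE = 4096, 3072  # Configuration table defaults
REQUIRED = {"header": ("text",), "section": ("text", "fields")}  # assumed minimal rules

def extract(command, env):
    """Return (url, payload) from a simple curl command; $VAR is expanded for the URL only."""
    args = shlex.split(command)
    urls = [u for u in (Template(a).safe_substitute(env) for a in args) if u.startswith("http")]
    data = [args[i + 1] for i, a in enumerate(args[:-1])
            if a in ("-d", "--data", "--data-raw")]
    return (urls[0] if urls else None), (data[0] if data else None)

def schema_errors(body):
    """Header blocks need text; section blocks need text or fields."""
    if not isinstance(body, dict) or not ("text" in body or "blocks" in body):
        return ["payload needs 'text' or 'blocks'"]
    errors = []
    for i, block in enumerate(body.get("blocks", [])):
        need = REQUIRED.get(block.get("type"), ())
        if need and not any(key in block for key in need):
            errors.append(f"blocks[{i}] needs {' or '.join(need)}")
    return errors

def evaluate(command, env):
    """Return (decision, reasons); decision is ALLOW, WARN or BLOCK."""
    url, payload = extract(command, env)
    if url is None or payload is None:  # assumption: fail closed
        return "BLOCK", ["could not extract URL and payload"]
    critical, warnings = [], []
    target = urlparse(url)
    if target.scheme != "https" or target.hostname != "hooks.slack.com":
        critical.append("webhook URL is not https://hooks.slack.com")
    try:
        critical += schema_errors(json.loads(payload))
    except (ValueError, AttributeError, TypeError):  # bad JSON or wrong-typed blocks
        critical.append("payload is not valid JSON or Block Kit")
    if SENSITIVE.search(payload):
        critical.append("sensitive pattern in payload")
    size = len(payload.encode("utf-8"))
    if size > WARN_PAYLOAD_SIZE:
        (critical if size > MAX_PAYLOAD_SIZE else warnings).append(f"payload is {size} bytes")
    decision = "BLOCK" if critical else "WARN" if warnings else "ALLOW"
    return decision, critical or warnings
```

In a PreToolUse hook, a BLOCK result corresponds to the exit code 2 listed under Decision Outcomes.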
Configuration
| Parameter | Type | Default | Description |
|---|---|---|---|
| SLACK_WEBHOOK_URL | string | (required) | Slack webhook URL used for validation reference |
| sensitive_patterns | string | (api_key\|token\|password\|secret) | Regex patterns to scan for sensitive data in message payloads |
| max_payload_size | integer | 4096 | Maximum payload size in bytes before blocking the notification |
| warn_payload_size | integer | 3072 | Payload size threshold in bytes that triggers a size warning |
| validate_schema | boolean | true | Whether to validate Block Kit JSON structure against the Slack schema |
Best Practices
- Update sensitive patterns for your organization - The default regex covers common secret patterns but may miss organization-specific credentials like internal service tokens or custom API key formats. Add patterns matching your team's naming conventions for secrets.
- Log blocked messages for debugging - When the guard blocks a notification, save the sanitized payload to a local log file for debugging. This helps identify which part of the message triggered the block without requiring the developer to reproduce the exact scenario.
- Whitelist known-safe payload templates - If your hooks consistently send the same message structures, create a whitelist of approved payload templates. The guard can skip detailed validation for matching templates, reducing overhead on known-safe notifications.
- Test with malformed payloads intentionally - Periodically test the guard by sending intentionally malformed Block Kit payloads to verify the validation catches structural issues. This ensures the guard remains effective as Slack updates its Block Kit specification.
- Coordinate rate limit awareness across hooks - If multiple hooks send Slack notifications, the guard should track cumulative rate limit usage across all hooks. A single hook may be within limits while the aggregate exceeds them, causing intermittent delivery failures.
Common Issues
- Guard blocks legitimate notifications with false positive sensitive pattern matches - Common words in code context like "token" or "key" may appear in legitimate notification content. Refine the sensitive_patterns regex to require surrounding context like assignment operators or value formats rather than matching isolated keywords.
- Block Kit validation rejects valid Slack messages - Slack occasionally updates its Block Kit specification to support new block types. If the guard's schema is outdated, it may reject messages using new features. Update the validation schema when Slack announces Block Kit changes.
- Guard cannot parse payload from complex Bash commands - When Slack payloads are constructed using nested variable expansions or multi-line heredocs, the guard may fail to extract the JSON for validation. Simplify notification commands to use a clear JSON payload or pipe the payload from a file.
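One way to apply the first fix above, as an added Python example rather than the hook's own code: the page's default pattern beside a context-aware one that needs an assignment or a recognisable credential shape, plus masking so a blocked payload can be logged. The `CONTEXTUAL` pattern, the two credential shapes (Slack `xox?-` tokens, AWS `AKIA` key IDs), the function names and the sample strings in the comments are constructed for illustration.

```python
import re

# Page default: fires on the bare keyword anywhere in the message.
DEFAULT = re.compile(r"(api_key|token|password|secret)", re.IGNORECASE)

# Hypothetical refinement: keyword inside a name, then an assignment and a
# value of at least 8 characters, or a value with a known credential shape.
CONTEXTUAL = re.compile(
    r"""
    \b(?P<key>[\w-]*(?i:api_key|token|password|secret)[\w-]*)  # name with keyword
    \s*["']?\s*[:=]\s*["']?                                     # assignment operator
    (?P<value>[^\s"',;]{8,})                                    # assigned value
    |
    (?P<bare>xox[abprs]-[A-Za-z0-9-]{10,}|AKIA[0-9A-Z]{16})     # credential shapes
    """,
    re.VERBOSE,
)

def findings(text):
    """Return (label, value) for each contextual match in a message text."""
    out = []
    for m in CONTEXTUAL.finditer(text):
        if m.group("bare"):
            out.append(("credential-format", m.group("bare")))
        else:
            out.append((m.group("key").lower(), m.group("value")))
    return out

def sanitize(text):
    """Mask matched values so a blocked payload can be written to a log."""
    def mask(m):
        if m.group("bare"):
            return "[REDACTED]"
        # Keep the name and operator, drop only the value.
        return m.string[m.start():m.start("value")] + "[REDACTED]"
    return CONTEXTUAL.sub(mask, text)

# Constructed samples:
#   "Refresh token expired for build 4821, retrying"  -> DEFAULT fires, findings() is empty
#   "deploy failed: DB_PASSWORD=Sup3rS3cretValue"     -> one finding, value masked in the log
```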