Slack integration
Noxen posts a Slack message to your channel of choice after every scheduled scan that produces findings above your configured severity threshold. Messages use Slack's Block Kit format with a severity-flagged header, the count breakdown, and a top-5 list of the most severe findings.
What gets sent
Noxen detects Slack by URL (hooks.slack.com) and posts a Block Kit message with a header block plus an mrkdwn section. The text field is set as the notification fallback so phone push notifications still render a useful preview. A representative payload looks roughly like:
{
  "text": "🔥 Noxen scan — db-01.prod.example",
  "blocks": [
    {
      "type": "header",
      "text": {
        "type": "plain_text",
        "text": "🔥 Noxen scan — db-01.prod.example"
      }
    },
    {
      "type": "section",
      "text": {
        "type": "mrkdwn",
        "text": "*1 critical* · 2 high · 3 medium · 1 low\n:warning: 7 new CVE(s) since last scan\n\n```\n• [CRITICAL] CVE-2024-6387 — openssh-server\n• [HIGH] CVE-2024-3094 — xz-utils\n• [HIGH] Grafana (exposed admin surface)\n```"
      }
    }
  ]
}
The header emoji reflects the highest severity in the scan (critical / high / medium / low), so on-call can triage from the channel sidebar without opening the message.
Setup
- Create an Incoming Webhook in Slack: api.slack.com/apps → Create New App → From scratch → enable Incoming Webhooks → Add New Webhook to Workspace. Pick the channel. Copy the URL (it looks like https://hooks.slack.com/services/T.../B.../...).
- In Noxen: Settings → Webhooks → Add. Paste the URL. Noxen auto-detects Slack from the host and switches to Block Kit formatting.
- Choose a severity threshold (see below). Hit Send test payload to confirm delivery. Save.
Severity thresholds
Each webhook has its own threshold, so you can wire critical-only alerts into #incidents and a noisier all-findings stream into #noxen-firehose. Options are Critical only, Critical + High, Critical + High + Medium, or All findings. The webhook fires only when the scan produces at least one finding at or above the threshold; clean scans stay silent.
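The host detection, threshold gate and message layout described above, sketched in Python as an added example (not Noxen's own code). The function names, the exact-host and HTTPS checks, and the header emoji for high, medium and low are assumptions; the sample findings are constructed around the payload shown earlier.

```python
from urllib.parse import urlsplit

SEVERITIES = ["critical", "high", "medium", "low"]  # most severe first
# Only the fire emoji (critical) is shown on the page; the others are assumed.
HEADER_EMOJI = {"critical": "\U0001F525", "high": "\U0001F7E0",
                "medium": "\U0001F7E1", "low": "\U0001F535"}
FENCE = "`" * 3  # mrkdwn code fence, built this way to keep the listing clean


def is_slack_webhook(url):
    """Exact-host match over HTTPS. A substring test would also accept
    look-alike hosts such as hooks.slack.com.example.net."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname == "hooks.slack.com"


def build_payload(host, findings, threshold):
    """findings: list of (severity, title) pairs. Returns a Block Kit
    payload, or None when no finding is at or above the threshold."""
    rank = SEVERITIES.index
    if not any(rank(sev) <= rank(threshold) for sev, _ in findings):
        return None  # clean and below-threshold scans stay silent
    ordered = sorted(findings, key=lambda f: rank(f[0]))  # stable, worst first
    title = f"{HEADER_EMOJI[ordered[0][0]]} Noxen scan \u2014 {host}"
    counts = [f"{sum(s == sev for s, _ in findings)} {sev}" for sev in SEVERITIES]
    counts[0] = f"*{counts[0]}*"  # the sample payload bolds the critical count
    top5 = "\n".join(f"\u2022 [{s.upper()}] {t}" for s, t in ordered[:5])
    body = " \u00b7 ".join(counts) + f"\n\n{FENCE}\n{top5}\n{FENCE}"
    return {
        "text": title,  # notification fallback for push previews
        "blocks": [
            {"type": "header", "text": {"type": "plain_text", "text": title}},
            {"type": "section", "text": {"type": "mrkdwn", "text": body}},
        ],
    }

# Constructed scan result; three titles are taken from the payload on this page.
SAMPLE = [
    ("high", "CVE-2024-3094 \u2014 xz-utils"),
    ("medium", "constructed finding A"),
    ("critical", "CVE-2024-6387 \u2014 openssh-server"),
    ("high", "Grafana (exposed admin surface)"),
    ("low", "constructed finding B"),
    ("medium", "constructed finding C"),
    ("medium", "constructed finding D"),
]

if __name__ == "__main__":
    print(build_payload("db-01.prod.example", SAMPLE, "high"))
```

The sketch omits the "new CVE(s) since last scan" line, which depends on state from the previous scan.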
When alerts fire
Alerts fire on scan completion, not in real time. Noxen runs scheduled scans (nightly by default) plus any manual or batch scans you trigger. If the scan produces findings above the threshold, the webhook delivers within a few seconds of the scan finishing. Noxen retries on 5xx and 429 responses with exponential backoff, so Slack outages won't drop your alerts.
What it doesn't do
- No two-way commands. Noxen is one-way alerting: you can't reply /ack in the thread to mark a finding handled.
- No interactive bot. There's no slash command, no message actions, no Slack App listing. It's purely an Incoming Webhook poster.
- No real-time CVE alerts. Noxen alerts on scan completion, so coverage of a freshly-disclosed CVE is bounded by your scan schedule.
Slack webhooks unlock at the Live Feed tier ($19/month). See the integrations hub for the other supported destinations, or features for the full check catalogue.