Secrets — Webhooks & Signed URLs

Slack/Teams/Discord webhook URLs and signed URLs with embedded secrets.

All rules in this category are kind secrets. They run under vulnetix secrets and the secrets stage of vulnetix scan.

Rule ID	Name	Severity	Detection
VNX-SEC-099	Zapier webhook URL	High	keyword + regex
VNX-SEC-180	Cloudflare Workers / Pages deploy webhook URL	Medium	keyword + regex
VNX-SEC-417	Discord webhook URL	High	keyword + regex
VNX-SEC-457	Microsoft Teams incoming webhook URL (Power Automate)	High	keyword + regex

Remediation

Rotate any exposed credential immediately, remove it from source, and load it from a secrets manager or environment variable instead. Purge it from git history with git filter-repo. See CWE-798 and the OWASP Secrets Management Cheat Sheet.