Webhook Exposure

Detects exposed webhook URLs with embedded tokens and secrets

5 rules in webhook_exposure.yml

CRITICAL: 1 | HIGH: 3 | MEDIUM: 1

Rule ID	Severity	Title	Description	Refs
`scim_endpoint_exposed_or_bearer_literal`	CRITICAL	SCIM Provisioning Endpoint Exposed Publicly Or Bearer-Token Literal	A task exposes a `/scim/v2/*` endpoint without an IP allowlist / mutual-TLS / WAF rule, or hard-codes the SCIM bearer token (`Authorization: Bearer ...` literal, `scim_token: eyJ...`). SCIM is the identity-sync firehose - a compromised SCIM endpoint lets an attacker provision admin accounts, disable MFA factors, and reset passwords for every user the IdP manages.	CWE-287 T1098.005 A07:2021 V6.2.1 AC-3 CIS-6.1
`discord_webhook_url`	HIGH	Discord Webhook URL with Token	discord(app).com/api/webhooks// is embedded in source. The token gives unrestricted post-as-the-bot access until rotated via the Discord server settings.	CWE-532 T1552.001 A07:2021 V13.2.3 AC-3 CIS-3.3
`slack_webhook_url`	HIGH	Slack Webhook URL with Token	hooks.slack.com/services///<24-char-secret> is embedded in source. Anyone with the URL can post messages as the bot, which is enough for phishing or social engineering.	CWE-532 T1552.001 A07:2021 V13.2.3 AC-3 CIS-3.3
`teams_webhook_url`	HIGH	Microsoft Teams Webhook URL	Microsoft Teams webhook URL contains embedded authentication	CWE-532 T1552.001 A07:2021 V13.2.3 AC-3 CIS-3.3
`generic_webhook_with_token`	MEDIUM	Generic Webhook URL with Token	An arbitrary `webhook` URL carries a `?token=` / `?secret=` / `?key=` query parameter with a 10+ char value. The credential is in clear text in any logs that record the URL.	CWE-532 T1552.001 A07:2021 V13.2.3 AC-3 CIS-3.3