Revive Slack challenge (challenge59) #2131

@commjoen

Description

We see various Slack integrations with hardcoded Slack keys in private repositories.
If an employee leaves and the key is not rotated, he can still influence Slack with it. Let's create a challenge where we inject Slack API keys as an env variable in our release and obfuscate it so that Slack does not detect it. Every time a challenge is completed, the app should post to Slack that someone completed a challenge.

So the challenge is about:

  1. create a script with which you can obtain a Slack webhook for the OWASP Slack
  2. have a build-arg with which we can put the Slack webhook into https://github.com/OWASP/wrongsecrets/blob/master/.github/scripts/docker-create.sh
  3. have a challenge where you need to extract the Slack webhook from the build env
  4. for every time a user completes a challenge, the current active Slack webhook should be called to inform Slack
