eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/docs/reference/services/kingfisher.md
Erich Blume f9206bf10b
All checks were successful
Build Container / detect (push) Successful in 2s
Details
Build Container / build-nix (kingfisher) (push) Successful in 12s
Details
Build custom Kingfisher container from sporked deploy branch (#318) 
## Summary

- Add Dockerfile for Kingfisher built from source (sporked deploy branch)
- Multi-stage: Rust build with Boost/vectorscan, debian-slim runtime
- Switch CronJob from upstream `ghcr.io/mongodb/kingfisher` to `registry.ops.eblu.me/blumeops/kingfisher`
- Add kingfisher to service-versions.yaml (version tracks upstream main SHA)
- Document spork workflow in CLAUDE.md

## Test plan

- [ ] Build container: `mise run container-build-and-release kingfisher 1d37d29`
- [ ] Verify image on registry: `mise run container-list`
- [ ] Update kustomization newTag
- [ ] Sync ArgoCD kingfisher app from branch
- [ ] Trigger manual CronJob and verify scan completes
- [ ] Verify reports on sifaka

Reviewed-on: #318
2026-03-30 06:34:49 -07:00

2.4 KiB
Raw Blame History

title modified last-reviewed tags
Kingfisher 2026-03-28 2026-03-28
service
security

Kingfisher

Secret detection and live validation scanner for Forgejo repositories, using MongoDB's open-source Kingfisher tool.

Quick Reference

Property Value
Namespace kingfisher
Image registry.ops.eblu.me/blumeops/kingfisher (see argocd/manifests/kingfisher/kustomization.yaml for current tag)
Schedule Sunday 4am (after Prowler k8s scan at 3am)
Reports sifaka:/volume1/reports/kingfisher/ (NFS)
Manifests argocd/manifests/kingfisher/
Upstream forge.eblu.me/mirrors/kingfisher (GitHub mirror)

What it does

Runs as a weekly CronJob that scans all Forgejo repos (eblume + all orgs) for leaked secrets, API keys, and credentials. Produces timestamped HTML reports on the sifaka NFS share. Uses --clone-url-base to route git clones via the internal tailnet instead of the public Fly.io proxy.

Uses the Forgejo/Gitea API to enumerate repos, then clones and scans each one. Validation is enabled (secrets are tested against their respective APIs to confirm they're live). Reports are HTML only.

Pre-commit hook

Kingfisher also runs as a prek hook alongside TruffleHog for comparative secret detection coverage. The hook uses --staged mode (only checks staged files) with validation disabled for fast, offline-safe commits.

Known false positives

  • Postgres URL with op:// template — 1Password External Secrets template references match the postgres connection string pattern. Not a real credential.
  • GitHub legacy secret key in .git/ — git commit SHAs are 40-char hex strings matching the old GitHub PAT format. Only appears in full-repo scans, not --staged mode.

Ad-hoc scan

kubectl create job --from=cronjob/kingfisher kingfisher-manual -n kingfisher --context=minikube-indri
kubectl logs -f job/kingfisher-manual -n kingfisher --context=minikube-indri

Limitations

  • Built from a spork-strategy fork with a local --clone-url-base patch. See build-spork-container for the build process.
  • Only one output format per invocation. Currently producing HTML only.

See also