eblume/kingfisher
1
0
Fork 0
forked from mirrors/kingfisher
Code Pull requests Activity Actions
kingfisher/tests/int_validation_cache.rs

314 lines
11 KiB
Rust
Raw Permalink Normal View History

preparing for v1.12
2025-06-24 17:17:16 -07:00
// tests/int_validation_cache.rs
use std::{
fs,
sync::{
Arc, Mutex,
performance improvements and rule improvements
2026-04-17 16:53:21 -07:00
atomic::{AtomicUsize, Ordering},
preparing for v1.12
2025-06-24 17:17:16 -07:00
},
};
use anyhow::Result;
use kingfisher::{
cli::{
performance improvements and rule improvements
2026-04-17 16:53:21 -07:00
GlobalArgs,
preparing for v1.12
2025-06-24 17:17:16 -07:00
commands::{
Added first-class Azure Repos support, including CLI commands, enumeration, and documentation updates
2025-10-04 23:12:28 -07:00
azure::AzureRepoType,
Added support for BitBucket
2025-09-22 18:21:03 -07:00
bitbucket::{BitbucketAuthArgs, BitbucketRepoType},
Added support for Gitea
2025-09-23 13:07:45 -07:00
gitea::GiteaRepoType,
preparing for v1.12
2025-06-24 17:17:16 -07:00
github::{GitCloneMode, GitHistoryMode, GitHubRepoType},
gitlab::GitLabRepoType,
inputs::{ContentFilteringArgs, InputSpecifierArgs},
output::{OutputArgs, ReportOutputFormat},
rules::RuleSpecifierArgs,
scan::{ConfidenceLevel, ScanArgs},
},
preparing for v1.78.0
2026-02-02 23:22:08 -08:00
global::{Mode, TlsMode},
preparing for v1.12
2025-06-24 17:17:16 -07:00
},
findings_store::FindingsStore,
rule_loader::RuleLoader,
rules_database::RulesDatabase,
scanner::run_async_scan,
updated tests
2025-11-24 11:08:31 -08:00
update::UpdateStatus,
preparing for v1.12
2025-06-24 17:17:16 -07:00
};
use tempfile::TempDir;
use url::Url;
use wiremock::{
Mock, MockServer, Request, ResponseTemplate,
performance improvements and rule improvements
2026-04-17 16:53:21 -07:00
matchers::{method, path},
preparing for v1.12
2025-06-24 17:17:16 -07:00
};
#[tokio::test]
async fn test_validation_cache_and_depvars() -> Result<()> {
/* --------------------------------------------------------- *
* 1. Spin-up Wiremock and count incoming validation calls *
* --------------------------------------------------------- */
let server = MockServer::start().await;
let hit_counter = Arc::new(AtomicUsize::new(0));
let counter_clone = Arc::clone(&hit_counter);
Mock::given(method("GET"))
.and(path("/validate"))
.respond_with(move |_req: &Request| {
counter_clone.fetch_add(1, Ordering::SeqCst);
ResponseTemplate::new(200).set_body_string("ok")
})
.mount(&server)
.await;
/* --------------------------------------------------------- *
* 2. Synthetic rules exercising depends_on_rule + HTTP val *
* --------------------------------------------------------- */
let rules_yaml = format!(
r#"
rules:
- name: Demo API Key
id: demo.key.1
pattern: '(demokey_[a-z0-9]{{8}})'
confidence: low
min_entropy: 0.0
- name: Demo API Key Validation
id: demo.key.validation.1
depends_on_rule:
- rule_id: demo.key.1
variable: TOKEN
pattern: '(demokey_[a-z0-9]{{8}})'
confidence: low
validation:
type: Http
content:
request:
method: GET
url: '{base}/validate?token={{ {{ TOKEN }} }}'
Fixed malformed rules. Now validating that response_matcher is present in validation section of all rules
2025-06-25 23:29:46 -07:00
response_matcher:
- report_response: true
- type: WordMatch
words:
- '"error_code":"403003"'
negative: true
preparing for v1.12
2025-06-24 17:17:16 -07:00
"#,
base = server.uri()
);
/* --------------------------------------------------------- *
* 3. Temp workspace: rules file + input with 2 duplicates *
* --------------------------------------------------------- */
let work_dir = TempDir::new()?;
let rules_file = work_dir.path().join("demo.yml");
fs::write(&rules_file, rules_yaml)?;
let secret_file = work_dir.path().join("secrets.txt");
fs::write(&secret_file, "demokey_abcdefgh\ndemokey_abcdefgh")?;
/* --------------------------------------------------------- *
* 4. Build Scan / Global args (no_dedup=true to keep dups) *
* --------------------------------------------------------- */
let scan_args = ScanArgs {
num_jobs: 2,
rules: RuleSpecifierArgs {
rules_path: vec![work_dir.path().to_path_buf()],
rule: vec!["all".into()],
load_builtins: false,
},
input_specifier_args: InputSpecifierArgs {
path_inputs: vec![secret_file.clone()],
git_url: Vec::new(),
v1.73.0
2026-01-01 22:24:57 -08:00
git_clone_dir: None,
keep_clones: false,
repo_clone_limit: None,
include_contributors: false,
preparing for v1.12
2025-06-24 17:17:16 -07:00
github_user: Vec::new(),
github_organization: Vec::new(),
Added --github-exclude and --gitlab-exclude options to skip specific repositories when scanning or listing GitHub and GitLab sources, including support for gitignore-style glob patterns
2025-09-15 21:26:51 -07:00
github_exclude: Vec::new(),
preparing for v1.12
2025-06-24 17:17:16 -07:00
all_github_organizations: false,
github_api_url: Url::parse("https://api.github.com/").unwrap(),
github_repo_type: GitHubRepoType::Source,
// new GitLab defaults
gitlab_user: Vec::new(),
gitlab_group: Vec::new(),
Added --github-exclude and --gitlab-exclude options to skip specific repositories when scanning or listing GitHub and GitLab sources, including support for gitignore-style glob patterns
2025-09-15 21:26:51 -07:00
gitlab_exclude: Vec::new(),
preparing for v1.12
2025-06-24 17:17:16 -07:00
all_gitlab_groups: false,
gitlab_api_url: Url::parse("https://gitlab.com/").unwrap(),
gitlab_repo_type: GitLabRepoType::Owner,
- Added support for scanning gitlab subgroups, with 'kingfisher scan --gitlab-group my-group --gitlab-include-subgroups'
2025-08-14 09:25:18 -07:00
gitlab_include_subgroups: false,
Added support for Gitea
2025-09-23 13:07:45 -07:00
- Added first-class Hugging Face scanning support, including CLI enumeration, token authentication, and integration with remote scans. - Condensed GitError formatting to report the exit status and the first informative lines from stdout/stderr, producing concise git clone failure logs. - Added support for scanning Google Cloud Storage buckets via --gcs-bucket, including optional prefixes and service-account authentication. - Added --skip-aws-account (now accepting comma-separated values) and --skip-aws-account-file to bypass live AWS validation for known canary/honey-token account IDs without triggering alerts. Kingfisher now ships with several canary AWS account IDs pre-seeded in the skip list and now reports matching findings as "Not Attempted" with the "Response" containing "(skip list entry)" so its clear that validation was intentionally skipped and why.
2025-10-15 22:47:40 -07:00
huggingface_user: Vec::new(),
huggingface_organization: Vec::new(),
huggingface_model: Vec::new(),
huggingface_dataset: Vec::new(),
huggingface_space: Vec::new(),
huggingface_exclude: Vec::new(),
Added support for Gitea
2025-09-23 13:07:45 -07:00
gitea_user: Vec::new(),
gitea_organization: Vec::new(),
gitea_exclude: Vec::new(),
all_gitea_organizations: false,
gitea_api_url: Url::parse("https://gitea.com/api/v1/").unwrap(),
gitea_repo_type: GiteaRepoType::Source,
Added support for BitBucket
2025-09-22 18:21:03 -07:00
bitbucket_user: Vec::new(),
bitbucket_workspace: Vec::new(),
bitbucket_project: Vec::new(),
bitbucket_exclude: Vec::new(),
all_bitbucket_workspaces: false,
bitbucket_api_url: Url::parse("https://api.bitbucket.org/2.0/").unwrap(),
bitbucket_repo_type: BitbucketRepoType::Source,
bitbucket_auth: BitbucketAuthArgs::default(),
preparing for v1.12
2025-06-24 17:17:16 -07:00
Added first-class Azure Repos support, including CLI commands, enumeration, and documentation updates
2025-10-04 23:12:28 -07:00
azure_organization: Vec::new(),
azure_project: Vec::new(),
azure_exclude: Vec::new(),
all_azure_projects: false,
azure_base_url: Url::parse("https://dev.azure.com/").unwrap(),
azure_repo_type: AzureRepoType::Source,
Added support for scanning issues returned from a JQL search using --jira-url and --jql
2025-07-25 17:21:28 -07:00
jira_url: None,
jql: None,
Add Jira comment and changelog scanning
2026-02-28 11:13:00 -07:00
jira_include_comments: false,
jira_include_changelog: false,
Added support for scanning Confluence pages
2025-08-10 21:51:31 -07:00
confluence_url: None,
cql: None,
WIP: Adding support for scanning Docker images
2025-07-27 12:20:20 -07:00
max_results: 100,
Added support for Slack
2025-07-29 19:00:49 -07:00
slack_query: None,
slack_api_url: Url::parse("https://slack.com/api/").unwrap(),
added Teams support
2026-03-13 17:39:34 -07:00
teams_query: None,
teams_api_url: Url::parse("https://graph.microsoft.com/").unwrap(),
Added first-class **Postman** scanning target: new kingfisher scan postman subcommand (and equivalent --postman-* flags) fetches workspaces, collections, and environments via the Postman API and scans them for hard-coded credentials in request auth blocks, pre-request/test scripts, saved example responses, and — notably — secret-typed environment variables, which the API returns in plaintext despite the UI mask. Selectors: --workspace, --collection, --environment, --all, with optional --include-mocks-monitors and --api-url for self-hosted endpoints. Authenticates via KF_POSTMAN_TOKEN (or POSTMAN_API_KEY) sent as X-Api-Key; honors X-RateLimit-RetryAfter on 429s. Findings link back to https://go.postman.co/... URLs in reports.
2026-04-29 08:12:08 -07:00
postman_workspaces: Vec::new(),
postman_collections: Vec::new(),
postman_environments: Vec::new(),
postman_all: false,
postman_include_mocks_monitors: false,
postman_api_url: Url::parse("https://api.getpostman.com/").unwrap(),
-Added support for scanning AWS S3 buckets via --s3-bucket and optional --s3-prefix - Added --role-arn and --aws-local-profile flags for S3 authentication alongside KF_AWS_KEY/KF_AWS_SECRET
2025-08-02 20:40:16 -07:00
// s3
s3_bucket: None,
s3_prefix: None,
role_arn: None,
aws_local_profile: None,
- Added first-class Hugging Face scanning support, including CLI enumeration, token authentication, and integration with remote scans. - Condensed GitError formatting to report the exit status and the first informative lines from stdout/stderr, producing concise git clone failure logs. - Added support for scanning Google Cloud Storage buckets via --gcs-bucket, including optional prefixes and service-account authentication. - Added --skip-aws-account (now accepting comma-separated values) and --skip-aws-account-file to bypass live AWS validation for known canary/honey-token account IDs without triggering alerts. Kingfisher now ships with several canary AWS account IDs pre-seeded in the skip list and now reports matching findings as "Not Attempted" with the "Response" containing "(skip list entry)" so its clear that validation was intentionally skipped and why.
2025-10-15 22:47:40 -07:00
gcs_bucket: None,
gcs_prefix: None,
gcs_service_account: None,
WIP: Adding support for scanning Docker images
2025-07-27 12:20:20 -07:00
// Docker image scanning
docker_image: Vec::new(),
add docker --archive support
2026-05-28 13:54:59 -07:00
docker_archive: Vec::new(),
preparing for v1.12
2025-06-24 17:17:16 -07:00
// git clone / history options
git_clone: GitCloneMode::Bare,
git_history: GitHistoryMode::Full,
commit_metadata: true,
- Added '--repo-artifacts' flag to scan repository issues, gists/snippets, and wikis when cloning via '--git-url'
2025-08-20 20:41:11 -07:00
repo_artifacts: false,
scan_nested_repos: true,
Added diff-only Git scanning via --since-commit and --branch, including remote-aware ref resolution so CI jobs can pair --git-url clones with pull request branches
2025-09-16 14:20:43 -07:00
since_commit: None,
branch: None,
- Fixed local filesystem scans to keep open_path_as_is enabled when opening Git repositories and only disable it for diff-based scans. - Created Linux and Windows specific installer script - Updated diff-focused scanning so --branch-root-commit can be provided alongside --branch, letting you diff from a chosen commit while targeting a specific branch tip (still defaulting back to the --branch ref when the commit is omitted).
2025-10-25 17:12:51 -07:00
branch_root: false,
branch_root_commit: None,
Updated precommit behavior and docs
2025-12-09 12:56:55 -08:00
staged: false,
preparing for v1.12
2025-06-24 17:17:16 -07:00
},
content_filtering_args: ContentFilteringArgs {
max_file_size_mb: 25.0,
extraction_depth: 2,
no_binary: true,
no_extract_archives: false,
Added baseline feature with --baseline-file and --manage-baseline flags. Introduced --exclude option for skipping paths
2025-07-14 13:18:24 -07:00
exclude: Vec::new(), // Exclude patterns
preparing for v1.12
2025-06-24 17:17:16 -07:00
},
confidence: ConfidenceLevel::Low,
no_validate: false,
- Reduced per-match memory usage by compacting stored source locations and interning repeated capture names. - Stored optional validation response bodies as boxed strings to avoid allocating empty payloads and to streamline validator caches. - Parallelized git cloning based on the configured job count and begin scanning repositories as soon as each clone finishes to reduce end-to-end scan times. - Combined per-repository results into a single aggregate summary after scans complete. - Added initial access-map support and report viewer html file. Currently beta features.
2025-12-04 22:02:30 -08:00
access_map: false,
preparing for v1.12
2025-06-24 17:17:16 -07:00
rule_stats: false,
only_valid: false,
min_entropy: Some(0.0),
redact: false,
git_repo_timeout: 1800, // 30 minutes
output_args: OutputArgs { output: None, format: ReportOutputFormat::Pretty },
no_dedup: true, // keep duplicates so the cache is stressed
v1.73.0
2026-01-01 22:24:57 -08:00
view_report: false,
Added baseline feature with --baseline-file and --manage-baseline flags. Introduced --exclude option for skipping paths
2025-07-14 13:18:24 -07:00
baseline_file: None,
manage_baseline: false,
Added '--skip-regex' and '--skip-word' flags to ignore secrets matching custom patterns or skipwords
2025-08-19 19:18:25 -07:00
skip_regex: Vec::new(),
skip_word: Vec::new(),
- Added first-class Hugging Face scanning support, including CLI enumeration, token authentication, and integration with remote scans. - Condensed GitError formatting to report the exit status and the first informative lines from stdout/stderr, producing concise git clone failure logs. - Added support for scanning Google Cloud Storage buckets via --gcs-bucket, including optional prefixes and service-account authentication. - Added --skip-aws-account (now accepting comma-separated values) and --skip-aws-account-file to bypass live AWS validation for known canary/honey-token account IDs without triggering alerts. Kingfisher now ships with several canary AWS account IDs pre-seeded in the skip list and now reports matching findings as "Not Attempted" with the "Response" containing "(skip list entry)" so its clear that validation was intentionally skipped and why.
2025-10-15 22:47:40 -07:00
skip_aws_account: Vec::new(),
skip_aws_account_file: None,
Decode Base64 blobs and scan their contents for secrets while skipping short strings for performance. This has a small performance impact and can be disabled with --no-base64
2025-08-30 19:40:11 -07:00
no_base64: false,
added --turbo mode
2026-02-24 12:25:12 -07:00
turbo: false,
- Added a --no-ignore CLI flag to disable inline directives when you need every potential secret reported - Added: repeatable --ignore-comment <TOKEN> flag to reuse inline directives from other scanners (for example NOSONAR, kics-scan ignore, gitleaks:allow, etc)
2025-10-10 16:23:41 -07:00
extra_ignore_comments: Vec::new(),
- Added kingfisher:ignore (or kingfisher:allow) to silence a finding inline within a file - Added: to reuse existing inline directives from other scanners, pass --compat-ignore-comments to also accept NOSONAR, kics-scan ignore, gitleaks:allow and trufflehog:ignore
2025-10-09 20:11:31 -07:00
no_inline_ignore: false,
Added an optional exclude_words list to PatternRequirements so matches containing case-insensitive placeholder words are filtered out, with accompanying tests to cover the new behavior.
2025-11-05 17:19:11 -08:00
no_ignore_if_contains: false,
Updated kingfisher scan to accept Git repository URLs as positional targets (for example kingfisher scan github.com/org/repo or kingfisher scan https://gitlab.com/group/project.git) without requiring --git-url.
2026-02-26 23:14:18 -07:00
view_report_port: 7890,
view_report_address: "127.0.0.1".to_string(),
v1.73.0
2026-01-01 22:24:57 -08:00
validation_retries: 1,
Added optional validation rate limiting via --validation-rps (global) and repeatable --validation-rps-rule <RULE_SELECTOR=RPS> (per-rule override) for both scan and validate. Throttling now applies across built-in validator types (HTTP/gRPC plus AWS, GCP, Coinbase, MongoDB, Postgres, MySQL, JDBC, JWT, and Azure Storage). Rule selectors support the short form (for example, github=2 matches kingfisher.github.*) with longest-prefix precedence when multiple selectors apply.
2026-02-12 12:33:59 -08:00
validation_rps: None,
validation_rps_rule: Vec::new(),
v1.73.0
2026-01-01 22:24:57 -08:00
validation_timeout: 10,
v1.80.0
2026-02-09 12:11:35 -08:00
full_validation_response: false,
added --max-validation-response-length <BYTES>
2026-03-16 22:25:32 -07:00
max_validation_response_length: 2048,
preparing for v1.99.0
2026-05-04 13:26:11 -07:00
alert_webhook: Vec::new(),
alert_format: None,
alert_on: kingfisher::alerts::AlertOn::Findings,
alert_min_confidence: ConfidenceLevel::Medium,
alert_include_secret: false,
alert_report_url: None,
alert_detail: kingfisher::alerts::AlertDetail::Auto,
config_webhook_overrides: Vec::new(),
preparing for v1.12
2025-06-24 17:17:16 -07:00
};
/* --------------------------------------------------------- *
* 5. Load rules, run scan *
* --------------------------------------------------------- */
// ---------------------------------------------------------
// 5. Load rules, record them, run scan
// ---------------------------------------------------------
let loaded = RuleLoader::from_rule_specifiers(&scan_args.rules).load(&scan_args)?;
let resolved = loaded.resolve_enabled_rules()?;
let rules_db = Arc::new(RulesDatabase::from_rules(resolved.into_iter().cloned().collect())?);
let datastore = Arc::new(Mutex::new(FindingsStore::new(work_dir.path().to_path_buf())));
// NEW: make the datastore aware of every rule
{
let mut ds = datastore.lock().unwrap();
ds.record_rules(rules_db.rules()); // <-- **add this line**
}
let global_args = GlobalArgs {
verbose: 0,
quiet: true,
color: Mode::Auto,
progress: Mode::Never,
no_update_check: false,
self_update: false,
ignore_certs: false,
Removed the unused --rlimit-nofile flag
2025-09-18 17:02:56 -07:00
user_agent_suffix: None,
preparing for v1.78.0
2026-02-02 23:22:08 -08:00
tls_mode: TlsMode::Strict,
updated in response to ossf scorecard
2026-03-27 17:22:21 -07:00
allow_internal_ips: true,
added blog posts
2026-04-28 19:21:44 -07:00
endpoint: Vec::new(),
endpoint_config: None,
preparing for v1.99.0
2026-05-04 13:26:11 -07:00
config: None,
preparing for v1.12
2025-06-24 17:17:16 -07:00
};
updated tests
2025-11-24 11:08:31 -08:00
let update_status = UpdateStatus::default();
preparing for v1.12
2025-06-24 17:17:16 -07:00
copilot fixes
2026-04-29 22:50:31 -07:00
run_async_scan(
&global_args,
&scan_args,
Arc::clone(&datastore),
&rules_db,
&update_status,
false,
)
.await?;
preparing for v1.12
2025-06-24 17:17:16 -07:00
/* --------------------------------------------------------- *
* 6. Assertions *
* --------------------------------------------------------- */
// There are two matches for demo.key.validation.1, but the validator
// should have been called only once thanks to SkipMap caching.
assert_eq!(
hit_counter.load(Ordering::SeqCst),
1,
"validator endpoint should be hit exactly once"
);
let ds = datastore.lock().unwrap();
let total_matches = ds.get_matches().len();
assert_eq!(total_matches, 4, "expected 2 matches per rule (dup secrets)"); // 2 for each rule
Ok(())
}
Copy permalink