kingfisher/data/rules/docker.yml

rules:
  - name: Docker Registry Credentials (auths JSON)
    id: kingfisher.docker.1
    pattern: |
      (?xis)
      "auths"\s*:\s*\{
        [^}]*?
        " (?P<REG> (?:https?:\/\/)? [a-z0-9.\-:+/]+ ) "\s*:\s*\{
          [^}]*?
          "auth"\s*:\s*"(?P<B64> [A-Za-z0-9+/=]{16,} )"
          [^}]*?
        \}
        [^}]*?
      \}
    pattern_requirements:
      min_digits: 2
    min_entropy: 2.0
    confidence: medium
    examples:
      - |
        {
          "auths": {
            "quay.io": {
              "auth": "cmhkaCtyaHRhcDowM1BERl1RQTJQTDlaQUE5T1gzSU9IQjFYTUlXOVNGNU1XRzNSRVRHNThKVXpKMzEwV0ZZRVMOQTdGMExMNOYx"
            }
          }
        }
      - |
        {"auths":{"index.docker.io/v1/":{"auth":"dXNlcjp0b2tlbg=="}}}
    references:
      - https://distribution.github.io/distribution/spec/api/
    validation:
      type: Http
      content:
        request:
          method: GET
          url: >
            {%- assign r = REG -%}
            {%- if r contains "://" -%}
              {{ r | replace: "/$", "" }}/v2/auth
            {%- else -%}
              https://{{ r }}/v2/auth
            {%- endif -%}
          headers:
            Authorization: "Basic {{ B64 }}"
            Accept: application/json
          response_matcher:
            - report_response: true
            - type: StatusMatch
              status: [200]
Decode Base64 blobs and scan their contents for secrets while skipping short strings for performance 2025-08-30 16:44:55 -07:00			`rules:`
			`- name: Docker Registry Credentials (auths JSON)`
fix ci build error 2025-08-31 10:27:16 -07:00			`id: kingfisher.docker.1`
Decode Base64 blobs and scan their contents for secrets while skipping short strings for performance 2025-08-30 16:44:55 -07:00			`pattern: \|`
			`(?xis)`
			`"auths"\s:\s\{`
			`[^}]*?`
			`" (?P<REG> (?:https?:\/\/)? [a-z0-9.\-:+/]+ ) "\s:\s\{`
			`[^}]*?`
			`"auth"\s:\s"(?P<B64> [A-Za-z0-9+/=]{16,} )"`
			`[^}]*?`
			`\}`
			`[^}]*?`
			`\}`
pattern_requirements for rules — Post-regex character-class gating to cut false positives without lookarounds. Authors can now require minimum counts of digits, uppercase, lowercase, and special characters, with an optional custom special-char set. Why: Hyperscan doesn’t support lookaheads/behinds, so many “must contain X and Y” checks had to be baked into the regex (hurting readability) or were impossible. pattern_requirements applies lightweight, in-memory checks after a match is found, keeping patterns fast and clean. 2025-11-04 13:55:31 -05:00			`pattern_requirements:`
			`min_digits: 2`
Decode Base64 blobs and scan their contents for secrets while skipping short strings for performance 2025-08-30 16:44:55 -07:00			`min_entropy: 2.0`
			`confidence: medium`
			`examples:`
			`- \|`
			`{`
			`"auths": {`
			`"quay.io": {`
fix ci build error 2025-08-31 10:27:16 -07:00			`"auth": "cmhkaCtyaHRhcDowM1BERl1RQTJQTDlaQUE5T1gzSU9IQjFYTUlXOVNGNU1XRzNSRVRHNThKVXpKMzEwV0ZZRVMOQTdGMExMNOYx"`
Decode Base64 blobs and scan their contents for secrets while skipping short strings for performance 2025-08-30 16:44:55 -07:00			`}`
			`}`
			`}`
			`- \|`
			`{"auths":{"index.docker.io/v1/":{"auth":"dXNlcjp0b2tlbg=="}}}`
			`references:`
			`- https://distribution.github.io/distribution/spec/api/`
			`validation:`
			`type: Http`
			`content:`
			`request:`
			`method: GET`
			`url: >`
			`{%- assign r = REG -%}`
			`{%- if r contains "://" -%}`
			`{{ r \| replace: "/$", "" }}/v2/auth`
			`{%- else -%}`
			`https://{{ r }}/v2/auth`
			`{%- endif -%}`
			`headers:`
			`Authorization: "Basic {{ B64 }}"`
			`Accept: application/json`
			`response_matcher:`
			`- report_response: true`
			`- type: StatusMatch`
			`status: [200]`