kingfisher/crates/kingfisher-rules/data/rules/azurestorage.yml

rules:
  - name: Azure Storage Account Name
    id: kingfisher.azurestorage.1
    pattern: |
      (?xi)
      (?:
        # A) Connection string: AccountName=<name>
        (?i:AccountName)\s*=\s*([a-z0-9]{3,24})(?:\b|[^a-z0-9])
      |
        # B) Blob endpoint URL: <name>.blob.core.windows.net
        ([a-z0-9]{3,24})\.blob\.core\.windows\.net\b
      |
        # C) Explicit KV labels near 'azure storage/account name' with tight separators
        \bazure(?:[_\s-]*)(?:storage|account)(?:[_\s-]*)(?:name)\b
        [\s:=\"']{0,6}
        ([a-z0-9]{3,24})(?:\b|[^a-z0-9])
      |
        # D) Explicit KV labels near 'azure storage/account name' with tight separators
        (?i:Account[_.-]?Name|Storage[_.-]?(?:Name))(?:.|\s){0,32}?\b([A-Z0-9]{3,32})\b|([A-Z0-9]{3,32})(?i:\.blob\.core\.windows\.net)
      )
    min_entropy: 2.0
    visible: false
    confidence: medium
    examples:
      - AccountName=mystorageaccount
      - mystorageaccount.blob.core.windows.net
      - azure_storage_name="prodblob2024"
    references:
      - https://learn.microsoft.com/en-us/azure/storage/common/storage-account-overview
      - https://learn.microsoft.com/en-us/rest/api/storageservices/authorize-with-shared-key
  - name: Azure Storage Account Key
    id: kingfisher.azurestorage.2
    pattern: |
      (?x)
      \b
      (?:
        (?i:azure)(?:[_\s-]*(?i:storage))?
        (?:[_\s-]*(?:account[_\s-]*key|storage[_\s-]*key|shared[_\s-]*key|access[_\s-]*key|accountkey))
        |
        (?i:account)[_.\s-]*(?i:key)
        |
        (?i:storage)[_.\s-]*(?i:key)
      )
      \b
      (?:.|[\n\r]){0,24}?
      (?:
        [=:]
        |
        ["']\s*:\s*["']
      )
      \s*
      ["']?
      (
        [A-Za-z0-9+/]{86}==
      )
      ['"]?
    pattern_requirements:
      min_digits: 2
      min_uppercase: 2
      min_lowercase: 2
      min_special_chars: 1
    min_entropy: 4.0
    confidence: medium
    examples:
      - Azure AccountKey=oqb4TdY9T0hphvktd5fJnMiHuQqzVy1jd5sSuOpAbGkaoqTlrHl0BOJN2okcasinVLOJzfDbZo1L+ASt68RAhA==
      - Azure AccountKey=B/1EVX2Ui47X09tqU3GI/j+Nko9r5COPm0Hea9tfzitF9MQX9lZZiNO3tYQckWnt+rtlGIWS+sCx+AStkq8ZLg==
      - Azure AccountKey=u45diQdTiXeuSKl5r4EjgbPP72EYpuTNEzfMTi0mk+d2sTisA4gWzt4H1Ag3kqFaCykWZv2S6KQo+AStHF56RQ==
      - Azure AccountKey=b8a/Z4wFAbhOPQTMa4PUTKr2XQhwoyWtP/3PnEto3mK86CFQnVYyTV/HSrij88h5jVYyzwUk0oTw+AStIKN/4w==
      - Azure AccountKey=JJD1GDiHCmtTpCOKpBYkXgZKrZvi7P4mRDe3jNVGc/JL/bp51uWcWL0rkOByk5VsX2MM62A/ABkE+AStU9qMkA==
      - Azure AccountKey=u45diQdTiXeuSKl5r4EjgbPP72EYpuTNEzfMTi0mk+d2sTisA4gWzt4H1Ag3kqFaCykWZv2S6KQo+AStHF56RQ==
    validation:
      type: AzureStorage
    references:
      - https://learn.microsoft.com/en-us/rest/api/storageservices/authorize-with-shared-key
      - https://learn.microsoft.com/en-us/rest/api/storageservices/
    depends_on_rule:
      - rule_id: kingfisher.azurestorage.1
        variable: AZURENAME
preparing for v1.12 2025-06-24 17:17:16 -07:00			`rules:`
			`- name: Azure Storage Account Name`
improved azure storage rule. Added rule to detect TravisCI encrypted values 2025-07-12 22:44:34 -07:00			`id: kingfisher.azurestorage.1`
preparing for v1.12 2025-06-24 17:17:16 -07:00			`pattern: \|`
Updated formatting of several rules 2025-06-26 11:31:41 -07:00			`(?xi)`
preparing for v1.12 2025-06-24 17:17:16 -07:00			`(?:`
updated smoke_branch tests 2025-10-26 11:53:29 -07:00			`# A) Connection string: AccountName=<name>`
			`(?i:AccountName)\s=\s([a-z0-9]{3,24})(?:\b\|[^a-z0-9])`
			`\|`
			`# B) Blob endpoint URL: <name>.blob.core.windows.net`
			`([a-z0-9]{3,24})\.blob\.core\.windows\.net\b`
preparing for v1.12 2025-06-24 17:17:16 -07:00			`\|`
updated smoke_branch tests 2025-10-26 11:53:29 -07:00			`# C) Explicit KV labels near 'azure storage/account name' with tight separators`
			`\bazure(?:[_\s-])(?:storage\|account)(?:[_\s-])(?:name)\b`
			`[\s:=\"']{0,6}`
			`([a-z0-9]{3,24})(?:\b\|[^a-z0-9])`
improving findings viewer 2026-01-15 10:41:55 -08:00			`\|`
			`# D) Explicit KV labels near 'azure storage/account name' with tight separators`
Skipped per-repository report writes when an output file is specified and emit a single aggregated report after multi-repository scans to preserve full output content in files. 2026-01-16 12:39:44 -08:00			`(?i:Account[_.-]?Name\|Storage[_.-]?(?:Name))(?:.\|\s){0,32}?\b([A-Z0-9]{3,32})\b\|([A-Z0-9]{3,32})(?i:\.blob\.core\.windows\.net)`
updated smoke_branch tests 2025-10-26 11:53:29 -07:00			`)`
			`min_entropy: 2.0`
preparing for v1.12 2025-06-24 17:17:16 -07:00			`visible: false`
			`confidence: medium`
			`examples:`
updated smoke_branch tests 2025-10-26 11:53:29 -07:00			`- AccountName=mystorageaccount`
preparing for v1.12 2025-06-24 17:17:16 -07:00			`- mystorageaccount.blob.core.windows.net`
updated smoke_branch tests 2025-10-26 11:53:29 -07:00			`- azure_storage_name="prodblob2024"`
v1.81.0 2026-02-10 19:24:19 -08:00			`references:`
			`- https://learn.microsoft.com/en-us/azure/storage/common/storage-account-overview`
			`- https://learn.microsoft.com/en-us/rest/api/storageservices/authorize-with-shared-key`
preparing for v1.12 2025-06-24 17:17:16 -07:00			`- name: Azure Storage Account Key`
improved azure storage rule. Added rule to detect TravisCI encrypted values 2025-07-12 22:44:34 -07:00			`id: kingfisher.azurestorage.2`
preparing for v1.12 2025-06-24 17:17:16 -07:00			`pattern: \|`
rule improvements to reduce FP's 2026-03-09 09:37:49 -07:00			`(?x)`
rule improvements to reduce FP's 2026-03-08 13:44:19 -07:00			`\b`
			`(?:`
rule improvements to reduce FP's 2026-03-09 09:37:49 -07:00			`(?i:azure)(?:[_\s-]*(?i:storage))?`
rule improvements to reduce FP's 2026-03-08 13:44:19 -07:00			`(?:[_\s-](?:account[_\s-]key\|storage[_\s-]key\|shared[_\s-]key\|access[_\s-]*key\|accountkey))`
			`\|`
rule improvements to reduce FP's 2026-03-09 09:37:49 -07:00			`(?i:account)[_.\s-]*(?i:key)`
rule improvements to reduce FP's 2026-03-08 13:44:19 -07:00			`\|`
rule improvements to reduce FP's 2026-03-09 09:37:49 -07:00			`(?i:storage)[_.\s-]*(?i:key)`
rule improvements to reduce FP's 2026-03-08 13:44:19 -07:00			`)`
			`\b`
			`(?:.\|[\n\r]){0,24}?`
rule improvements to reduce FP's 2026-03-09 09:37:49 -07:00			`(?:`
			`[=:]`
			`\|`
			`["']\s:\s["']`
			`)`
			`\s*`
			`["']?`
preparing for v1.12 2025-06-24 17:17:16 -07:00			`(`
rule improvements to reduce FP's 2026-03-09 09:37:49 -07:00			`[A-Za-z0-9+/]{86}==`
preparing for v1.12 2025-06-24 17:17:16 -07:00			`)`
rule improvements to reduce FP's 2026-03-08 13:44:19 -07:00			`['"]?`
pattern_requirements for rules — Post-regex character-class gating to cut false positives without lookarounds. Authors can now require minimum counts of digits, uppercase, lowercase, and special characters, with an optional custom special-char set. Why: Hyperscan doesn’t support lookaheads/behinds, so many “must contain X and Y” checks had to be baked into the regex (hurting readability) or were impossible. pattern_requirements applies lightweight, in-memory checks after a match is found, keeping patterns fast and clean. 2025-11-04 13:55:31 -05:00			`pattern_requirements:`
			`min_digits: 2`
			`min_uppercase: 2`
			`min_lowercase: 2`
rule improvements to reduce FP's 2026-03-09 09:37:49 -07:00			`min_special_chars: 1`
preparing for v1.12 2025-06-24 17:17:16 -07:00			`min_entropy: 4.0`
			`confidence: medium`
			`examples:`
rule improvements to reduce FP's 2026-03-09 09:37:49 -07:00			`- Azure AccountKey=oqb4TdY9T0hphvktd5fJnMiHuQqzVy1jd5sSuOpAbGkaoqTlrHl0BOJN2okcasinVLOJzfDbZo1L+ASt68RAhA==`
			`- Azure AccountKey=B/1EVX2Ui47X09tqU3GI/j+Nko9r5COPm0Hea9tfzitF9MQX9lZZiNO3tYQckWnt+rtlGIWS+sCx+AStkq8ZLg==`
			`- Azure AccountKey=u45diQdTiXeuSKl5r4EjgbPP72EYpuTNEzfMTi0mk+d2sTisA4gWzt4H1Ag3kqFaCykWZv2S6KQo+AStHF56RQ==`
			`- Azure AccountKey=b8a/Z4wFAbhOPQTMa4PUTKr2XQhwoyWtP/3PnEto3mK86CFQnVYyTV/HSrij88h5jVYyzwUk0oTw+AStIKN/4w==`
			`- Azure AccountKey=JJD1GDiHCmtTpCOKpBYkXgZKrZvi7P4mRDe3jNVGc/JL/bp51uWcWL0rkOByk5VsX2MM62A/ABkE+AStU9qMkA==`
			`- Azure AccountKey=u45diQdTiXeuSKl5r4EjgbPP72EYpuTNEzfMTi0mk+d2sTisA4gWzt4H1Ag3kqFaCykWZv2S6KQo+AStHF56RQ==`
preparing for v1.12 2025-06-24 17:17:16 -07:00			`validation:`
			`type: AzureStorage`
v1.81.0 2026-02-10 19:24:19 -08:00			`references:`
			`- https://learn.microsoft.com/en-us/rest/api/storageservices/authorize-with-shared-key`
			`- https://learn.microsoft.com/en-us/rest/api/storageservices/`
preparing for v1.12 2025-06-24 17:17:16 -07:00			`depends_on_rule:`
improved azure storage rule. Added rule to detect TravisCI encrypted values 2025-07-12 22:44:34 -07:00			`- rule_id: kingfisher.azurestorage.1`
updated for v1.61.0 2025-10-30 22:50:41 -07:00			`variable: AZURENAME`