kingfisher/crates/kingfisher-rules/data/rules/dockerhub.yml

rules:
  - name: Docker Hub Personal Access Token
    id: kingfisher.dockerhub.1
    pattern: |
      (?xi)
      \b
      (
        dckr_pat_[A-Z0-9_-]{27}
      )
      (?: $ | [^A-Z0-9_-] )
    pattern_requirements:
      min_digits: 2
    min_entropy: 3.3
    confidence: medium
    examples:
      - docker login -u gemesa -p dckr_pat_hc8VxYclixyTr2rDFsa2rqzkP3Y
      - docker login -u gemesa -p dckr_pat_tkzBYxjNNC3R_Yg6jd_O-G8FbrJ
      - docker login -u gemesa -p dckr_pat_1q8yKET1VDJTpfCwseUDzT8vFh-
    references:
      - https://docs.docker.com/reference/api/hub/latest/#tag/authentication-api/operation/AuthCreateAccessToken
    depends_on_rule:
      - rule_id: kingfisher.dockerhub.2
        variable: DOCKER_USERNAME
    validation:
      type: Http
      content:
        request:
          method: POST
          url: https://hub.docker.com/v2/auth/token
          headers:
            Content-Type: application/json
            Accept: application/json
          body: '{"identifier":"{{ DOCKER_USERNAME | json_escape }}","secret":"{{ TOKEN | json_escape }}"}'
          response_matcher:
            - report_response: true
            - type: StatusMatch
              status: [200]
            - type: WordMatch
              words:
                - '"access_token"'

  - name: Docker Hub Username
    id: kingfisher.dockerhub.2
    pattern: |
      (?xi)
      \b
      docker
      (?:.|[\n\r]){0,32}?
      (?:
        -u\s+
        | --username[=\s]+
        | user(?:name)?[=:\s]+["']?
      )
      (
        [a-z0-9][a-z0-9_-]{2,29}
      )
      \b
    min_entropy: 1.0
    confidence: medium
    visible: false
    examples:
      - docker login -u gemesa -p dckr_pat_xxx
      - docker login --username=myuser
      - DOCKER_USERNAME=myuser
      - 'docker_user: "myuser"'

  - name: Docker Hub Organization Access Token
    id: kingfisher.dockerhub.3
    pattern: |
      (?xi)
      \b
      (
        dckr_oat_[A-Z0-9_-]{32}
      )
      (?: $ | [^A-Z0-9_-] )
    pattern_requirements:
      min_digits: 2
    min_entropy: 3.3
    confidence: medium
    examples:
      - docker login -u docker-test -p dckr_oat_7bA9zRt5-JqX3vP0l_MnY8sK2wE-dF6h
    references:
      - https://docs.docker.com/enterprise/security/access-tokens/
    depends_on_rule:
      - rule_id: kingfisher.dockerhub.2
        variable: DOCKER_USERNAME
    validation:
      type: Http
      content:
        request:
          method: POST
          url: https://hub.docker.com/v2/auth/token
          headers:
            Content-Type: application/json
            Accept: application/json
          body: '{"identifier":"{{ DOCKER_USERNAME | json_escape }}","secret":"{{ TOKEN | json_escape }}"}'
          response_matcher:
            - report_response: true
            - type: StatusMatch
              status: [200]
            - type: WordMatch
              words:
                - '"access_token"'
preparing for v1.12 2025-06-24 17:17:16 -07:00			`rules:`
			`- name: Docker Hub Personal Access Token`
			`id: kingfisher.dockerhub.1`
			`pattern: \|`
Updated formatting of several rules 2025-06-26 11:31:41 -07:00			`(?xi)`
preparing for v1.12 2025-06-24 17:17:16 -07:00			`\b`
			`(`
Updated formatting of several rules 2025-06-26 11:31:41 -07:00			`dckr_pat_[A-Z0-9_-]{27}`
preparing for v1.12 2025-06-24 17:17:16 -07:00			`)`
Updated formatting of several rules 2025-06-26 11:31:41 -07:00			`(?: $ \| [^A-Z0-9_-] )`
pattern_requirements for rules — Post-regex character-class gating to cut false positives without lookarounds. Authors can now require minimum counts of digits, uppercase, lowercase, and special characters, with an optional custom special-char set. Why: Hyperscan doesn’t support lookaheads/behinds, so many “must contain X and Y” checks had to be baked into the regex (hurting readability) or were impossible. pattern_requirements applies lightweight, in-memory checks after a match is found, keeping patterns fast and clean. 2025-11-04 13:55:31 -05:00			`pattern_requirements:`
			`min_digits: 2`
preparing for v1.12 2025-06-24 17:17:16 -07:00			`min_entropy: 3.3`
			`confidence: medium`
			`examples:`
			`- docker login -u gemesa -p dckr_pat_hc8VxYclixyTr2rDFsa2rqzkP3Y`
			`- docker login -u gemesa -p dckr_pat_tkzBYxjNNC3R_Yg6jd_O-G8FbrJ`
			`- docker login -u gemesa -p dckr_pat_1q8yKET1VDJTpfCwseUDzT8vFh-`
			`references:`
dockerhub rule update and docs update 2026-01-31 21:54:08 -08:00			`- https://docs.docker.com/reference/api/hub/latest/#tag/authentication-api/operation/AuthCreateAccessToken`
			`depends_on_rule:`
			`- rule_id: kingfisher.dockerhub.2`
			`variable: DOCKER_USERNAME`
preparing for v1.12 2025-06-24 17:17:16 -07:00			`validation:`
			`type: Http`
			`content:`
			`request:`
dockerhub rule update and docs update 2026-01-31 21:54:08 -08:00			`method: POST`
			`url: https://hub.docker.com/v2/auth/token`
preparing for v1.12 2025-06-24 17:17:16 -07:00			`headers:`
dockerhub rule update and docs update 2026-01-31 21:54:08 -08:00			`Content-Type: application/json`
preparing for v1.12 2025-06-24 17:17:16 -07:00			`Accept: application/json`
dockerhub rule update and docs update 2026-01-31 21:54:08 -08:00			`body: '{"identifier":"{{ DOCKER_USERNAME \| json_escape }}","secret":"{{ TOKEN \| json_escape }}"}'`
preparing for v1.12 2025-06-24 17:17:16 -07:00			`response_matcher:`
			`- report_response: true`
dockerhub rule update and docs update 2026-01-31 21:54:08 -08:00			`- type: StatusMatch`
			`status: [200]`
			`- type: WordMatch`
			`words:`
			`- '"access_token"'`

			`- name: Docker Hub Username`
			`id: kingfisher.dockerhub.2`
			`pattern: \|`
			`(?xi)`
			`\b`
			`docker`
			`(?:.\|[\n\r]){0,32}?`
			`(?:`
			`-u\s+`
			`\| --username[=\s]+`
			`\| user(?:name)?[=:\s]+["']?`
			`)`
			`(`
			`[a-z0-9][a-z0-9_-]{2,29}`
			`)`
			`\b`
			`min_entropy: 1.0`
			`confidence: medium`
			`visible: false`
			`examples:`
			`- docker login -u gemesa -p dckr_pat_xxx`
			`- docker login --username=myuser`
			`- DOCKER_USERNAME=myuser`
			`- 'docker_user: "myuser"'`
Merge main into development - Added mercury.yml and neon.yml rules from main - Merged Docker Hub Organization Access Token rule from main into updated dockerhub.yml - Resolved file location conflicts due to rules directory restructuring 2026-01-31 21:57:57 -08:00
			`- name: Docker Hub Organization Access Token`
			`id: kingfisher.dockerhub.3`
			`pattern: \|`
			`(?xi)`
feat(dockerhub): add Organization Access Token pattern Signed-off-by: Luke Young <bored-engineer@users.noreply.github.com> 2026-01-30 16:11:44 -08:00			`\b`
			`(`
Merge main into development - Added mercury.yml and neon.yml rules from main - Merged Docker Hub Organization Access Token rule from main into updated dockerhub.yml - Resolved file location conflicts due to rules directory restructuring 2026-01-31 21:57:57 -08:00			`dckr_oat_[A-Z0-9_-]{32}`
feat(dockerhub): add Organization Access Token pattern Signed-off-by: Luke Young <bored-engineer@users.noreply.github.com> 2026-01-30 16:11:44 -08:00			`)`
Merge main into development - Added mercury.yml and neon.yml rules from main - Merged Docker Hub Organization Access Token rule from main into updated dockerhub.yml - Resolved file location conflicts due to rules directory restructuring 2026-01-31 21:57:57 -08:00			`(?: $ \| [^A-Z0-9_-] )`
feat(dockerhub): add Organization Access Token pattern Signed-off-by: Luke Young <bored-engineer@users.noreply.github.com> 2026-01-30 16:11:44 -08:00			`pattern_requirements:`
			`min_digits: 2`
			`min_entropy: 3.3`
			`confidence: medium`
			`examples:`
			`- docker login -u docker-test -p dckr_oat_7bA9zRt5-JqX3vP0l_MnY8sK2wE-dF6h`
			`references:`
			`- https://docs.docker.com/enterprise/security/access-tokens/`
fix(dockerhub): use username for OAT validation Signed-off-by: Luke Young <bored-engineer@users.noreply.github.com> 2026-02-02 16:22:18 -08:00			`depends_on_rule:`
			`- rule_id: kingfisher.dockerhub.2`
			`variable: DOCKER_USERNAME`
feat(dockerhub): add Organization Access Token pattern Signed-off-by: Luke Young <bored-engineer@users.noreply.github.com> 2026-01-30 16:11:44 -08:00			`validation:`
			`type: Http`
			`content:`
			`request:`
fix(dockerhub): use username for OAT validation Signed-off-by: Luke Young <bored-engineer@users.noreply.github.com> 2026-02-02 16:22:18 -08:00			`method: POST`
			`url: https://hub.docker.com/v2/auth/token`
feat(dockerhub): add Organization Access Token pattern Signed-off-by: Luke Young <bored-engineer@users.noreply.github.com> 2026-01-30 16:11:44 -08:00			`headers:`
fix(dockerhub): use username for OAT validation Signed-off-by: Luke Young <bored-engineer@users.noreply.github.com> 2026-02-02 16:22:18 -08:00			`Content-Type: application/json`
feat(dockerhub): add Organization Access Token pattern Signed-off-by: Luke Young <bored-engineer@users.noreply.github.com> 2026-01-30 16:11:44 -08:00			`Accept: application/json`
fix(dockerhub): use username for OAT validation Signed-off-by: Luke Young <bored-engineer@users.noreply.github.com> 2026-02-02 16:22:18 -08:00			`body: '{"identifier":"{{ DOCKER_USERNAME \| json_escape }}","secret":"{{ TOKEN \| json_escape }}"}'`
feat(dockerhub): add Organization Access Token pattern Signed-off-by: Luke Young <bored-engineer@users.noreply.github.com> 2026-01-30 16:11:44 -08:00			`response_matcher:`
			`- report_response: true`
fix(dockerhub): use username for OAT validation Signed-off-by: Luke Young <bored-engineer@users.noreply.github.com> 2026-02-02 16:22:18 -08:00			`- type: StatusMatch`
			`status: [200]`
			`- type: WordMatch`
			`words:`
			`- '"access_token"'`