Merge pull request #18 from mongodb/development

v1.17.1
2025-06-29 23:24:12 -07:00 · 2025-06-29 23:24:12 -07:00 · 173b13cb64
commit 173b13cb64
parent 1e40cf458c cefa69e426
5 changed files with 34 additions and 5 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,6 +2,10 @@

 All notable changes to this project will be documented in this file.

+## [1.17.1]
+- Fixed broken sourcegraph rule
+- Added test to prevent this and similar issues
+
 ## [1.17.0]
 - Updated README to give proper attribution to Nosey Parker!
 - Added rules for sonarcloud, sonarqube, sourcegraph, shopify, truenas, square, sendgrid, nasa, teamcity, truenas, shopify
--- a/Cargo.toml
+++ b/Cargo.toml
@ -10,7 +10,7 @@ publish = false

 [package]
 name = "kingfisher"
-version = "1.17.0"
+version = "1.17.1"
 edition.workspace = true
 rust-version.workspace = true
 license.workspace = true
--- a/README.md
+++ b/README.md
@ -9,7 +9,7 @@ Kingfisher is a blazingly fast secret‑scanning and validation tool built in Ru

 </p>

-Kingfisher originated as a fork of **[Nosey Parker](https://github.com/praetorian-inc/noseyparker)** by Praetorian Security, Inc, and is built atop their incredible work and the work contributed by the Nosey Parker community.
+Kingfisher originated as a fork of [Nosey Parker](https://github.com/praetorian-inc/noseyparker) by Praetorian Security, Inc, and is built atop their incredible work and the work contributed by the Nosey Parker community.


 **MongoDB Blog**: [Introducing Kingfisher: Real-Time Secret Detection and Validation](https://www.mongodb.com/blog/post/product-release-announcements/introducing-kingfisher-real-time-secret-detection-validation)
@ -139,7 +139,7 @@ kingfisher scan /path/to/repo --rule-stats

 ### Scan while ignoring likely test files
 ```bash
-# Scan source but skip unit / integration tests
+# Scan source but skip likely unit / integration tests
 kingfisher scan ./my-project --ignore-tests
 ```

--- a/data/rules/sourcegraph.yml
+++ b/data/rules/sourcegraph.yml
@ -33,12 +33,18 @@ rules:
    pattern: |
      (?xi)
      \b
-      (?:sgp_(?:[a-f0-9]{16}_local_)?[a-f0-9]{40}|[a-f0-9]{40})
+      sourcegraph
+      (?:.|[\n\r]){0,32}?
+      (?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)
+      (?:.|[\n\r]){0,32}?
+      (
+        (?:sgp_(?:[a-f0-9]{16}_local_)?[a-f0-9]{40}|[a-f0-9]{40})
+      )
      \b
    min_entropy: 3.5
    confidence: medium
    examples:
-      - sgp_abcdef1234567890_local_abcdef12345678901234567890abcdef12345678
+      - sourcegraph SECRET sgp_abcdef1234567890_local_0123456789abcdef0123456789abcdef01234567
    validation:
      type: Http
      content:
--- a/tests/smoke_github_homebrew.rs
+++ b/tests/smoke_github_homebrew.rs
@ -0,0 +1,19 @@
+use assert_cmd::Command;
+use predicates::str::contains;
+
+#[test]
+fn scan_homebrew_github_no_findings() -> anyhow::Result<()> {
+    Command::cargo_bin("kingfisher")?
+        .args([
+            "scan",
+            "--git-url",
+            "https://github.com/homebrew/.github",
+            "--no-update-check",
+        ])
+        .assert()
+        .success()
+        .stdout(contains("|Findings....................: 0"))
+        .stdout(contains("|__Successful Validations....: 0"))
+        .stdout(contains("|__Failed Validations........: 0"));
+    Ok(())
+}