diff --git a/CHANGELOG.md b/CHANGELOG.md
index c583719..304a49f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@
 All notable changes to this project will be documented in this file.
+## [1.17.1]
+- Fixed broken sourcegraph rule
+- Added test to prevent this and similar issues
+
 ## [1.17.0]
 - Updated README to give proper attribution to Nosey Parker!
 - Added rules for sonarcloud, sonarqube, sourcegraph, shopify, truenas, square, sendgrid, nasa, teamcity, truenas, shopify
diff --git a/Cargo.toml b/Cargo.toml
index 713a2de..f428453 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -10,7 +10,7 @@ publish = false
 [package]
 name = "kingfisher"
-version = "1.17.0"
+version = "1.17.1"
 edition.workspace = true
 rust-version.workspace = true
 license.workspace = true
diff --git a/README.md b/README.md
index 96e91f3..f41545c 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@ Kingfisher is a blazingly fast secret‑scanning and validation tool built in Ru

-Kingfisher originated as a fork of **[Nosey Parker](https://github.com/praetorian-inc/noseyparker)** by Praetorian Security, Inc, and is built atop their incredible work and the work contributed by the Nosey Parker community.
+Kingfisher originated as a fork of [Nosey Parker](https://github.com/praetorian-inc/noseyparker) by Praetorian Security, Inc, and is built atop their incredible work and the work contributed by the Nosey Parker community.
 **MongoDB Blog**: [Introducing Kingfisher: Real-Time Secret Detection and Validation](https://www.mongodb.com/blog/post/product-release-announcements/introducing-kingfisher-real-time-secret-detection-validation)
@@ -139,7 +139,7 @@ kingfisher scan /path/to/repo --rule-stats
 ### Scan while ignoring likely test files
 ```bash
-# Scan source but skip unit / integration tests
+# Scan source but skip likely unit / integration tests
 kingfisher scan ./my-project --ignore-tests
 ```
diff --git a/data/rules/sourcegraph.yml b/data/rules/sourcegraph.yml
index 965d99a..3aed539 100644
--- a/data/rules/sourcegraph.yml
+++ b/data/rules/sourcegraph.yml
@@ -33,12 +33,18 @@ rules:
 pattern: |
 (?xi)
 \b
- (?:sgp_(?:[a-f0-9]{16}_local_)?[a-f0-9]{40}|[a-f0-9]{40})
+ sourcegraph
+ (?:.|[\n\r]){0,32}?
+ (?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)
+ (?:.|[\n\r]){0,32}?
+ (
+ (?:sgp_(?:[a-f0-9]{16}_local_)?[a-f0-9]{40}|[a-f0-9]{40})
+ )
 \b
 min_entropy: 3.5
 confidence: medium
 examples:
- - sgp_abcdef1234567890_local_abcdef12345678901234567890abcdef12345678
+ - sourcegraph SECRET sgp_abcdef1234567890_local_0123456789abcdef0123456789abcdef01234567
 validation:
 type: Http
 content:
diff --git a/tests/smoke_github_homebrew.rs b/tests/smoke_github_homebrew.rs
new file mode 100644
index 0000000..6e401af
--- /dev/null
+++ b/tests/smoke_github_homebrew.rs
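Review bot: The `[a-f0-9]{40}` alternative kept inside the new capture group still matches any bare 40-hex string, so a git commit SHA that sits within 32 characters of `sourcegraph` and one of SECRET/PRIVATE/ACCESS/KEY/TOKEN (all case-insensitive under `(?xi)`) is still reported; the context anchor narrows the false-positive class the changelog calls "broken" but does not remove it, and that trade-off deserves a comment above `pattern:` such as `# keyword context required so bare git SHAs are not reported; the bare 40-hex branch covers legacy tokens`. The `examples:` list now exercises only the `sgp_…_local_…` form, so the plain `sgp_<40 hex>` branch and the bare 40-hex branch have no self-test; add one example per alternative, for instance `- sourcegraph TOKEN 0123456789abcdef0123456789abcdef01234567` (constructed from the hex already in the example). The two `(?:.|[\n\r]){0,32}?` spans could be written `(?s:.){0,32}?` if the regex engine honours inline flags, but that is only a style point.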
@@ -0,0 +1,19 @@
+use assert_cmd::Command;
+use predicates::str::contains;
+
+#[test]
+fn scan_homebrew_github_no_findings() -> anyhow::Result<()> {
+ Command::cargo_bin("kingfisher")?
+ .args([
+ "scan",
+ "--git-url",
+ "https://github.com/homebrew/.github",
+ "--no-update-check",
+ ])
+ .assert()
+ .success()
+ .stdout(contains("|Findings....................: 0"))
+ .stdout(contains("|__Successful Validations....: 0"))
+ .stdout(contains("|__Failed Validations........: 0"));
+ Ok(())
+}
\ No newline at end of file
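Review bot: `scan_homebrew_github_no_findings` clones a live third-party repository over the network, so it cannot run offline or in a sandboxed CI job, and its zero-findings assertion depends on the current content of `homebrew/.github` rather than on the sourcegraph rule this release fixes — if that repository gains or loses content the test flips for reasons unrelated to kingfisher. A hermetic companion that scans a local fixture holding a bare 40-hex string next to the word `sourcegraph` (but none of the SECRET/PRIVATE/ACCESS/KEY/TOKEN words the new rule requires) pins the fix directly and runs anywhere, assuming no other rule matches a bare 40-hex string, which the homebrew test already assumes; the network test could then stay as an opt-in smoke check under `#[ignore]`. The three `contains(...)` checks also pin the dot-padded summary layout, which will break on any cosmetic change to the summary table. A doc comment such as `/// Regression test: a repository full of git SHAs must yield zero findings (the previous sourcegraph rule matched any bare 40-hex string).` would record why this repository was chosen — that reason is inferred from the changelog entry, so confirm it.
```rust
// … unchanged: imports and scan_homebrew_github_no_findings …

/// Hermetic regression check: a bare 40-hex string (git-SHA shape) near the word
/// "sourcegraph" but without a SECRET/KEY/TOKEN keyword must produce no findings.
#[test]
fn scan_local_fixture_no_findings() -> anyhow::Result<()> {
    let dir = std::env::temp_dir().join(format!("kingfisher-sourcegraph-{}", std::process::id()));
    std::fs::create_dir_all(&dir)?;
    std::fs::write(
        dir.join("notes.md"),
        "sourcegraph commit 0123456789abcdef0123456789abcdef01234567\n",
    )?;
    // The fixture is left behind if an assertion below panics; acceptable for a test.
    Command::cargo_bin("kingfisher")?
        .arg("scan")
        .arg(&dir)
        .arg("--no-update-check")
        .assert()
        .success()
        .stdout(contains("|Findings....................: 0"));
    std::fs::remove_dir_all(&dir)?;
    Ok(())
}
```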