From 4ee98a6cb04240007053595144adae52adec9413 Mon Sep 17 00:00:00 2001
From: Mick Grove
Date: Sun, 29 Jun 2025 21:45:43 -0700
Subject: [PATCH 1/4] fixed sourcegraph rule
---
README.md | 4 ++--
data/rules/sourcegraph.yml | 8 +++++++-
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 96e91f3..f41545c 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@ Kingfisher is a blazingly fast secret‑scanning and validation tool built in Ru
-Kingfisher originated as a fork of **[Nosey Parker](https://github.com/praetorian-inc/noseyparker)** by Praetorian Security, Inc, and is built atop their incredible work and the work contributed by the Nosey Parker community.
+Kingfisher originated as a fork of [Nosey Parker](https://github.com/praetorian-inc/noseyparker) by Praetorian Security, Inc, and is built atop their incredible work and the work contributed by the Nosey Parker community.
**MongoDB Blog**: [Introducing Kingfisher: Real-Time Secret Detection and Validation](https://www.mongodb.com/blog/post/product-release-announcements/introducing-kingfisher-real-time-secret-detection-validation)
@@ -139,7 +139,7 @@ kingfisher scan /path/to/repo --rule-stats
### Scan while ignoring likely test files
```bash
-# Scan source but skip unit / integration tests
+# Scan source but skip likely unit / integration tests
kingfisher scan ./my-project --ignore-tests
```
diff --git a/data/rules/sourcegraph.yml b/data/rules/sourcegraph.yml
index 965d99a..72fd8b1 100644
--- a/data/rules/sourcegraph.yml
+++ b/data/rules/sourcegraph.yml
@@ -33,7 +33,13 @@ rules:
pattern: |
(?xi)
\b
- (?:sgp_(?:[a-f0-9]{16}_local_)?[a-f0-9]{40}|[a-f0-9]{40})
+ sourcegraph
+ (?:.|[\n\r]){0,32}?
+ (?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)
+ (?:.|[\n\r]){0,32}?
+ (
+ (?:sgp_(?:[a-f0-9]{16}_local_)?[a-f0-9]{40} | [a-f0-9]{40})
+ )
\b
min_entropy: 3.5
confidence: medium
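Review bot: The reason for the new `sourcegraph … (SECRET|PRIVATE|ACCESS|KEY|TOKEN)` context prefix is not recorded in the rule file, and the bare `[a-f0-9]{40}` alternative kept inside the capture group is satisfied by any SHA-1-sized hex string (a git commit id, for example), so the next person tuning this pattern has nothing telling them the prefix is what keeps that alternative usable. A one-line comment above `pattern:` would pin it down, e.g. `# Context words are required: the bare 40-hex alternative below otherwise matches any SHA-1-sized hex string (git commit ids, etc.).` It is also worth stating there that with `(?i)` and no word boundary around the keyword group, `KEY` and `ACCESS` match inside longer words such as `keyword`, which is fine for a prefilter but is weaker than the pattern reads. The enclosing rule entry starts outside the hunk.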
From 366f6fab5b439f836fde7507cdf347eb81881feb Mon Sep 17 00:00:00 2001
From: Mick Grove
Date: Sun, 29 Jun 2025 22:01:25 -0700
Subject: [PATCH 2/4] Added test to prevent this and similar issues
---
CHANGELOG.md | 4 ++++
Cargo.toml | 2 +-
tests/smoke_github_homebrew.rs | 20 ++++++++++++++++++++
3 files changed, 25 insertions(+), 1 deletion(-)
create mode 100644 tests/smoke_github_homebrew.rs
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c583719..304a49f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@
All notable changes to this project will be documented in this file.
+## [1.17.1]
+- Fixed broken sourcegraph rule
+- Added test to prevent this and similar issues
+
## [1.17.0]
- Updated README to give proper attribution to Nosey Parker!
- Added rules for sonarcloud, sonarqube, sourcegraph, shopify, truenas, square, sendgrid, nasa, teamcity, truenas, shopify
diff --git a/Cargo.toml b/Cargo.toml
index 713a2de..f428453 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -10,7 +10,7 @@ publish = false
[package]
name = "kingfisher"
-version = "1.17.0"
+version = "1.17.1"
edition.workspace = true
rust-version.workspace = true
license.workspace = true
diff --git a/tests/smoke_github_homebrew.rs b/tests/smoke_github_homebrew.rs
new file mode 100644
index 0000000..710795a
--- /dev/null
+++ b/tests/smoke_github_homebrew.rs
@@ -0,0 +1,20 @@
+use assert_cmd::prelude::*;
+use assert_cmd::Command;
+use predicates::str::contains;
+
+#[test]
+fn scan_homebrew_github_no_findings() -> anyhow::Result<()> {
+ Command::cargo_bin("kingfisher")?
+ .args([
+ "scan",
+ "--git-url",
+ "https://github.com/homebrew/.github",
+ "--no-update-check",
+ ])
+ .assert()
+ .success()
+ .stdout(contains("|Findings....................: 0"))
+ .stdout(contains("|__Successful Validations....: 0"))
+ .stdout(contains("|__Failed Validations........: 0"));
+ Ok(())
+}
\ No newline at end of file
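Review bot: This test is only as good as the current contents of a third-party repository it clones over the network at test time, so it both requires network access in CI and stops guarding the regression the moment homebrew/.github no longer contains the text that triggered the old rule, while a future commit there could make it fail for reasons unrelated to this project. A checked-in fixture holding the exact snippet that produced the false positive, scanned with `"scan", "<path to checked-in fixture dir>", "--no-update-check"` in place of the `--git-url` pair, would pin the behaviour; the live clone can stay as an explicitly opt-in test if an end-to-end check is still wanted. A doc comment on `scan_homebrew_github_no_findings` should also say what it protects against, e.g. `/// Guards against rules that match bare hex strings without context (see the 1.17.1 sourcegraph fix); the scan must report zero findings.` The file is also missing its trailing newline.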
From a3060ec1445a5fd80fbf03d1861a1e4e05806998 Mon Sep 17 00:00:00 2001
From: Mick Grove
Date: Sun, 29 Jun 2025 22:50:16 -0700
Subject: [PATCH 3/4] Added test to prevent this and similar issues
---
data/rules/sourcegraph.yml | 2 +-
tests/smoke_github_homebrew.rs | 1 -
2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/data/rules/sourcegraph.yml b/data/rules/sourcegraph.yml
index 72fd8b1..1523c75 100644
--- a/data/rules/sourcegraph.yml
+++ b/data/rules/sourcegraph.yml
@@ -44,7 +44,7 @@ rules:
min_entropy: 3.5
confidence: medium
examples:
- - sgp_abcdef1234567890_local_abcdef12345678901234567890abcdef12345678
+ - sourcegraph SECRET sgp_abcdef1234567890_local_0123456789abcdef0123456789abcdef01234567
validation:
type: Http
content:
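Review bot: The single example exercises only the `sgp_…` alternative of the pattern; the bare `[a-f0-9]{40}` alternative, which the preceding commits presumably fixed, has no example at all, so a later edit could change how it matches without any example-based check noticing. Adding a second example that uses the context words with a plain 40-hex token, and, if the rule format supports negative examples, a 40-hex string with no context words nearby, would cover both branches of the alternation and the gating that patch 1 introduced. The enclosing rule entry starts outside the hunk.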
diff --git a/tests/smoke_github_homebrew.rs b/tests/smoke_github_homebrew.rs
index 710795a..6e401af 100644
--- a/tests/smoke_github_homebrew.rs
+++ b/tests/smoke_github_homebrew.rs
@@ -1,4 +1,3 @@
-use assert_cmd::prelude::*;
use assert_cmd::Command;
use predicates::str::contains;
From cefa69e42650a41d42d68fb26d12f6c9196bc9cb Mon Sep 17 00:00:00 2001
From: Mick Grove
Date: Sun, 29 Jun 2025 22:51:49 -0700
Subject: [PATCH 4/4] Added test to prevent this and similar issues
---
data/rules/sourcegraph.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/data/rules/sourcegraph.yml b/data/rules/sourcegraph.yml
index 1523c75..3aed539 100644
--- a/data/rules/sourcegraph.yml
+++ b/data/rules/sourcegraph.yml
@@ -38,7 +38,7 @@ rules:
(?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)
(?:.|[\n\r]){0,32}?
(
- (?:sgp_(?:[a-f0-9]{16}_local_)?[a-f0-9]{40} | [a-f0-9]{40})
+ (?:sgp_(?:[a-f0-9]{16}_local_)?[a-f0-9]{40}|[a-f0-9]{40})
)
\b
min_entropy: 3.5