From 77e3191532f8008f45c6e5b71607dbed74c152f5 Mon Sep 17 00:00:00 2001 From: Luke Young Date: Fri, 30 Jan 2026 13:42:46 -0800 Subject: [PATCH 01/12] fix(airtable): improve regex Signed-off-by: Luke Young --- data/rules/airtable.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/data/rules/airtable.yml b/data/rules/airtable.yml index c20c68c..3f77c16 100644 --- a/data/rules/airtable.yml +++ b/data/rules/airtable.yml @@ -2,13 +2,13 @@ rules: - name: Airtable Personal Access Token id: kingfisher.airtable.1 pattern: | - (?xi) + (?x) \b ( pat - [a-z0-9]{14} + [A-Za-z0-9]{14} \. - [a-z0-9]{64} + [a-f0-9]{64} ) \b pattern_requirements: From ac02fb2783c0fb589889a87104e682e645341d03 Mon Sep 17 00:00:00 2001 From: Luke Young Date: Fri, 30 Jan 2026 14:32:08 -0800 Subject: [PATCH 02/12] feat(asana): add v2 tokens, split v1/v0 patterns Signed-off-by: Luke Young --- data/rules/asana.yml | 114 +++++++++++++++++++++++++++++++++++++------ 1 file changed, 99 insertions(+), 15 deletions(-) diff --git a/data/rules/asana.yml b/data/rules/asana.yml index 2d43c31..45d926d 100644 --- a/data/rules/asana.yml +++ b/data/rules/asana.yml @@ -43,30 +43,24 @@ rules: - "asana :'20c2F0d03201af478ca1aBE9515A1A4FEfb'" - ASANA_PAT = 1234567890abcdef1234567890abcdef12 - - name: Asana OAuth / Personal Access Token + - name: Asana OAuth / Personal Access Token (Legacy) id: kingfisher.asana.3 pattern: | - (?xi) - \b + (?xi) + \b asana (?:.|[\n\r]){0,64}? - \b - ( - [01]{1,} - \/ - [0-9a-f]{16,32} - (?: - : - [a-z0-9]{32,64} - )? - ) + \b + ( + 0/ + [a-f0-9]{32} + ) \b pattern_requirements: min_digits: 4 min_entropy: 3.5 confidence: medium examples: - - asana_pat = 1/1248440223456784:d3d7e52e5c4a5d4c9bc424d2d882324d - asana token = 0/d6f1e29e5b4b4d8c9bb419b2d882154d categories: - api 
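Review bot: In data/rules/airtable.yml, kingfisher.airtable.1 now accepts only a lowercase `pat` prefix and a lowercase-hex tail (`[a-f0-9]{64}`), but nothing visible in the hunk records where that format comes from or pins it with a sample. Any token whose tail is logged or stored upper-cased will silently stop matching. I would add a comment above `pattern:` such as `# format: "pat" + 14 base62 chars + "." + 64 lowercase hex chars`, and check that the rule's `examples:` list (outside this hunk) has a token of exactly that shape. The rule continues past `pattern_requirements:`, so the examples may already cover this.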
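Review bot: In data/rules/asana.yml, kingfisher.asana.3 keeps `(?xi)` on the whole pattern, so `[a-f0-9]{32}` still accepts uppercase hex, while the rest of this series drops `i` to narrow token alphabets. If the flag is only there for the `asana` keyword, scope it to that keyword: start the pattern with `(?x)` and write the keyword as `(?i:asana)`. The same applies to kingfisher.asana.4 and kingfisher.asana.5, which the next hunk adds. Confirm that the scanning engine accepts scoped flag groups before switching.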
@@ -89,4 +83,94 @@ rules: - 'data:' - email - name - url: https://app.asana.com/api/1.0/users/me \ No newline at end of file + url: https://app.asana.com/api/1.0/users/me + + - name: Asana OAuth / Personal Access Token (V1) + id: kingfisher.asana.4 + pattern: | + (?xi) + \b + asana + (?:.|[\n\r]){0,64}? + \b + ( + 1/ + [0-9]{14,16} + : + [a-f0-9]{32} + ) + \b + pattern_requirements: + min_digits: 4 + min_entropy: 3.5 + confidence: medium + examples: + - asana_pat = 1/1248440223456784:d3d7e52e5c4a5d4c9bc424d2d882324d + categories: + - api + - key + - asana + references: + - https://developers.asana.com/docs/personal-access-token#example + validation: + type: Http + content: + request: + headers: + Authorization: Bearer {{ TOKEN }} + method: GET + response_matcher: + - report_response: true + + - name: Asana OAuth / Personal Access Token (V2) + id: kingfisher.asana.5 + pattern: | + (?xi) + \b + asana + (?:.|[\n\r]){0,64}? + \b + ( + 2/ + [0-9]{16} + / + [0-9]{16} + : + [a-f0-9]{32} + ) + \b + pattern_requirements: + min_digits: 4 + min_entropy: 3.5 + confidence: medium + examples: + - ASANA_TOKEN = "2/1208779539612523/1208824174176866:99d6decca6ce6ef503bf0c5bca554e1a" + categories: + - api + - key + - asana + references: + - https://developers.asana.com/docs/personal-access-token#example + validation: + type: Http + content: + request: + headers: + Authorization: Bearer {{ TOKEN }} + method: GET + response_matcher: + - report_response: true + - match_all_words: true + type: WordMatch + words: + - 'data:' + - email + - name + url: https://app.asana.com/api/1.0/users/me + - match_all_words: true + type: WordMatch + words: + - 'data:' + - email + - name + url: https://app.asana.com/api/1.0/users/me From e73f2f598607b34f2628dc6f0bbbc74471843782 Mon Sep 17 00:00:00 2001 From: Luke Young Date: Fri, 30 Jan 2026 14:52:37 -0800 Subject: [PATCH 03/12] fix(circleci): improve regex Updated the regex pattern for CircleCI API token to allow a more flexible format. 
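Review bot: As added in this hunk, kingfisher.asana.4's `response_matcher` stops at `- report_response: true` with no `WordMatch` entry and no `url`, while kingfisher.asana.5 ends with the `match_all_words` block and `url: https://app.asana.com/api/1.0/users/me` written twice. Indentation is lost in this view, so the exact nesting is inferred, but either way the V1 rule has no request target at this commit and cannot validate a finding. PATCH 11/12 moves the stray block into asana.4. Folding that fix into this commit would keep every commit in the series loadable on its own.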
Signed-off-by: Luke Young --- data/rules/circleci.yml | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/data/rules/circleci.yml b/data/rules/circleci.yml index da20a80..4eb3083 100644 --- a/data/rules/circleci.yml +++ b/data/rules/circleci.yml @@ -2,21 +2,11 @@ rules: - name: CircleCI API Personal Access Token id: kingfisher.circleci.1 pattern: | - (?xi) + (?x) \b ( CCIPAT_ - [a-z0-9]{4} - [a-z]{5} - [a-z0-9]{3} - [0-9]{3} - [a-z]{2} - [A-Z]{2} - [0-9]{1} - [a-z]{1} - [a-z0-9]{1} - [0-9]{1} - [a-z]{1} + [a-zA-Z0-9]{22} _ [a-z0-9]{40} ) @@ -27,6 +17,7 @@ rules: confidence: medium examples: - CircleCI_PAT = "CCIPAT_lZyPAuThWn2G908ssDT0g33e_t7qh0r5hrvsqzmuraqzduq6qco5onxgrtcn7y2z4" + - CCIPAT_FERZRjTN451xnDCy1y9gWn_79fb6ca4d0e5f833612eee17de397a9dca0a9e9f - | export CIRCLECI_TOKEN=CCIPAT_lZyPAuThWn2G908ssDT0g33e_t7qh0r5hrvsqzmuraqzduq6qco5onxgrtcn7y2z4 references: @@ -85,4 +76,4 @@ rules: - type: WordMatch words: - '"vcs_url"' - url: https://circleci.com/api/v1.1/projects \ No newline at end of file + url: https://circleci.com/api/v1.1/projects From 97210dcaa519765ca66ed0cd5684f84825b4e53d Mon Sep 17 00:00:00 2001 From: Luke Young Date: Fri, 30 Jan 2026 15:08:24 -0800 Subject: [PATCH 04/12] fix(deepseek): improve kingfisher.deepseek.1 regex Refactor regex pattern for DeepSeek API Key rule. Signed-off-by: Luke Young --- data/rules/deepseek.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/rules/deepseek.yml b/data/rules/deepseek.yml index 233ae52..fac865e 100644 --- a/data/rules/deepseek.yml +++ b/data/rules/deepseek.yml @@ -2,7 +2,7 @@ rules: - name: DeepSeek API Key id: kingfisher.deepseek.1 pattern: | - (?xi) + (?x) \b ( sk-[a-f0-9]{32} From 87a92f94d988aa4117fee0811bf8ec13f3b53ceb Mon Sep 17 00:00:00 2001 From: Luke Young Date: Fri, 30 Jan 2026 15:15:31 -0800 Subject: [PATCH 05/12] fix(discord): improve kingfisher.discord.1 regex 
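Review bot: In data/rules/circleci.yml, the new middle segment `[a-zA-Z0-9]{22}` is an exact length, and the example kept in the second hunk, `CCIPAT_lZyPAuThWn2G908ssDT0g33e_…`, has 24 characters between the underscores, so it no longer matches kingfisher.circleci.1. The removed sub-patterns also summed to 24, so either the old sample was never a real token or both lengths exist. If both exist, the rule now misses the 24-character form, and the segment should be `[a-zA-Z0-9]{22,24}`. PATCH 10/12 deletes the 24-character examples instead of widening the pattern. Please state in the commit message which case applies.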
Signed-off-by: Luke Young --- data/rules/discord.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/data/rules/discord.yml b/data/rules/discord.yml index f350c29..59df775 100644 --- a/data/rules/discord.yml +++ b/data/rules/discord.yml @@ -4,11 +4,11 @@ rules: pattern: | (?xi) ( - https://discord\.com/api/webhooks/ - \d{18} + https://discord(app)?\.com/api/webhooks/ + [0-9]{17,20} )/ ( - [0-9a-z_\-]{68} + [0-9a-z_\-]{60,68} ) \b pattern_requirements: @@ -73,4 +73,4 @@ rules: confidence: medium examples: - discord = 12345678901234567 - - 'bot_id: "123456789012345678"' \ No newline at end of file + - 'bot_id: "123456789012345678"' From 5b2b81ed7e436da1b037d70bdf62fe7eb7953621 Mon Sep 17 00:00:00 2001 From: Luke Young Date: Fri, 30 Jan 2026 16:11:44 -0800 Subject: [PATCH 06/12] feat(dockerhub): add Organization Access Token pattern Signed-off-by: Luke Young --- data/rules/dockerhub.yml | 39 +++++++++++++++++++++++++++++++++++---- 1 file changed, 35 insertions(+), 4 deletions(-) diff --git a/data/rules/dockerhub.yml b/data/rules/dockerhub.yml index 45c740b..5e0be16 100644 --- a/data/rules/dockerhub.yml +++ b/data/rules/dockerhub.yml @@ -2,12 +2,12 @@ rules: - name: Docker Hub Personal Access Token id: kingfisher.dockerhub.1 pattern: | - (?xi) + (?x) \b ( - dckr_pat_[A-Z0-9_-]{27} + dckr_pat_[A-Za-z0-9_-]{27} ) - (?: $ | [^A-Z0-9_-] ) + (?: $ | [^A-Za-z0-9_-] ) pattern_requirements: min_digits: 2 min_entropy: 3.3 
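Review bot: In data/rules/discord.yml, `discord(app)?` adds a capturing group inside the first capture, so the webhook secret moves from group 2 to group 3. If the engine or any downstream consumer reads captures by position (not visible from this hunk), the reported or validated value becomes `app` or empty instead of the token. Use a non-capturing group: `https://discord(?:app)?\.com/api/webhooks/`. The rest of the rule, including any validation that references the captures, lies outside the hunk.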
@@ -31,4 +31,35 @@ rules: - status: - 200 type: StatusMatch - url: https://hub.docker.com/v2/access-tokens?page_size=1 \ No newline at end of file + url: https://hub.docker.com/v2/access-tokens?page_size=1 + - name: Docker Hub Organization Access Token + id: kingfisher.dockerhub.2 + pattern: | + (?x) + \b + ( + dckr_oat_[A-Za-z0-9_-]{32} + ) + (?: $ | [^A-Za-z0-9_-] ) + pattern_requirements: + min_digits: 2 + min_entropy: 3.3 + confidence: medium + examples: + - docker login -u docker-test -p dckr_oat_7bA9zRt5-JqX3vP0l_MnY8sK2wE-dF6h + references: + - https://docs.docker.com/enterprise/security/access-tokens/ + validation: + type: Http + content: + request: + headers: + Authorization: Bearer {{ TOKEN }} + Accept: application/json + method: GET + response_matcher: + - report_response: true + - status: + - 200 + type: StatusMatch + url: https://hub.docker.com/v2/access-tokens?page_size=1 From 2d3279b4d3e307259a104391c98840ac71ce99f3 Mon Sep 17 00:00:00 2001 From: Luke Young Date: Fri, 30 Jan 2026 17:45:56 -0800 Subject: [PATCH 07/12] feat(mercury): add Mercury API token rules Signed-off-by: Luke Young --- data/rules/mercury.yml | 67 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 data/rules/mercury.yml diff --git a/data/rules/mercury.yml b/data/rules/mercury.yml new file mode 100644 index 0000000..51eaacf --- /dev/null +++ b/data/rules/mercury.yml 
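Review bot: The validation block of kingfisher.dockerhub.2 repeats the personal-token rule's request unchanged, `GET https://hub.docker.com/v2/access-tokens?page_size=1` with the raw token as Bearer. Judging by its path, that endpoint lists a user's personal access tokens, so an organization access token may never receive 200 there, in which case live OATs would be reported as inactive. Please confirm the check against a real OAT or point it at an organization-scoped endpoint. Until then I would add a comment above `validation:` such as `# NOTE: endpoint copied from kingfisher.dockerhub.1; not yet confirmed for dckr_oat_ tokens`.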
@@ -0,0 +1,67 @@ +rules: + - name: Mercury Production API Token + id: kingfisher.mercury.1 + pattern: | + (?x) + \b + ( + mercury_production_ + [a-z]{3,6} + _ + [a-zA-Z0-9]{40,50} + _yrucrem + ) + \b + min_entropy: 3.5 + confidence: medium + examples: + - Bearer secret-token:mercury_production_wma_24SCp4G81X3yHL4Wq8FgzuaP9ye3VKf2mgTDctXyRg5HY_yrucrem + references: + - https://docs.mercury.com/docs/api-token-security-policies + validation: + type: Http + content: + request: + headers: + Authorization: Bearer {{ TOKEN }} + Accept: application/json + method: GET + response_matcher: + - report_response: true + - status: + - 200 + type: StatusMatch + url: https://api.mercury.com/api/v1/accounts + - name: Mercury Non-Production API Token + id: kingfisher.mercury.2 + pattern: | + (?x) + \b + ( + mercury_sandbox_ + [a-z]{3,6} + _ + [a-zA-Z0-9]{40,50} + _yrucrem + ) + \b + min_entropy: 3.5 + confidence: medium + examples: + - Bearer secret-token:mercury_sandbox_rma_24pnbcT7NygLbpJPr4xBuSuBDpo6tK89S8u3ERYn3FXVz_yrucrem + references: + - https://docs.mercury.com/docs/api-token-security-policies + validation: + type: Http + content: + request: + headers: + Authorization: Bearer {{ TOKEN }} + Accept: application/json + method: GET + response_matcher: + - report_response: true + - status: + - 200 + type: StatusMatch + url: https://api-sandbox.mercury.com/api/v1/accounts From 678beef114aedf9f439d5ab1b7d1f51abf186f4f Mon Sep 17 00:00:00 2001 From: Luke Young Date: Fri, 30 Jan 2026 18:05:59 -0800 Subject: [PATCH 08/12] feat(neon): add Neon API Key rule --- data/rules/neon.yml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 data/rules/neon.yml diff --git a/data/rules/neon.yml b/data/rules/neon.yml new file mode 100644 index 0000000..2c7ee79 --- /dev/null +++ b/data/rules/neon.yml 
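Review bot: Both Mercury rules validate with `GET …/api/v1/accounts` and set `report_response: true`. If that option copies the response body into the finding (as the name suggests), a live production token will place bank account data in scan output, CI logs and whatever stores the report. For kingfisher.mercury.1, I would drop `- report_response: true` and rely on the `StatusMatch` on 200, or validate against an endpoint that returns no account data. A comment above `validation:` should also say that the request is sent to the production banking API with the candidate token.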
@@ -0,0 +1,31 @@ +rules: + - name: Neon API Key + id: kingfisher.neon.1 + pattern: | + (?x) + \b + ( + napi_ + [a-zA-Z0-9]{64} + ) + \b + min_entropy: 3.5 + confidence: high + examples: + - napi_f6n4wv0d0nzglfk64c1bnzrc5ug82tmrmekh8h4hsxeq8zd0p5ii234bdkah71kw + references: + - https://neon.com/docs/manage/api-keys + validation: + type: Http + content: + request: + headers: + Authorization: Bearer {{ TOKEN }} + Accept: application/json + method: GET + response_matcher: + - report_response: true + - status: + - 200 + type: StatusMatch + url: https://console.neon.tech/api/v2/auth From 55e331f6a4815fd3c692ec35c95cc6793ec99437 Mon Sep 17 00:00:00 2001 From: Luke Young Date: Fri, 30 Jan 2026 18:17:09 -0800 Subject: [PATCH 09/12] fix(planetscale): improve kingfisher.planetscale.1 regex Signed-off-by: Luke Young --- data/rules/planetscale.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/rules/planetscale.yml b/data/rules/planetscale.yml index 859531b..d37aa89 100644 --- a/data/rules/planetscale.yml +++ b/data/rules/planetscale.yml @@ -5,7 +5,7 @@ rules: (?xi) \b ( - pscale_tkn_[a-z0-9-_]{43} + pscale_tkn_[a-z0-9-_]{32,64} ) \b pattern_requirements: From 3fa9bfe160077881dac51bb8e302938fb758f910 Mon Sep 17 00:00:00 2001 From: Luke Young Date: Fri, 30 Jan 2026 18:40:22 -0800 Subject: [PATCH 10/12] Update CircleCI token examples in configuration --- data/rules/circleci.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/data/rules/circleci.yml b/data/rules/circleci.yml index 4eb3083..78ef95e 100644 --- a/data/rules/circleci.yml +++ b/data/rules/circleci.yml 
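Review bot: In data/rules/planetscale.yml, widening `{43}` to `{32,64}` removes the fixed length that used to end the match at the token. Because `-` is inside the class, a token followed by text like `-backup` is now captured together with that suffix, and validation would then test the wrong string. The hunk shows no example for the new lengths, so the range looks unverified. I would add one example per real token length, or use an alternation of the known lengths in place of an open range. Separately, writing the class as `[a-z0-9_-]` with the hyphen last avoids any reading of `9-_` as a range.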
@@ -16,10 +16,8 @@ rules: min_entropy: 3.5 confidence: medium examples: - - CircleCI_PAT = "CCIPAT_lZyPAuThWn2G908ssDT0g33e_t7qh0r5hrvsqzmuraqzduq6qco5onxgrtcn7y2z4" - - CCIPAT_FERZRjTN451xnDCy1y9gWn_79fb6ca4d0e5f833612eee17de397a9dca0a9e9f - | - export CIRCLECI_TOKEN=CCIPAT_lZyPAuThWn2G908ssDT0g33e_t7qh0r5hrvsqzmuraqzduq6qco5onxgrtcn7y2z4 + export CIRCLECI_TOKEN=CCIPAT_FERZRjTN451xnDCy1y9gWn_79fb6ca4d0e5f833612eee17de397a9dca0a9e9f references: - https://circleci.com/docs/api-developers-guide/#using-the-api-securely-wtih-curl validation: From 44f732595ac761b6a5d1508f47d48f344cc2ebea Mon Sep 17 00:00:00 2001 From: Luke Young Date: Fri, 30 Jan 2026 18:43:26 -0800 Subject: [PATCH 11/12] Add match_all_words matcher to Asana API rules --- data/rules/asana.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/data/rules/asana.yml b/data/rules/asana.yml index 45d926d..64a7fd3 100644 --- a/data/rules/asana.yml +++ b/data/rules/asana.yml @@ -121,6 +121,13 @@ rules: method: GET response_matcher: - report_response: true + - match_all_words: true + type: WordMatch + words: + - 'data:' + - email + - name + url: https://app.asana.com/api/1.0/users/me - name: Asana OAuth / Personal Access Token (V2) id: kingfisher.asana.5 @@ -167,10 +174,3 @@ rules: - email - name url: https://app.asana.com/api/1.0/users/me - - match_all_words: true - type: WordMatch - words: - - 'data:' - - email - - name - url: https://app.asana.com/api/1.0/users/me From b81194bcd364b672939ec22459e852cd992dd1c9 Mon Sep 17 00:00:00 2001 From: Luke Young Date: Fri, 30 Jan 2026 20:57:55 -0800 Subject: [PATCH 12/12] fix(age): reduce allowed characters to bech32 alphabet Signed-off-by: Luke Young --- data/rules/age.yml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/data/rules/age.yml b/data/rules/age.yml index e024a63..8267e0f 100644 --- a/data/rules/age.yml +++ b/data/rules/age.yml 
@@ -2,14 +2,13 @@ rules: - name: Age Recipient (X25519 public key) id: kingfisher.age.1 pattern: | - (?xi) + (?x) ( - age1[0-9a-z]{58} + age1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{58} ) \b pattern_requirements: min_digits: 2 - min_uppercase: 1 min_lowercase: 1 min_entropy: 3.3 confidence: medium @@ -23,9 +22,9 @@ rules: - name: Age Identity (X22519 secret key) id: kingfisher.age.2 pattern: | - (?xi) + (?x) ( - AGE-SECRET-KEY-1[0-9A-Z]{58} + AGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58} ) min_entropy: 3.3 confidence: medium @@ -40,4 +39,4 @@ rules: - https://htmlpreview.github.io/?https://github.com/FiloSottile/age/blob/main/doc/age.1.html - https://github.com/C2SP/C2SP/blob/8b6a842e0360d35111c46be2a8019b2276295914/age.md#the-x25519-recipient-type categories: - - secret \ No newline at end of file + - secret
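Review bot: Neither age pattern is bounded on both sides. kingfisher.age.1 has no `\b` before `age1`, so it can match inside a longer word. kingfisher.age.2 (second hunk) has nothing after `{58}`, so a longer run of Bech32 characters is reported as a 58-character key. With the alphabet now exact, adding `\b` before `age1` and after the secret key's `{58}` would complete the tightening. In age.1, `min_lowercase: 1` is now always satisfied by the literal `age` prefix and can go the same way as `min_uppercase`. The rule name in the second hunk's context also reads `X22519` where `X25519` is meant.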