From 2265d2b1f06ae4b3ffe95ac3acb9303ed7eb189b Mon Sep 17 00:00:00 2001
From: Mick Grove
Date: Sat, 28 Mar 2026 22:39:31 -0700
Subject: [PATCH] added rules
---
 NOTICE | 6 +
 .../data/rules/azure-notification-hub.yml | 159 ++++++++++++++++++
 .../kingfisher-rules/data/rules/firebase.yml | 58 +++++++
 .../kingfisher-rules/data/rules/helpscout.yml | 82 +++++++++
 .../data/rules/kubernetes.yml | 118 +++++++++++++
 crates/kingfisher-rules/data/rules/zapier.yml | 30 ++++
 .../kingfisher-rules/data/rules/zendesk.yml | 102 +++++++++++
 7 files changed, 555 insertions(+)
 create mode 100644 crates/kingfisher-rules/data/rules/azure-notification-hub.yml
 create mode 100644 crates/kingfisher-rules/data/rules/firebase.yml
 create mode 100644 crates/kingfisher-rules/data/rules/helpscout.yml
 create mode 100644 crates/kingfisher-rules/data/rules/kubernetes.yml
 create mode 100644 crates/kingfisher-rules/data/rules/zapier.yml
 create mode 100644 crates/kingfisher-rules/data/rules/zendesk.yml
diff --git a/NOTICE b/NOTICE
index b95e1b1..6116057 100644
--- a/NOTICE
+++ b/NOTICE
@@ -47,10 +47,16 @@ Certain detection rules:
  * crates/kingfisher-rules/data/rules/instagram.yml
  * crates/kingfisher-rules/data/rules/iterable.yml
  * crates/kingfisher-rules/data/rules/lokalise.yml
+ * crates/kingfisher-rules/data/rules/azure-notification-hub.yml
+ * crates/kingfisher-rules/data/rules/firebase.yml
+ * crates/kingfisher-rules/data/rules/helpscout.yml
+ * crates/kingfisher-rules/data/rules/kubernetes.yml
  * crates/kingfisher-rules/data/rules/pendo.yml
  * crates/kingfisher-rules/data/rules/razorpay.yml
  * crates/kingfisher-rules/data/rules/spotify.yml
  * crates/kingfisher-rules/data/rules/wakatime.yml
+ * crates/kingfisher-rules/data/rules/zapier.yml
+ * crates/kingfisher-rules/data/rules/zendesk.yml
 are derived in part from Titus (https://github.com/praetorian-inc/titus), which is licensed under the Apache License, Version 2.0.
diff --git a/crates/kingfisher-rules/data/rules/azure-notification-hub.yml b/crates/kingfisher-rules/data/rules/azure-notification-hub.yml
new file mode 100644
index 0000000..5bd443e
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/azure-notification-hub.yml
@@ -0,0 +1,159 @@ +rules: + - name: Azure Notification Hub Namespace Host + id: kingfisher.azure.notificationhub.1 + pattern: | + (?xi) + \b + (?: + endpoint + \s*=\s* + sb:// + | + notification + (?:.|[\n\r]){0,48}? + https:// + ) + ( + [a-z0-9] + [a-z0-9-]{1,62} + \.servicebus\.windows\.net + ) + (?:/|;|\b) + min_entropy: 2.0 + confidence: medium + visible: false + examples: + - Endpoint=sb://acme-push.servicebus.windows.net/;SharedAccessKeyName=DefaultListenSharedAccessSignature;SharedAccessKey=VGhpcytpcythK3Rlc3Qra2V5K3ZhbHVlLzEyMzQ1Njc4OTA= + - 'notificationHubEndpoint: "https://mobile-prod.servicebus.windows.net"' + references: + - https://learn.microsoft.com/en-us/rest/api/notificationhubs/use-rest-api-backend + + - name: Azure Notification Hub Name + id: kingfisher.azure.notificationhub.2 + pattern: | + (?xi) + \b + (?: + notification + (?:hub)? + (?:name|path) + | + hub + (?:name|path) + ) + \s*[:=]\s* + ["']? + ( + [A-Za-z0-9] + [A-Za-z0-9._-]{1,127} + ) + ["']? + \b + min_entropy: 2.0 + confidence: medium + visible: false + examples: + - NotificationHubPath=my-mobile-hub + - 'notificationHubName: "android-prod"' + references: + - https://learn.microsoft.com/en-us/azure/notification-hubs/create-notification-hub-portal + + - name: Azure Notification Hub SAS Key Name + id: kingfisher.azure.notificationhub.3 + pattern: | + (?xi) + \b + SharedAccessKeyName + \s*[:=]\s* + ["']? + ( + [A-Za-z] + [A-Za-z0-9_-]{2,63} + ) + ["']? + \b + min_entropy: 2.0 + confidence: medium + visible: false + examples: + - SharedAccessKeyName=DefaultListenSharedAccessSignature + - '"SharedAccessKeyName": "DefaultFullSharedAccessSignature"' + references: + - https://learn.microsoft.com/en-us/azure/notification-hubs/notification-hubs-push-notification-security + + - name: Azure Notification Hub Access Key + id: kingfisher.azure.notificationhub.4 + pattern: | + (?xi) + (?: + (?:notification\s*hub|Endpoint\s*=\s*sb://[a-z0-9-]{2,63}\.servicebus\.windows\.net/?) + (?:.|[\n\r]){0,160}? 
+ SharedAccessKey + \s*[:=]\s* + ["']? + ( + [A-Za-z0-9+/]{32,88}={0,2} + ) + | + \b + (?:hubAccessKey|notificationHub(?:Access)?Key) + \b + \s*[:=]\s* + ["']? + ( + [A-Za-z0-9+/]{32,88}={0,2} + ) + ) + ["']? + (?:[^A-Za-z0-9+/=]|$) + pattern_requirements: + min_digits: 2 + min_uppercase: 1 + min_lowercase: 1 + ignore_if_contains: + - example + - sample + - document + - placeholder + min_entropy: 3.7 + confidence: medium + examples: + - Endpoint=sb://acme-push.servicebus.windows.net/;SharedAccessKeyName=DefaultListenSharedAccessSignature;SharedAccessKey=Q29udG9zb1Rlc3RLZXkrMTIzNDU2Nzg5MC9BQkNERUZHSEk= + - | + const config = { + notificationHubName: "android-prod", + hubAccessKey: "U2FmZUtleVZhbHVlKzEyMzQ1Njc4OTBBQkNERUYrLz09" + }; + references: + - https://learn.microsoft.com/en-us/azure/notification-hubs/notification-hubs-push-notification-security + - https://learn.microsoft.com/en-us/rest/api/notificationhubs/use-rest-api-backend + depends_on_rule: + - rule_id: kingfisher.azure.notificationhub.1 + variable: NH_HOST + - rule_id: kingfisher.azure.notificationhub.2 + variable: NH_HUB + - rule_id: kingfisher.azure.notificationhub.3 + variable: NH_KEY_NAME + validation: + type: Http + content: + request: + method: GET + url: 'https://{{ NH_HOST }}/{{ NH_HUB }}/registrations/?api-version=2015-01' + headers: + Accept: application/atom+xml + Authorization: | + {%- assign uri = "https://" | append: NH_HOST | append: "/" | append: NH_HUB | append: "/registrations/?api-version=2015-01" -%} + {%- assign se = "" | unix_timestamp | plus: 300 -%} + {%- capture to_sign -%}{{ uri | url_encode }} + {{ se }}{%- endcapture -%} + {%- capture auth -%}SharedAccessSignature sr={{ uri | url_encode }}&sig={{ to_sign | hmac_sha256: TOKEN | url_encode }}&se={{ se }}&skn={{ NH_KEY_NAME | url_encode }}{%- endcapture -%} + {{ auth | strip_newlines }} + response_matcher: + - report_response: true + - type: StatusMatch + status: [200] + - type: XmlValid + - type: WordMatch + words: + - 
"[a-z0-9]{6}) + (?:.|[\n\r]){0,24}? + \btoken-secret\b + \s*:\s* + (?P[a-z0-9]{16}) + \b + pattern_requirements: + min_digits: 2 + min_entropy: 2.8 + confidence: medium + examples: + - | + token-id: 07402b + token-secret: f395accd245ae53d + references: + - https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/ + depends_on_rule: + - rule_id: kingfisher.kubernetes.1 + variable: KUBE_API_SERVER + validation: + type: Http + content: + request: + method: GET + url: '{{ KUBE_API_SERVER }}/api/v1/namespaces?limit=1' + headers: + Accept: application/json + Authorization: 'Bearer {{ TOKEN_ID }}.{{ TOKEN_SECRET }}' + response_matcher: + - report_response: true + - type: StatusMatch + status: [200, 403] + - type: JsonValid diff --git a/crates/kingfisher-rules/data/rules/zapier.yml b/crates/kingfisher-rules/data/rules/zapier.yml new file mode 100644 index 0000000..fc84326 --- /dev/null +++ b/crates/kingfisher-rules/data/rules/zapier.yml @@ -0,0 +1,30 @@ +rules: + - name: Zapier Webhook URL + id: kingfisher.zapier.1 + pattern: | + (?x) + \b + ( + https://hooks\.zapier\.com/hooks/catch/ + [0-9]{5,10} + / + [a-z0-9]{5,12} + /? + ) + min_entropy: 3.4 + confidence: medium + examples: + - ZAPIER_WEBHOOK=https://hooks.zapier.com/hooks/catch/11595998/3ouwv7m/ + - webhook_url="https://hooks.zapier.com/hooks/catch/2929690/ztd17n/" + references: + - https://help.zapier.com/hc/en-us/articles/8496288690317-Trigger-Zaps-from-webhooks + validation: + type: Http + content: + request: + method: GET + url: '{{ TOKEN }}' + response_matcher: + - report_response: true + - type: StatusMatch + status: [200] diff --git a/crates/kingfisher-rules/data/rules/zendesk.yml b/crates/kingfisher-rules/data/rules/zendesk.yml new file mode 100644 index 0000000..473576d --- /dev/null +++ b/crates/kingfisher-rules/data/rules/zendesk.yml 
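Review bot: The validation step for kingfisher.zapier.1 issues a GET to the captured hook itself (`url: '{{ TOKEN }}'`), and a Zapier catch hook treats a GET as a trigger event as far as Zapier's own description of the trigger goes, so every verification run fires the target's Zap with an empty payload instead of merely confirming the URL is live. A validation with that side effect should say so on the rule so operators can disable it, e.g. `# validation requests the live hook, which triggers the Zap; turn validation off where that is not acceptable`, and it is worth confirming whether Zapier exposes any non-triggering probe before relying on this. The `status: [200]` matcher alone is also looser than the sibling rules in this patch; since a successful catch-hook response is presumably a JSON body, adding `- type: JsonValid` after the StatusMatch would tighten it at no cost.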
@@ -0,0 +1,102 @@ +rules: + - name: Zendesk Subdomain + id: kingfisher.zendesk.1 + pattern: | + (?xi) + \b + ( + [a-z0-9] + [a-z0-9-]{1,62} + \.zendesk\.com + ) + \b + min_entropy: 2.0 + confidence: medium + visible: false + examples: + - acme-support.zendesk.com + - helpdesk-prod.zendesk.com + references: + - https://developer.zendesk.com/api-reference/introduction/doc-conventions/ + + - name: Zendesk Account Email + id: kingfisher.zendesk.2 + pattern: | + (?xi) + \b + (?:zendesk|zd) + (?:.|[\n\r]){0,32}? + (?:email|user(?:name)?) + (?:.|[\n\r]){0,12}? + ( + [A-Za-z0-9._%+\-]+ + @ + [A-Za-z0-9.\-]+\.[A-Za-z]{2,} + ) + \b + min_entropy: 2.0 + confidence: medium + visible: false + examples: + - ZENDESK_EMAIL=agent@example.com + - 'zendesk_user: "support.bot@example.org"' + references: + - https://developer.zendesk.com/api-reference/introduction/security-and-auth/ + + - name: Zendesk API Token + id: kingfisher.zendesk.3 + pattern: | + (?xi) + \b + (?:zendesk|zd) + (?:.|[\n\r]){0,48}? + (?: + api[\s_.-]*token + | + token + | + api[\s_.-]*key + ) + (?:.|[\n\r]){0,16}? 
+ ( + [A-Za-z0-9]{40} + ) + \b + pattern_requirements: + min_digits: 2 + min_uppercase: 1 + min_lowercase: 1 + ignore_if_contains: + - example + - placeholder + - yourtoken + min_entropy: 3.8 + confidence: medium + examples: + - ZENDESK_API_TOKEN=a3B8f29E4d1C6a0578e23D9f41b6C8e2qR7tY4uI + - zendesk_token="E7d2A1f849c3B05d6e81F2a794c3D5b0pQ8wX1zK" + references: + - https://developer.zendesk.com/api-reference/introduction/security-and-auth/ + - https://developer.zendesk.com/api-reference/ticketing/account-configuration/current_user/ + depends_on_rule: + - rule_id: kingfisher.zendesk.1 + variable: ZENDESK_SUBDOMAIN + - rule_id: kingfisher.zendesk.2 + variable: ZENDESK_EMAIL + validation: + type: Http + content: + request: + method: GET + url: 'https://{{ ZENDESK_SUBDOMAIN }}/api/v2/users/me.json' + headers: + Accept: application/json + Authorization: 'Basic {{ ZENDESK_EMAIL | append: "/token:" | append: TOKEN | b64enc }}' + response_matcher: + - report_response: true + - type: StatusMatch + status: [200] + - type: JsonValid + - type: WordMatch + words: + - '"user"'
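Review bot: The host rule kingfisher.zendesk.1 that feeds ZENDESK_SUBDOMAIN into the validation URL accepts any label under zendesk.com, including Zendesk's own non-tenant hosts such as the developer.zendesk.com links this very file lists under references, so a docs URL sitting near a token can bind the /api/v2/users/me.json request to the wrong host and report a live token as invalid. A negative lookahead in front of the capture, `(?!(?:www|developer|support|help)\.)`, would exclude the obvious non-tenant hosts; the exact list of reserved subdomains is something to confirm against Zendesk's documentation rather than guessed. Because the host rule is consumed through depends_on_rule, the fix belongs in that pattern rather than in the validation block of kingfisher.zendesk.3.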