performance improvements and rule improvements

2026-04-17 18:06:17 -07:00 · 2026-04-17 18:06:17 -07:00 · 2d63146078
commit 2d63146078
parent 5ff11a14dc
9 changed files with 112 additions and 22 deletions
--- a/README.md
+++ b/README.md
@ -7,7 +7,7 @@
    <img src="https://img.shields.io/badge/License-Apache%202.0-blue.svg" alt="License" style="height: 24px;" />
  </a>
  <a href="https://github.com/mongodb/kingfisher">
-    <img src="https://img.shields.io/badge/Detection%20Rules-921-2ea043.svg" alt="Detection Rules" style="height: 24px;" />
+    <img src="https://img.shields.io/badge/Detection%20Rules-934-2ea043.svg" alt="Detection Rules" style="height: 24px;" />
  </a>
  <br>
  <a href="https://github.com/mongodb/kingfisher/pkgs/container/kingfisher">
@ -17,7 +17,7 @@

 Kingfisher is an open source secret scanner and **live secret validation** tool built in Rust.

-It combines Intel's SIMD-accelerated regex engine (Hyperscan) with language-aware parsing to achieve high accuracy at massive scale, and **ships with 923 built-in rules** to detect, **validate**, and triage leaked API keys, tokens, and credentials before they ever reach production.
+It combines Intel's SIMD-accelerated regex engine (Hyperscan) with language-aware parsing to achieve high accuracy at massive scale, and **ships with 934 built-in rules** to detect, **validate**, and triage leaked API keys, tokens, and credentials before they ever reach production.

 Designed for offensive security engineers and blue-team defenders alike, Kingfisher helps you scan repositories, cloud storage, chat, docs, and CI pipelines to find and verify exposed secrets quickly.

@ -49,9 +49,9 @@ Kingfisher is a high-performance, open source secret detection tool for source c

 </div>

-### Performance, Accuracy, and 923 Rules
+### Performance, Accuracy, and 934 Rules
 - **Performance**: multithreaded, Hyperscan‑powered scanning built for huge codebases  
- **Extensible rules**: 923 built-in rules plus YAML-defined custom rules ([docs/RULES.md](/docs/RULES.md))
+- **Extensible rules**: 934 built-in rules plus YAML-defined custom rules ([docs/RULES.md](/docs/RULES.md))
 - **Validate & Revoke**: live validation of discovered secrets, plus direct revocation for supported platforms (GitHub, GitLab, Slack, AWS, GCP, and more) ([docs/USAGE.md](/docs/USAGE.md))
 - **Revocation support matrix**: current built-in revocation coverage across providers and rule IDs ([docs/REVOCATION_PROVIDERS.md](/docs/REVOCATION_PROVIDERS.md))
 - **Blast Radius Mapping**: instantly map leaked keys to their effective cloud identities and exposed resources with `--access-map`. Supports 39 providers (see table below).
@ -347,7 +347,7 @@ gh attestation verify kingfisher-linux-x64.tgz --repo mongodb/kingfisher

 # Detection Rules

-Kingfisher ships with [923 built-in rules](crates/kingfisher-rules/data/rules/) covering cloud keys, AI tokens, CI/CD secrets, database credentials, and SaaS API keys. Below is an overview — see the full list in [crates/kingfisher-rules/data/rules/](crates/kingfisher-rules/data/rules/):
+Kingfisher ships with [934 built-in rules](crates/kingfisher-rules/data/rules/) covering cloud keys, AI tokens, CI/CD secrets, database credentials, and SaaS API keys. Below is an overview — see the full list in [crates/kingfisher-rules/data/rules/](crates/kingfisher-rules/data/rules/):

 | Category | What we catch |
 |----------|---------------|
@ -364,7 +364,7 @@ Kingfisher ships with [923 built-in rules](crates/kingfisher-rules/data/rules/)

 ## Write Custom Rules

-Kingfisher ships with 923 rules with HTTP and service‑specific validation checks (AWS, Azure, GCP, etc.) to confirm if a detected string is a live credential.
+Kingfisher ships with 605 built-in rules with HTTP and service-specific validation checks (AWS, Azure, GCP, etc.) to confirm if a detected string is a live credential.

 However, you may want to add your own custom rules, or modify a detection to better suit your needs / environment.

--- a/docs-site/docs/index.md
+++ b/docs-site/docs/index.md
@ -2,7 +2,7 @@
 title: Kingfisher — Open Source Secret Scanner with Live Validation
 description: >-
  Kingfisher is an open source secret scanner with live validation, blast radius
-  mapping, and credential revocation. 921 detection rules. Built in Rust by MongoDB.
+  mapping, and credential revocation. 934 detection rules. Built in Rust by MongoDB.
 template: home.html
 hide:
  - navigation
--- a/docs-site/docs/reference/library.md
+++ b/docs-site/docs/reference/library.md
@ -268,7 +268,7 @@ flowchart TD

 ### Loading Builtin Rules

-Kingfisher currently ships with 921 built-in rules for common secret types:
+Kingfisher currently ships with 934 built-in rules for common secret types:

 ```rust
 use kingfisher_rules::{get_builtin_rules, Confidence};
--- a/docs-site/docs/rules/builtin-rules.md
+++ b/docs-site/docs/rules/builtin-rules.md
@ -1,11 +1,13 @@
 ---
 title: "Built-in Rules List"
-description: "Complete list of all 923 built-in secret detection rules in Kingfisher. Searchable and filterable by provider, confidence level, and validation support."
+description: "Complete list of all 934 built-in secret detection rules in Kingfisher. Searchable and filterable by provider, confidence level, and validation support."
 ---

 # Built-in Rules

-Kingfisher ships with **923 detection rules** across **579 providers**
+Kingfisher ships with **934 detection rules** across **579 providers**
+(813 detectors + 121 dependent rules).
+Of these, **605** include live validation and **53** support direct revocation.

 !!! tip "Search"
    Use the search box below to filter rules by provider name, rule ID, or confidence level.
@ -162,6 +164,22 @@ Kingfisher ships with **923 detection rules** across **579 providers**
 <td></td>
 </tr>
 <tr>
+<td>Aikido</td>
+<td>Aikido Client ID</td>
+<td><code>kingfisher.aikido.2</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
+<td>Aikido</td>
+<td>Aikido Client Secret</td>
+<td><code>kingfisher.aikido.3</code></td>
+<td>Medium</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
 <td>Airbrake</td>
 <td>Airbrake User Key</td>
 <td><code>kingfisher.airbrake.1</code></td>
@ -1182,6 +1200,14 @@ Kingfisher ships with **923 detection rules** across **579 providers**
 <td>Canva Connect API Client Secret</td>
 <td><code>kingfisher.canva.1</code></td>
 <td>Medium</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
+<td>Canva</td>
+<td>Canva Connect API Client ID</td>
+<td><code>kingfisher.canva.2</code></td>
+<td>Medium</td>
 <td></td>
 <td></td>
 </tr>
@ -1435,7 +1461,7 @@ Kingfisher ships with **923 detection rules** across **579 providers**
 </tr>
 <tr>
 <td>Cockroachlabs</td>
-<td>CockroachDB Cloud API Key</td>
+<td>CockroachDB Cloud Service Account API Key</td>
 <td><code>kingfisher.cockroachlabs.1</code></td>
 <td>Medium</td>
 <td>Yes</td>
@ -1522,6 +1548,14 @@ Kingfisher ships with **923 detection rules** across **579 providers**
 <td></td>
 </tr>
 <tr>
+<td>Composio</td>
+<td>Composio Consumer API Key</td>
+<td><code>kingfisher.composio.2</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
 <td>Configcat</td>
 <td>ConfigCat SDK Key</td>
 <td><code>kingfisher.configcat.1</code></td>
@ -1602,6 +1636,14 @@ Kingfisher ships with **923 detection rules** across **579 providers**
 <td></td>
 </tr>
 <tr>
+<td>Convex</td>
+<td>Convex Management Access Token</td>
+<td><code>kingfisher.convex.2</code></td>
+<td>Medium</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
 <td>Couchbase</td>
 <td>Couchbase Capella API Key</td>
 <td><code>kingfisher.couchbase.1</code></td>
@ -2173,7 +2215,7 @@ Kingfisher ships with **923 detection rules** across **579 providers**
 <td>Duo</td>
 <td>Duo Security Integration Key</td>
 <td><code>kingfisher.duo.1</code></td>
-<td>Low</td>
+<td>Medium</td>
 <td></td>
 <td></td>
 </tr>
@ -4322,6 +4364,22 @@ Kingfisher ships with **923 detection rules** across **579 providers**
 <td></td>
 </tr>
 <tr>
+<td>Miro</td>
+<td>Miro Client Secret</td>
+<td><code>kingfisher.miro.2</code></td>
+<td>Medium</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
+<td>Miro</td>
+<td>Miro Client ID</td>
+<td><code>kingfisher.miro.3</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
 <td>Mistral</td>
 <td>Mistral AI API Key</td>
 <td><code>kingfisher.mistral.1</code></td>
@ -4338,6 +4396,30 @@ Kingfisher ships with **923 detection rules** across **579 providers**
 <td></td>
 </tr>
 <tr>
+<td>Mixpanel</td>
+<td>Mixpanel Service Account Secret</td>
+<td><code>kingfisher.mixpanel.2</code></td>
+<td>Medium</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
+<td>Mixpanel</td>
+<td>Mixpanel API Key or Secret</td>
+<td><code>kingfisher.mixpanel.3</code></td>
+<td>Medium</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
+<td>Mixpanel</td>
+<td>Mixpanel Service Account Username</td>
+<td><code>kingfisher.mixpanel.4</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
 <td>Modal</td>
 <td>Modal CLI Token Pair</td>
 <td><code>kingfisher.modal.1</code></td>
@ -5011,7 +5093,7 @@ Kingfisher ships with **923 detection rules** across **579 providers**
 </tr>
 <tr>
 <td>Pinata</td>
-<td>Pinata API Key</td>
+<td>Pinata API Key ID</td>
 <td><code>kingfisher.pinata.1</code></td>
 <td>Medium</td>
 <td></td>
@ -5026,6 +5108,14 @@ Kingfisher ships with **923 detection rules** across **579 providers**
 <td></td>
 </tr>
 <tr>
+<td>Pinata</td>
+<td>Pinata JWT</td>
+<td><code>kingfisher.pinata.3</code></td>
+<td>Medium</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
 <td>Pinecone</td>
 <td>Pinecone API Key</td>
 <td><code>kingfisher.pinecone.1</code></td>
@ -5438,7 +5528,7 @@ Kingfisher ships with **923 detection rules** across **579 providers**
 <td>Ramp Client Secret</td>
 <td><code>kingfisher.ramp.2</code></td>
 <td>Medium</td>
-<td></td>
+<td>Yes</td>
 <td></td>
 </tr>
 <tr>
@ -5645,7 +5735,7 @@ Kingfisher ships with **923 detection rules** across **579 providers**
 <td>Rootly</td>
 <td>Rootly API Key</td>
 <td><code>kingfisher.rootly.1</code></td>
-<td>High</td>
+<td>Medium</td>
 <td>Yes</td>
 <td></td>
 </tr>
@ -6477,7 +6567,7 @@ Kingfisher ships with **923 detection rules** across **579 providers**
 <td>Telnyx</td>
 <td>Telnyx API V2 Key</td>
 <td><code>kingfisher.telnyx.1</code></td>
-<td>High</td>
+<td>Medium</td>
 <td>Yes</td>
 <td></td>
 </tr>
--- a/docs-site/docs/usage/advanced.md
+++ b/docs-site/docs/usage/advanced.md
@ -300,7 +300,7 @@ kingfisher scan ./my-project \

 ## Custom Rules

-Kingfisher currently ships with 921 built-in rules, but you may want to add your own custom rules or modify existing detection to better suit your needs.
+Kingfisher currently ships with 934 built-in rules, but you may want to add your own custom rules or modify existing detection to better suit your needs.

 First, review [RULES.md](../rules/overview.md) to learn how to create custom Kingfisher rules.

--- a/docs-site/overrides/home.html
+++ b/docs-site/overrides/home.html
@ -36,7 +36,7 @@
  <section class="kf-stats">
    <div class="kf-stats__inner md-grid">
      <div class="kf-stats__item">
-        <span class="kf-stats__number">921</span>
+        <span class="kf-stats__number">934</span>
        <span class="kf-stats__label">Detection Rules</span>
      </div>
      <div class="kf-stats__item">
@ -90,7 +90,7 @@
        <div class="kf-feature">
          <h3>Direct Revocation</h3>
          <p>
-            Revoke compromised credentials directly from the CLI for 28 provider families
+            Revoke compromised credentials directly from the CLI for 34 provider families
            including GitHub, GitLab, Slack, AWS, GCP, Heroku, and Cloudflare.
          </p>
        </div>
--- a/docs-site/overrides/main.html
+++ b/docs-site/overrides/main.html
@ -7,7 +7,7 @@
    "@context": "https://schema.org",
    "@type": "SoftwareApplication",
    "name": "Kingfisher",
-    "description": "Open source secret scanner with live validation. 921 detection rules, blast radius mapping, and credential revocation.",
+    "description": "Open source secret scanner with live validation. 934 detection rules, blast radius mapping, and credential revocation.",
    "applicationCategory": "DeveloperApplication",
    "operatingSystem": "Linux, macOS, Windows",
    "license": "https://opensource.org/licenses/Apache-2.0",
--- a/docs/ADVANCED.md
+++ b/docs/ADVANCED.md
@ -297,7 +297,7 @@ kingfisher scan ./my-project \

 ## Custom Rules

-Kingfisher currently ships with 921 built-in rules, but you may want to add your own custom rules or modify existing detection to better suit your needs.
+Kingfisher currently ships with 934 built-in rules, but you may want to add your own custom rules or modify existing detection to better suit your needs.

 First, review [RULES.md](RULES.md) to learn how to create custom Kingfisher rules.

--- a/docs/LIBRARY.md
+++ b/docs/LIBRARY.md
@ -265,7 +265,7 @@ flowchart TD

 ### Loading Builtin Rules

-Kingfisher currently ships with 921 built-in rules for common secret types:
+Kingfisher currently ships with 934 built-in rules for common secret types:

 ```rust
 use kingfisher_rules::{get_builtin_rules, Confidence};