From 2d63146078d8e9bc2c7a2457c1cfa978f47d7bc2 Mon Sep 17 00:00:00 2001 From: Mick Grove Date: Fri, 17 Apr 2026 18:06:17 -0700 Subject: [PATCH] performance improvements and rule improvements --- README.md | 12 +-- docs-site/docs/index.md | 2 +- docs-site/docs/reference/library.md | 2 +- docs-site/docs/rules/builtin-rules.md | 106 ++++++++++++++++++++++++-- docs-site/docs/usage/advanced.md | 2 +- docs-site/overrides/home.html | 4 +- docs-site/overrides/main.html | 2 +- docs/ADVANCED.md | 2 +- docs/LIBRARY.md | 2 +- 9 files changed, 112 insertions(+), 22 deletions(-) diff --git a/README.md b/README.md index 1594801..503dca8 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ License - Detection Rules + Detection Rules
@@ -17,7 +17,7 @@ Kingfisher is an open source secret scanner and **live secret validation** tool built in Rust. -It combines Intel's SIMD-accelerated regex engine (Hyperscan) with language-aware parsing to achieve high accuracy at massive scale, and **ships with 923 built-in rules** to detect, **validate**, and triage leaked API keys, tokens, and credentials before they ever reach production. +It combines Intel's SIMD-accelerated regex engine (Hyperscan) with language-aware parsing to achieve high accuracy at massive scale, and **ships with 934 built-in rules** to detect, **validate**, and triage leaked API keys, tokens, and credentials before they ever reach production. Designed for offensive security engineers and blue-team defenders alike, Kingfisher helps you scan repositories, cloud storage, chat, docs, and CI pipelines to find and verify exposed secrets quickly. @@ -49,9 +49,9 @@ Kingfisher is a high-performance, open source secret detection tool for source c -### Performance, Accuracy, and 923 Rules +### Performance, Accuracy, and 934 Rules - **Performance**: multithreaded, Hyperscan‑powered scanning built for huge codebases -- **Extensible rules**: 923 built-in rules plus YAML-defined custom rules ([docs/RULES.md](/docs/RULES.md)) +- **Extensible rules**: 934 built-in rules plus YAML-defined custom rules ([docs/RULES.md](/docs/RULES.md)) - **Validate & Revoke**: live validation of discovered secrets, plus direct revocation for supported platforms (GitHub, GitLab, Slack, AWS, GCP, and more) ([docs/USAGE.md](/docs/USAGE.md)) - **Revocation support matrix**: current built-in revocation coverage across providers and rule IDs ([docs/REVOCATION_PROVIDERS.md](/docs/REVOCATION_PROVIDERS.md)) - **Blast Radius Mapping**: instantly map leaked keys to their effective cloud identities and exposed resources with `--access-map`. Supports 39 providers (see table below). 
@@ -347,7 +347,7 @@ gh attestation verify kingfisher-linux-x64.tgz --repo mongodb/kingfisher # Detection Rules -Kingfisher ships with [923 built-in rules](crates/kingfisher-rules/data/rules/) covering cloud keys, AI tokens, CI/CD secrets, database credentials, and SaaS API keys. Below is an overview — see the full list in [crates/kingfisher-rules/data/rules/](crates/kingfisher-rules/data/rules/): +Kingfisher ships with [934 built-in rules](crates/kingfisher-rules/data/rules/) covering cloud keys, AI tokens, CI/CD secrets, database credentials, and SaaS API keys. Below is an overview — see the full list in [crates/kingfisher-rules/data/rules/](crates/kingfisher-rules/data/rules/): | Category | What we catch | |----------|---------------| @@ -364,7 +364,7 @@ Kingfisher ships with [923 built-in rules](crates/kingfisher-rules/data/rules/) ## Write Custom Rules -Kingfisher ships with 923 rules with HTTP and service‑specific validation checks (AWS, Azure, GCP, etc.) to confirm if a detected string is a live credential. +Kingfisher ships with 605 built-in rules with HTTP and service-specific validation checks (AWS, Azure, GCP, etc.) to confirm if a detected string is a live credential. However, you may want to add your own custom rules, or modify a detection to better suit your needs / environment. diff --git a/docs-site/docs/index.md b/docs-site/docs/index.md index 39c414d..7582ad1 100644 --- a/docs-site/docs/index.md +++ b/docs-site/docs/index.md @@ -2,7 +2,7 @@ title: Kingfisher — Open Source Secret Scanner with Live Validation description: >- Kingfisher is an open source secret scanner with live validation, blast radius - mapping, and credential revocation. 921 detection rules. Built in Rust by MongoDB. + mapping, and credential revocation. 934 detection rules. Built in Rust by MongoDB. template: home.html hide: - navigation diff --git a/docs-site/docs/reference/library.md b/docs-site/docs/reference/library.md index 5eef2f3..9011327 100644 
--- a/docs-site/docs/reference/library.md +++ b/docs-site/docs/reference/library.md @@ -268,7 +268,7 @@ flowchart TD ### Loading Builtin Rules -Kingfisher currently ships with 921 built-in rules for common secret types: +Kingfisher currently ships with 934 built-in rules for common secret types: ```rust use kingfisher_rules::{get_builtin_rules, Confidence}; diff --git a/docs-site/docs/rules/builtin-rules.md b/docs-site/docs/rules/builtin-rules.md index ec4497c..841fc2a 100644 --- a/docs-site/docs/rules/builtin-rules.md +++ b/docs-site/docs/rules/builtin-rules.md @@ -1,11 +1,13 @@ --- title: "Built-in Rules List" -description: "Complete list of all 923 built-in secret detection rules in Kingfisher. Searchable and filterable by provider, confidence level, and validation support." +description: "Complete list of all 934 built-in secret detection rules in Kingfisher. Searchable and filterable by provider, confidence level, and validation support." --- # Built-in Rules -Kingfisher ships with **923 detection rules** across **579 providers** +Kingfisher ships with **934 detection rules** across **579 providers** +(813 detectors + 121 dependent rules). +Of these, **605** include live validation and **53** support direct revocation. !!! tip "Search" Use the search box below to filter rules by provider name, rule ID, or confidence level. @@ -162,6 +164,22 @@ Kingfisher ships with **923 detection rules** across **579 providers** +Aikido +Aikido Client ID +kingfisher.aikido.2 +Medium + + + + +Aikido +Aikido Client Secret +kingfisher.aikido.3 +Medium +Yes + + + Airbrake Airbrake User Key kingfisher.airbrake.1 @@ -1182,6 +1200,14 @@ Kingfisher ships with **923 detection rules** across **579 providers** Canva Connect API Client Secret kingfisher.canva.1 Medium +Yes + + + +Canva +Canva Connect API Client ID +kingfisher.canva.2 +Medium 
@@ -1435,7 +1461,7 @@ Kingfisher ships with **923 detection rules** across **579 providers** Cockroachlabs -CockroachDB Cloud API Key +CockroachDB Cloud Service Account API Key kingfisher.cockroachlabs.1 Medium Yes @@ -1522,6 +1548,14 @@ Kingfisher ships with **923 detection rules** across **579 providers** +Composio +Composio Consumer API Key +kingfisher.composio.2 +Medium + + + + Configcat ConfigCat SDK Key kingfisher.configcat.1 @@ -1602,6 +1636,14 @@ Kingfisher ships with **923 detection rules** across **579 providers** +Convex +Convex Management Access Token +kingfisher.convex.2 +Medium +Yes + + + Couchbase Couchbase Capella API Key kingfisher.couchbase.1 @@ -2173,7 +2215,7 @@ Kingfisher ships with **923 detection rules** across **579 providers** Duo Duo Security Integration Key kingfisher.duo.1 -Low +Medium @@ -4322,6 +4364,22 @@ Kingfisher ships with **923 detection rules** across **579 providers** +Miro +Miro Client Secret +kingfisher.miro.2 +Medium +Yes + + + +Miro +Miro Client ID +kingfisher.miro.3 +Medium + + + + Mistral Mistral AI API Key kingfisher.mistral.1 @@ -4338,6 +4396,30 @@ Kingfisher ships with **923 detection rules** across **579 providers** +Mixpanel +Mixpanel Service Account Secret +kingfisher.mixpanel.2 +Medium +Yes + + + +Mixpanel +Mixpanel API Key or Secret +kingfisher.mixpanel.3 +Medium +Yes + + + +Mixpanel +Mixpanel Service Account Username +kingfisher.mixpanel.4 +Medium + + + + Modal Modal CLI Token Pair kingfisher.modal.1 @@ -5011,7 +5093,7 @@ Kingfisher ships with **923 detection rules** across **579 providers** Pinata -Pinata API Key +Pinata API Key ID kingfisher.pinata.1 Medium @@ -5026,6 +5108,14 @@ Kingfisher ships with **923 detection rules** across **579 providers** +Pinata +Pinata JWT +kingfisher.pinata.3 +Medium +Yes + + + Pinecone Pinecone API Key kingfisher.pinecone.1 @@ -5438,7 +5528,7 @@ Kingfisher ships with **923 detection rules** across **579 providers** Ramp Client Secret kingfisher.ramp.2 Medium - +Yes 
@@ -5645,7 +5735,7 @@ Kingfisher ships with **923 detection rules** across **579 providers** Rootly Rootly API Key kingfisher.rootly.1 -High +Medium Yes @@ -6477,7 +6567,7 @@ Kingfisher ships with **923 detection rules** across **579 providers** Telnyx Telnyx API V2 Key kingfisher.telnyx.1 -High +Medium Yes diff --git a/docs-site/docs/usage/advanced.md b/docs-site/docs/usage/advanced.md index 84c6d21..c8bb49d 100644 --- a/docs-site/docs/usage/advanced.md +++ b/docs-site/docs/usage/advanced.md @@ -300,7 +300,7 @@ kingfisher scan ./my-project \ ## Custom Rules -Kingfisher currently ships with 921 built-in rules, but you may want to add your own custom rules or modify existing detection to better suit your needs. +Kingfisher currently ships with 934 built-in rules, but you may want to add your own custom rules or modify existing detection to better suit your needs. First, review [RULES.md](../rules/overview.md) to learn how to create custom Kingfisher rules. diff --git a/docs-site/overrides/home.html b/docs-site/overrides/home.html index b2e5fcb..39f7cb5 100644 --- a/docs-site/overrides/home.html +++ b/docs-site/overrides/home.html @@ -36,7 +36,7 @@
- 921 + 934 Detection Rules
@@ -90,7 +90,7 @@

Direct Revocation

- Revoke compromised credentials directly from the CLI for 28 provider families + Revoke compromised credentials directly from the CLI for 34 provider families including GitHub, GitLab, Slack, AWS, GCP, Heroku, and Cloudflare.

diff --git a/docs-site/overrides/main.html b/docs-site/overrides/main.html index 8075164..e46e75e 100644 --- a/docs-site/overrides/main.html +++ b/docs-site/overrides/main.html @@ -7,7 +7,7 @@ "@context": "https://schema.org", "@type": "SoftwareApplication", "name": "Kingfisher", - "description": "Open source secret scanner with live validation. 921 detection rules, blast radius mapping, and credential revocation.", + "description": "Open source secret scanner with live validation. 934 detection rules, blast radius mapping, and credential revocation.", "applicationCategory": "DeveloperApplication", "operatingSystem": "Linux, macOS, Windows", "license": "https://opensource.org/licenses/Apache-2.0", diff --git a/docs/ADVANCED.md b/docs/ADVANCED.md index 001c8a4..233be3e 100644 --- a/docs/ADVANCED.md +++ b/docs/ADVANCED.md @@ -297,7 +297,7 @@ kingfisher scan ./my-project \ ## Custom Rules -Kingfisher currently ships with 921 built-in rules, but you may want to add your own custom rules or modify existing detection to better suit your needs. +Kingfisher currently ships with 934 built-in rules, but you may want to add your own custom rules or modify existing detection to better suit your needs. First, review [RULES.md](RULES.md) to learn how to create custom Kingfisher rules. diff --git a/docs/LIBRARY.md b/docs/LIBRARY.md index 2de14e2..d13d7dd 100644 --- a/docs/LIBRARY.md +++ b/docs/LIBRARY.md @@ -265,7 +265,7 @@ flowchart TD ### Loading Builtin Rules -Kingfisher currently ships with 921 built-in rules for common secret types: +Kingfisher currently ships with 934 built-in rules for common secret types: ```rust use kingfisher_rules::{get_builtin_rules, Confidence};
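Review bot: In the README.md hunk at @@ -364,7 +364,7 (Write Custom Rules), the new sentence "Kingfisher ships with 605 built-in rules with HTTP and service-specific validation checks" reads as a total of 605 rules, which conflicts with the 934 stated elsewhere in the same file. builtin-rules.md in this patch phrases it as "Of these, **605** include live validation"; use the same form here, for example "Of the 934 built-in rules, 605 include HTTP and service-specific validation checks".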
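Review bot: The docs-site/docs/rules/builtin-rules.md header hunk (@@ -1,11 +1,13) introduces "813 detectors + 121 dependent rules" without saying what a dependent rule is. A reader cannot tell from this page which rows are detectors and which are dependent rules; add one sentence defining the term, or link to the rules overview.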
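Review bot: The builtin-rules.md table hunks change the confidence of kingfisher.duo.1 (Low to Medium) and of kingfisher.rootly.1 and kingfisher.telnyx.1 (both High to Medium), but the diffstat lists only documentation files, so the rule definitions behind these changes cannot be reviewed here. The same applies to the subject line's "performance improvements" and to the new "Yes" entries for kingfisher.canva.1 and kingfisher.ramp.2. Anyone filtering findings by confidence level will see different results for Rootly and Telnyx keys after this change; include the rule changes in this commit or reference the commit that carries them, and call out the confidence changes in the release notes.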
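Review bot: In docs-site/overrides/home.html (@@ -90,7 +90,7) the revocation claim moves from 28 to 34 provider families, while builtin-rules.md in this patch counts 53 rules that support direct revocation, and the README points to docs/REVOCATION_PROVIDERS.md as the support matrix, which is not in the diffstat. Confirm that 34 matches that matrix, or update the matrix in the same change so the figures can be checked against each other.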
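Review bot: The rule count is hard-coded in every file this patch touches, and the removed lines show it had already drifted: 923 in README.md and builtin-rules.md, 921 in index.md, library.md, advanced.md, home.html, main.html, ADVANCED.md and LIBRARY.md. Consider generating the number from crates/kingfisher-rules/data/rules/ at docs build time, or adding a CI check that fails when the files disagree, so the next rule addition does not need nine manual edits.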