From 343c08ed00b356f2b6cb6439da2c531fafaa236a Mon Sep 17 00:00:00 2001
From: Mick Grove
Date: Tue, 19 Aug 2025 09:30:26 -0700
Subject: [PATCH] Fixed issue with self-update on Linux
---
 CHANGELOG.md | 4 ++++
 Cargo.toml | 2 +-
 README.md | 33 ++++-----------------------------
 src/update.rs | 11 +++++++++++
 4 files changed, 20 insertions(+), 30 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5973cff..62d9cf8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@ All notable changes to this project will be documented in this file.
+## [1.44.0]
+- Fixed issue with self-update on Linux
+
+
 ## [1.43.0]
 - Added rules for clearbit, kickbox, azure container registry, improved Azure Storage key
 - Grouped JSON and JSONL outputs by rule, restoring `matches` arrays in reports
diff --git a/Cargo.toml b/Cargo.toml
index 1a8eebe..ba14c38 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -10,7 +10,7 @@ publish = false
 [package]
 name = "kingfisher"
-version = "1.43.0"
+version = "1.44.0"
 description = "MongoDB's blazingly fast secret scanning and validation tool"
 edition.workspace = true
 rust-version.workspace = true
diff --git a/README.md b/README.md
index 1785749..7fa2626 100644
--- a/README.md
+++ b/README.md
@@ -158,8 +158,8 @@ Kingfisher ships with hundreds of rules that cover everything from classic cloud |----------|---------------| | **AI / LLM APIs** | OpenAI, Anthropic, Google Gemini, Cohere, Mistral, Stability AI, Replicate, xAI (Grok), and more | **Cloud Providers** | AWS, Azure, GCP, Alibaba Cloud, DigitalOcean, IBM Cloud, Cloudflare, and more -| **Dev & CI/CD** | GitHub/GitLab tokens, CircleCI, TravisCI, TeamCity, Docker Hub, npm & PyPI publish token, and more -| **Messaging & Comms** | Slack, Discord, Microsoft Teams, Twilio, Mailgun/SendGrid/Mailchimp, and more +| **Dev & CI/CD** | GitHub/GitLab tokens, CircleCI, TravisCI, TeamCity, Docker Hub, npm, PyPI, and more +| **Messaging & Comms** | Slack, Discord, Microsoft Teams, Twilio, Mailgun, SendGrid, Mailchimp, and more | **Databases & Data Ops** | MongoDB Atlas, PlanetScale, Postgres DSNs, Grafana Cloud, Datadog, Dynatrace, and more | **Payments & Billing** | Stripe, PayPal, Square, GoCardless, and more | **Security & DevSecOps** | Snyk, Dependency-Track, CodeClimate, Codacy, OpsGenie, PagerDuty, and more @@ -179,7 +179,7 @@ Once you've done that, you can provide your custom rules (defined in a YAML file ## Basic Examples -> **Note**  `kingfisher scan` detects whether the input is a Git repository or a plain directory—no extra flags required. +> **Note**  `kingfisher scan` detects whether the input is a Git repository or a plain directory, no extra flags required. ### Scan with secret validation 
@@ -614,36 +614,11 @@ Use `--rule-stats` to collect timing information for every rule. After scanning, kingfisher scan --help ``` -## Business Value - -By integrating Kingfisher into your development lifecycle, you can: - -- **Prevent Costly Breaches** - Early detection of embedded credentials avoids expensive incident response, legal fees, and reputation damage -- **Automate Compliance** - Enforce secret‑scanning policies across GitOps, CI/CD, and pull requests to help satisfy SOC 2, PCI‑DSS, GDPR, and other standards -- **Reduce Noise, Focus on Real Threats** - Validation logic filters out false positives and highlights only active, valid secrets (`--only-valid`) -- **Accelerate Dev Workflows** - Run in parallel across dozens of languages, integrate with GitHub Actions or any pipeline, and shift security left to minimize delays - -## The Risk of Leaked Secrets - -Real breaches show how one exposed key can snowball into a full-scale incident: - -- **Uber (2016):** GitHub-hosted AWS key let attackers access data on 57 M riders and 600 k drivers. [[BBC](https://www.bbc.com/news/technology-42075306)] [[Ars](https://arstechnica.com/tech-policy/2017/11/report-uber-paid-hackers-100000-to-keep-2016-data-breach-quiet/)] -- **AWS engineer (2020):** Pushed log files with root credentials to GitHub. [[Register](https://www.theregister.com/2020/01/23/aws_engineer_credentials_github/)] [[UpGuard](https://www.upguard.com/breaches/identity-and-access-misstep-how-an-amazon-engineer-exposed-credentials-and-more)] -- **Infosys (2023):** Full-admin AWS key left in a public PyPI package for a year. [[Stack](https://www.thestack.technology/infosys-leak-aws-key-exposed-on-pypi/)] [[Blog](https://tomforb.es/blog/infosys-leak/)] -- **Microsoft (2023):** Azure SAS token in an AI repo exposed 38 TB of internal data. 
[[Wiz](https://www.wiz.io/blog/38-terabytes-of-private-data-accidentally-exposed-by-microsoft-ai-researchers)] [[TechCrunch](https://techcrunch.com/2023/09/18/microsoft-ai-researchers-accidentally-exposed-terabytes-of-internal-sensitive-data/)]
-- **GitHub (2023):** RSA SSH host key briefly went public; company rotated it. [[GitHub](https://github.blog/news-insights/company-news/we-updated-our-rsa-ssh-host-key/)]
-
-Leaked secrets fuel unauthorized access, lateral movement, regulatory fines, and brand-damaging incident-response costs.
-
 # Roadmap
 - More rules
 - More targets
-- Please file a [feature request](https://github.com/mongodb/kingfisher/issues) if you have specific features you'd like added
+- Please file a [feature request](https://github.com/mongodb/kingfisher/issues), or open a PR, if you have features you'd like added
 # License
diff --git a/src/update.rs b/src/update.rs
index a1dbe60..ea3e221 100644
--- a/src/update.rs
+++ b/src/update.rs
@@ -95,6 +95,17 @@ pub fn check_for_update(global_args: &GlobalArgs, base_url: Option<&str>) -> Opt
 #[cfg(all(target_os = "windows", target_arch = "x86_64"))]
 builder.target("windows-x64");
+ // ──────────────────────────────────────────────────────
+ // Disambiguate archive format to avoid picking .deb packages.
+ // Linux and macOS releases use `.tgz`; Windows uses `.zip`.
+ // ──────────────────────────────────────────────────────
+ #[cfg(target_os = "windows")]
+ builder.identifier("zip");
+
+ // Linux releases also ship as .deb and .rpm packages; select the .tgz asset for self‑updates
+ #[cfg(not(target_os = "windows"))]
+ builder.identifier("tgz");
+
 // Build the updater.
 let Ok(updater) = builder.build() else {
 warn!("Failed to configure update checker");
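Review bot: `builder.identifier("tgz")` and `builder.identifier("zip")` appear to select the release asset by a name substring, which rules out `.deb`/`.rpm` but would still match any other asset whose name contains that substring, for example checksum or signature sidecar files such as `*.tgz.sha256` if the release publishes them, in which case the updater could pick the sidecar instead of the archive; matching the full `.tgz`/`.zip` suffix of the asset name, or asserting the extension of the selected asset before it is extracted, would make the selection exact. I cannot see from this hunk whether the downloaded archive is checksum- or signature-verified before it is installed; that check lives elsewhere in `check_for_update` or the builder and is worth confirming, since the asset chosen here becomes the new binary. The two comment blocks say the same thing twice (the banner already states that Linux and macOS use `.tgz`), so the second could be folded into it, e.g. `// Linux also publishes .deb/.rpm; Linux and macOS self-update from the .tgz asset.` `check_for_update` begins and ends outside the hunk.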