Fixed some rules. Added rules for mandrill, mapbox, microsoft teams, stripe

Mick Grove 2025-06-25 15:12:42 -07:00
commit 3fcb1c75d6
11 changed files with 270 additions and 10 deletions


@ -13,7 +13,7 @@ rules:
min_entropy: 3
confidence: medium
examples:
- azure devops pat = FBdFol081crwkIHWJH2yiqDDyrFjVSi7HWl22hN2hTYfsB8NlGDpJQQJ77BAACAAAAAAAAAAAAASAZDOBucT
- azure devops pat = FBdFol081crwkIHWJH2yiqDDyrFjVSi7HWl22hN2hTYfsB8NlGDpJQQJ77BAACAAAAAAAAAAAAASAZDOBucTj
references:
- https://learn.microsoft.com/en-us/rest/api/azure/devops/profile/profiles/get?view=azure-devops-rest-7.1&tabs=HTTP
- https://learn.microsoft.com/en-us/azure/devops/release-notes/2024/general/sprint-241-update


@ -10,9 +10,8 @@ rules:
(?:.|[\n\r]){0,16}?
\b
(
[A-Z0-9]{16}
(?:\.[A-Z0-9]{7}){2}
\.[A-Z0-9]{8}
[A-Z0-9]{20}
\.[A-Z0-9]{20}
)
\b
min_entropy: 3.3


@ -12,7 +12,6 @@ rules:
confidence: medium
examples:
- fio-u-TaWoPIBovaGCbBkUtGPKWS0D3cu254VA33IFCCrtwl8J2Dtq2pMJ9MvNHmNoL2XX
- ffio-u-TaWoPIBovaGCbBkUtGPKWS0D3cu254VA33IFCCrtwl8J2Dtq2pMJ9MvNHmNoL2XX
references:
- https://developer.frame.io/api/reference/operation/getMe/
validation:


@ -2,9 +2,9 @@ rules:
- name: Intercom API Token
id: kingfisher.intercom.1
pattern: |
(?xi)
(?:^|[\s"'=])
(?xi)
(?:intercom(?:_access)?|ic)
(?:.|[\n\r]){0,16}?
(?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)
(?:.|[\n\r]){0,16}?
(
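Review bot: The bare `ic` alternative in `(?:intercom(?:_access)?|ic)` has no boundary in front of it, so under `(?xi)` it matches inside any word containing "ic" (`public`, `basic`, `service`) that is followed within 16 characters by KEY, TOKEN or one of the other qualifiers. Judging by the duplicated `(?xi)` lines, this keyword line appears to replace the `(?:^|[\s"'=])` prefix, which was the only left anchor the pattern had. I would keep an anchor, for example `\b(?:intercom(?:_access)?|ic)`, or drop the two-letter alternative. The pattern continues past the end of this hunk, so the capture group and the examples cannot be checked from here.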


@ -29,7 +29,7 @@ rules:
{
"query": "query { issues(first: 1) { nodes { id } } }"
}
url: https://api.linear.app/graphql
url: https://api.linear.app/graphql
response_matcher:
- report_response: true
- type: StatusMatch

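--- a/data/rules/mandrill.yml
+++ b/data/rules/mandrill.yml
@@ -0,0 +1,38 @@
+rules:
+- name: Mandrill API Key
+id: kingfisher.mandrill.1
+pattern: |
+(?x)
+(?i)
+\b
+mandrill
+(?:.|[\n\r]){0,32}?
+(?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)
+(?:.|[\n\r]){0,32}?
+\b
+(
+(?:[0-9A-Za-z_-]{11}){2}
+)
+min_entropy: 3.5
+confidence: medium
+examples:
+- mandrill_token = taqnVL1P5AJrM4oU4opSqQ
+categories:
+- api
+- identifier
+validation:
+type: Http
+content:
+request:
+method: POST
+headers:
+Content-Type: application/json
+body: |
+{ "key": "{{ TOKEN }}" }
+url: https://mandrillapp.com/api/1.0/users/ping.json
+response_matcher:
+- report_response: true
+- type: StatusMatch
+status: [200]
+- type: WordMatch
+words: ['"PONG!"']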
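Review bot: The capture group `(?:[0-9A-Za-z_-]{11}){2}` has no right-hand terminator, so the rule reports the first 22 characters of any longer run of those characters that follows a mandrill keyword. The validator then posts that fragment to `users/ping.json`, which produces a noisy finding and an unnecessary outbound request. Add a terminator after the group in the style the Mapbox rules in this commit use, for example `(?:[^0-9A-Za-z_-]|$)`. The `\b` in front of the group also cannot hold when the key begins with `-`, since `-` is not a word character; if keys can start that way, that anchor needs the same treatment.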

74
data/rules/mapbox.yml Normal file

@ -0,0 +1,74 @@
rules:
- name: Mapbox Public Access Token
id: kingfisher.mapbox.1
pattern: '(?i)(?s)mapbox.{0,30}(pk\.[a-z0-9\-+/=]{32,128}\.[a-z0-9\-+/=]{20,30})(?:[^a-z0-9\-+/=]|$)'
min_entropy: 3.3
confidence: medium
examples:
- |
mapboxApiKey:
'pk.eyJ1Ijoia3Jpc3R3IiwiYSI6ImNqbGg1N242NTFlczczdnBcf99iMjgzZ2sifQ.lUneM-o3NucXN189EYyXxQ'
references:
- https://docs.mapbox.com/api/accounts/tokens/#token-format
- https://docs.mapbox.com/help/getting-started/access-tokens/
- https://docs.mapbox.com/help/troubleshooting/how-to-use-mapbox-securely
validation:
type: Http
content:
request:
method: GET
# smallest public-data endpoint: returns JSON style definition
url: https://api.mapbox.com/styles/v1/mapbox/streets-v11?access_token={{ TOKEN }}
response_matcher:
- report_response: true
- type: StatusMatch
status: [200]
- type: JsonValid
- name: Mapbox Secret Access Token
id: kingfisher.mapbox.2
pattern: '(?i)(?s)mapbox.{0,30}(sk\.[a-z0-9\-+/=]{32,128}\.[a-z0-9\-+/=]{20,30})(?:[^a-z0-9\-+/=]|$)'
min_entropy: 3.3
confidence: medium
examples:
- " //mapboxgl.accessToken = 'sk.eyJ1Ijoic2hlbmdsaWgiLCJhIjCf99ttaWF5bDBsMGNlaDJubGZyMGUwZXNmaCJ9.eI8KXNm5zKZXOKh0c8u9vg';"
- 'export MAPBOX_SECRET_TOKEN=sk.eyJ1IjoiY2FwcGVsYWVyZSIsImEicf99c1BaTkZnIn0.P4lD1eHeSEx7AsBq1zbJ4g'
references:
- https://docs.mapbox.com/api/accounts/tokens/#token-format
- https://docs.mapbox.com/help/getting-started/access-tokens/
- https://docs.mapbox.com/help/troubleshooting/how-to-use-mapbox-securely
validation:
type: Http
content:
request:
method: GET
url: https://api.mapbox.com/styles/v1/mapbox/streets-v11?access_token={{ TOKEN }}
response_matcher:
- report_response: true
- type: StatusMatch
status: [200]
- type: JsonValid
- name: Mapbox Temporary Access Token
id: kingfisher.mapbox.3
pattern: '(?i)(?s)mapbox.{0,30}(tk\.[a-z0-9\-+/=]{32,128}\.[a-z0-9\-+/=]{20,30})(?:[^a-z0-9\-+/=]|$)'
min_entropy: 3.3
confidence: medium
examples:
- " //mapboxgl.accessToken = 'tk.eyJ1Ijoic2hlbmdsaWgiLCJhIjCf99ttaWF5bDBsMGNlaDJubGZyMGUwZXNmaCJ9.eI8KXNm5zKZXOKh0c8u9vg';"
- 'export MAPBOX_TEMP_TOKEN=tk.eyJ1IjoiY2FwcGVsYWVyZSIsImEicf99c1BaTkZnIn0.P4lD1eHeSEx7AsBq1zbJ4g'
references:
- https://docs.mapbox.com/api/accounts/tokens/#token-format
- https://docs.mapbox.com/help/getting-started/access-tokens/
- https://docs.mapbox.com/help/troubleshooting/how-to-use-mapbox-securely
validation:
type: Http
content:
request:
method: GET
url: https://api.mapbox.com/styles/v1/mapbox/streets-v11?access_token={{ TOKEN }}
response_matcher:
- report_response: true
- type: StatusMatch
status: [200]
- type: JsonValid
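Review bot: The token character class `[a-z0-9\-+/=]` used in all three patterns accepts `-` but not `_`. If Mapbox tokens are base64url-encoded, as the `-` in the first example's signature suggests, a token containing `_` is either missed or cut short at the underscore, because `_` also satisfies the trailing `(?:[^a-z0-9\-+/=]|$)`. A truncated token would then fail validation and a live credential would be reported as inactive. I would add `_` to the class and the terminator, `[a-z0-9_\-+/=]`, and add an example that contains one. Separately, kingfisher.mapbox.2 and kingfisher.mapbox.3 validate against the same styles endpoint as the public token; a secret token without read scope for styles would presumably also show as inactive, which is worth confirming.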


@ -0,0 +1,52 @@
rules:
- name: Microsoft Teams Webhook
id: kingfisher.msteams.1
pattern: |
(?xi)
(
https://
outlook\.office\.com/webhook/
[0-9a-f]{8}-
[0-9a-f]{4}-
[0-9a-f]{4}-
[0-9a-f]{4}-
[0-9a-f]{12}
@
[0-9a-f]{8}-
[0-9a-f]{4}-
[0-9a-f]{4}-
[0-9a-f]{4}-
[0-9a-f]{12}
/IncomingWebhook/
[0-9a-f]{32}
/
[0-9a-f]{8}-
[0-9a-f]{4}-
[0-9a-f]{4}-
[0-9a-f]{4}-
[0-9a-f]{12}
)
min_entropy: 3.3
confidence: medium
examples:
- 'https://outlook.office.com/webhook/9da5da9c-4218-4c22-aed6-b5c8baebfff5@2f2b54b7-0141-4ba7-8fcd-ab7d17a60547/IncomingWebhook/1bf66ccbb8e745e791fa6e6de0cf465b/4361420b-8fde-48eb-b62a-0e34fec63f5c'
- 'https://outlook.office.com/webhook/fa4983ab-49ea-4c1b-9297-2658ea56164c@f784fbed-7fc7-4c7a-aae9-d2f387b67c5d/IncomingWebhook/4d2b3a16113d47b080b7a083b5a5e533/74f315eb-1dde-4731-b6b5-2524b77f2acd'
- 'https://outlook.office.com/webhook/555aa7fc-ea71-4fb7-ae9e-755caa4404ed@72f988bf-86f1-41af-91ab-2d7cd011db47/IncomingWebhook/16085df23e564bb9076842605ede3af2/51dab674-ad95-4f0a-8964-8bdefc25b6d9'
- 'https://outlook.office.com/webhook/2f92c502-7feb-4a6c-86f1-477271ae576f@990414fa-d0a3-42f5-b740-21d865a44a28/IncomingWebhook/54e43eb586f14aa9984d5c0bec3d5050/539ce6fa-e9aa-413f-a79b-fb7e8998fcac'
validation:
type: Http
content:
request:
method: POST
url: '{{ TOKEN }}'
headers:
Content-Type: application/json
body: '{"text":""}'
response_matcher:
- report_response: true
- type: StatusMatch
status:
- 400
- type: WordMatch
words:
- 'Text is required'


@ -0,0 +1,38 @@
rules:
- name: Microsoft Teams Webhook
id: kingfisher.microsoftteamswebhook.1
pattern: |
(?x)
https://[a-zA-Z0-9]+\.webhook\.office\.com/webhookb2
/
[a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}
@
[a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}
/
IncomingWebhook
/
[a-zA-Z0-9]{32}
/
[a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}
min_entropy: 3.3
confidence: medium
examples:
- "https://contoso.webhook.office.com/webhookb2/12345678-abcd-1234-efgh-56789abcdef0@12345678-abcd-1234-efgh-56789abcdef0/IncomingWebhook/abcdefgh12345678abcdefgh12345678/12345678-abcd-1234-efgh-56789abcdef0"
validation:
type: Http
content:
request:
body: |
{'text':''}
headers:
Content-Type: application/json
method: POST
response_matcher:
- type: StatusMatch
status:
- 200
- report_response: true
type: WordMatch
words:
- "Text is required"
url: '{{ TOKEN }}'
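Review bot: The validation body `{'text':''}` is not valid JSON (single-quoted key and value) even though the request declares `Content-Type: application/json`. The matcher also expects status 200 together with "Text is required", whereas kingfisher.msteams.1 in this same commit sends `{"text":""}` and expects 400 for the same probe. As written, the check likely cannot succeed against a live webhook, so valid findings would be reported as unverified. Suggest `body: '{"text":""}'` and `status: [400]`, after confirming what the webhookb2 endpoint returns for an empty text. The rule also reuses the name "Microsoft Teams Webhook" from kingfisher.msteams.1, which makes the two hard to tell apart in reports.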

60
data/rules/stripe.yml Normal file

@ -0,0 +1,60 @@
rules:
- name: Stripe Publishable Key
id: kingfisher.stripe.1
pattern: |
(?xi)
(?:stripe|strp)
(?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)
(?:.|[\n\r]){0,32}?
(
pk_live_
(?:[0-9A-Za-z]{6}){4,30}
)
(?=$|[\s"'])
min_entropy: 3.3
confidence: medium
categories: [api, key]
examples:
- stripe_pub_key = pk_live_HQS0j4H75XpthOW87eY1sXa2BYz3Ab
- name: Stripe Secret / Restricted Key
id: kingfisher.stripe.2
pattern: |
(?ix)
(?:^|[\s"'=])
(?:stripe|strp)
(?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)
(?:.|[\n\r]){0,32}?
(
(?:
sk|rk
)_live_
(?:[0-9A-Za-z]{8}){3,25}
)
(?=$|[\s"'])
min_entropy: 3.3
confidence: medium
categories: [api, key]
examples:
- stripe_secret_key = sk_live_f01c79xuuug7yodgzj5ws0h1x2kyvho3
- "strp_sec_key: rk_live_4haG9YwGkL2hXqTj5pSzo8FzB3uCwE7n"
validation:
type: Http
content:
request:
method: GET
headers:
Authorization: Bearer {{ TOKEN }}
Accept: application/json
url: https://api.stripe.com/v1/account
response_matcher:
- report_response: true
- type: StatusMatch
status: [200]
- type: WordMatch
match_all_words: true
words: ['"object":"account"']
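Review bot: As shown here, none of the three examples can match its pattern. Under `(?x)` the line `(?:stripe|strp)` is followed immediately by `(?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)`, so `stripe_pub_key`, `stripe_secret_key` and `strp_sec_key` all fail at the underscore after the keyword. The Mandrill rule in this commit puts a gap between keyword and qualifier; add the same line, `(?:.|[\n\r]){0,32}?`, after `(?:stripe|strp)` in both kingfisher.stripe.1 and kingfisher.stripe.2. The repeated groups `(?:[0-9A-Za-z]{6}){4,30}` and `(?:[0-9A-Za-z]{8}){3,25}` also accept only lengths that are multiples of 6 or 8, so together with the `(?=$|[\s"'])` terminator a key of any other length is missed; a plain length range would be safer. No other rule on this page uses a look-ahead, so it is worth confirming that the matching engine supports `(?=...)`.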


@ -12,8 +12,8 @@ rules:
min_entropy: 3.0
confidence: medium
examples:
- tskey-secret-12345678-abcd
- tskey-api-abcdefg-123456789
- tskey-secret-12345678-abcdefghijkl
- tskey-api-abcdefg-1234567890123
references:
- https://tailscale.com/kb/1215/oauth-clients
validation: