From 45e3933dfab30f5917f4a824b78c5ec0980d13fa Mon Sep 17 00:00:00 2001
From: Mick Grove
Date: Tue, 14 Apr 2026 13:46:08 -0700
Subject: [PATCH] added more rules + validators
---
 CHANGELOG.md | 2 +-
 crates/kingfisher-rules/data/rules/gamma.yml | 37 ++++++++++++++++++
 crates/kingfisher-rules/data/rules/hex.yml | 40 ++++++++++++++++++++
 3 files changed, 78 insertions(+), 1 deletion(-)
 create mode 100644 crates/kingfisher-rules/data/rules/gamma.yml
 create mode 100644 crates/kingfisher-rules/data/rules/hex.yml
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1032b19..24e27b2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,7 @@ All notable changes to this project will be documented in this file.
 ## [v1.96.0]
 - Added live HTTP validation for 18 rules across 15 providers: Val Town, Polar, hCaptcha, Thunderstore, Elastic Cloud (2 rules), LlamaCloud, Gemfury (2 rules), Vonage, ThingsBoard, Zapier, Facebook Access Token, GitLab Session Cookie, PostHog Feature Flags, Unkey API Key, and Hop.io (2 rules).
 - Added revocation support for 7 rules across 6 providers: Discord webhooks (single-step DELETE), DigitalOcean PATs (self-revoke via OAuth), and multi-step HttpMultiStep revocation for LaunchDarkly, Resend, Linode, and Netlify (2 rules). Built-in revocation coverage is now 34 provider families with 53 revocation-enabled rules.
-- Added 59 new detection rules across 44 providers: Axiom (API token + PAT), Trigger.dev (secret key + PAT), Dub.co, Svix webhook signing secret, Liveblocks, Inngest (signing key + event key), Seam, Courier, Cal.com, Arcjet, WarpStream, Mem0, Mintlify, Pirsch, Tinybird, Tolgee (project key + PAT), Ory (API key + session + OAuth2 tokens), Xendit, Xata, Crossmint (server + client keys), DeepL (Free + Pro), Flagsmith, E2B, Infisical, WooCommerce (consumer key + secret), Nightfall AI, Ramp (client ID + secret), Hex.pm (personal + workspace tokens), Convex deploy key, MiniMax, Mappedin (key + secret), Pollinations (secret + publishable), Fal.ai, Aikido, Hack Club, GuardSquare, Browser Use, Composio, Mastra, redirect.pizza, Upstash, and WorkOS. Also added new prefixed-token rules for Netlify (`nfp_`), Cloudflare (`cfut_`), and Supabase (`sb_publishable_`). Added live HTTP validation for 28 of these rules.
+- Added 61 new detection rules across 46 providers: Axiom (API token + PAT), Trigger.dev (secret key + PAT), Dub.co, Svix webhook signing secret, Liveblocks, Inngest (signing key + event key), Seam, Courier, Cal.com, Arcjet, WarpStream, Mem0, Mintlify, Pirsch, Tinybird, Tolgee (project key + PAT), Ory (API key + session + OAuth2 tokens), Xendit, Xata, Crossmint (server + client keys), DeepL (Free + Pro), Flagsmith, E2B, Infisical, WooCommerce (consumer key + secret), Nightfall AI, Ramp (client ID + secret), Hex.pm (personal + workspace tokens), Convex deploy key, MiniMax, Mappedin (key + secret), Pollinations (secret + publishable), Fal.ai, Aikido, Hack Club, GuardSquare, Browser Use, Composio, Gamma, Hex.tech, Mastra, redirect.pizza, Upstash, and WorkOS. Also added new prefixed-token rules for Netlify (`nfp_`), Cloudflare (`cfut_`), and Supabase (`sb_publishable_`). Added live HTTP validation for 30 of these rules.
 - Removed 17 direct dependencies from the root crate by dropping unused deps (`p256`, `ed25519-dalek`, `jsonwebtoken`, `gitlab`, `lazy_static`, `base32`, `pem`, `byteorder`, `reqwest-middleware`, `sha1`, `time`, `ring`, `num_cpus`, `strum_macros`), replacing `once_cell` with `std::sync::{LazyLock, OnceLock}`, and using `std::thread::available_parallelism()` in place of `num_cpus`. Salt generation now uses `rand` instead of `ring`, and all `strum_macros::Display` imports are consolidated under `strum::Display`.
 ## [v1.95.0]
diff --git a/crates/kingfisher-rules/data/rules/gamma.yml b/crates/kingfisher-rules/data/rules/gamma.yml
new file mode 100644
index 0000000..de8948f
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/gamma.yml
@@ -0,0 +1,37 @@
+rules:
+  - name: Gamma API Key
+    id: kingfisher.gamma.1
+    pattern: |
+      (?x)
+      \b
+      (
+        sk-gamma-
+        [A-Za-z0-9_-]{8}
+        (?:[A-Za-z0-9_-]{8}){3,7}
+      )
+      \b
+    confidence: medium
+    min_entropy: 3.5
+    validation:
+      type: Http
+      content:
+        request:
+          method: GET
+          url: https://public-api.gamma.app/v1.0/themes?limit=1
+          headers:
+            X-API-KEY: "{{ TOKEN }}"
+            Accept: application/json
+        response_matcher:
+          - report_response: true
+          - type: StatusMatch
+            status: [200]
+          - type: WordMatch
+            words:
+              - '"data"'
+              - '"hasMore"'
+            match_all_words: true
+    references:
+      - https://developers.gamma.app/readme
+      - https://developers.gamma.app/docs/workspace/list-themes
+    examples:
+      - 'GAMMA_API_KEY="sk-gamma-a1b2c3d4E5f6g7h8I9j0k1l2M3n4o5p6"'
diff --git a/crates/kingfisher-rules/data/rules/hex.yml b/crates/kingfisher-rules/data/rules/hex.yml
new file mode 100644
index 0000000..7d29fd1
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/hex.yml
@@ -0,0 +1,40 @@
+rules:
+  - name: Hex Technologies API Token
+    id: kingfisher.hex.1
+    pattern: |
+      (?xi)
+      \b
+      (
+        hxt[wp]_
+        [a-f0-9]{16}
+        (?:[a-f0-9]{16}){5}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 12
+    confidence: medium
+    min_entropy: 3.5
+    validation:
+      type: Http
+      content:
+        request:
+          method: GET
+          url: https://app.hex.tech/api/v1/projects?limit=1
+          headers:
+            Authorization: "Bearer {{ TOKEN }}"
+            Accept: application/json
+        response_matcher:
+          - report_response: true
+          - type: StatusMatch
+            status: [200]
+          - type: WordMatch
+            words:
+              - '"values"'
+              - '"pagination"'
+            match_all_words: true
+    references:
+      - https://learn.hex.tech/docs/api-integrations/api/overview
+      - https://learn.hex.tech/docs/api-integrations/api/reference
+    examples:
+      - "HEX_API_TOKEN=hxtp_0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
+      - "HEX_WORKSPACE_TOKEN=hxtw_fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210"
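Review bot: The trailing `\b` in the Gamma pattern cannot close a key whose last character is `-`, which the `[A-Za-z0-9_-]` class admits, so such a key at end of line or before whitespace would fail to match entirely; the body also accepts 32–64 characters in steps of 8 while the only example is 32 characters of plain alphanumerics. If Gamma keys are alphanumeric and fixed-length as the example suggests, narrow the body to `[A-Za-z0-9]{32}` and keep the `\b` anchors; otherwise make the last character a word character, e.g. `[A-Za-z0-9_-]{7}[A-Za-z0-9_]` as the final chunk, so the anchor can always bind. A one-line comment inside the `pattern:` block stating the expected key length and alphabet (with the doc page that establishes it) would let the next maintainer check the quantifiers rather than guess.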
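Review bot: In the Hex pattern, `[a-f0-9]{16}(?:[a-f0-9]{16}){5}` is a fixed 96-hex-character body but reads as though a variable-length suffix like the Gamma rule's `{3,7}` were intended; `[a-f0-9]{96}` states the same thing plainly, and if the chunking is deliberate for the matcher a comment in the `pattern:` block should say so. The `i` flag in `(?xi)` also widens the match to `HXTP_`/`HXTW_` prefixes and uppercase hex, which neither example calls for, so drop it unless the referenced docs show mixed-case tokens. Both `hxtw_` and `hxtp_` tokens are validated with the same `GET /api/v1/projects` call; if a workspace token can be issued without project-read permission, a live key would be reported as failing validation rather than confirmed, which is worth a note next to `url:`.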