Merge pull request #140 from mongodb/development

v1.62.0
Mick Grove 2025-11-09 10:31:05 -08:00 committed by GitHub
commit 4ce710b544
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
249 changed files with 2905 additions and 668 deletions

View file

@ -119,7 +119,7 @@ jobs:
macos-x64:
name: macOS x64
runs-on: macos-13
runs-on: macos-15-intel
steps:
- uses: actions/checkout@v4

2
.gitignore vendored
View file

@ -11,6 +11,8 @@
custom.py
logs/*
*.patch
*.orig
*.rej
### macOS ###
# General

View file

@ -2,6 +2,18 @@
All notable changes to this project will be documented in this file.
## [v1.62.0]
- Added `pattern_requirements` checks to rules, providing lightweight post-regex character-class validation without lookarounds. See docs/RULES.md for detail
- Added an `ignore_if_contains` option to `pattern_requirements` to drop matches containing case-insensitive placeholder words, with tests covering the new behavior.
- Updated rules to adopt the new `pattern_requirements` support.
- Added checksum comparisons to `pattern_requirements`, new `suffix`, `crc32`, and `base62` Liquid filters, and verbose logging so mismatched checksums are skipped with context rather than reported as findings.
- Split GitHub token detections into fine-grained/fixed-format variants and enforce checksum validation for modern GitHub token families (PAT, OAuth, App, refresh) while preserving legacy coverage.
- Added a rule for Zuplo tokens.
- Added checksum calculation for Confluent, GitHub, and Zuplo tokens, which can drastically reduce false positive reports.
- Improved OpsGenie validation.
- Automatically enable `--no-dedup` when `--manage-baseline` is supplied so baseline management keeps every finding.
- This release is focused on further improving detection accuracy, before even attempting to validate findings.
## [v1.61.0]
- Fixed local filesystem scans to keep `open_path_as_is` enabled when opening Git repositories and only disable it for diff-based scans.
- Created Linux and Windows specific installer script
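Review bot: The v1.62.0 entries never mention the new `--no-ignore-if-contains` scan flag, even though the README hunks in this same commit document it in two places. Add a bullet for it next to the `ignore_if_contains` entry so users who see placeholder findings disappear after upgrading can find the switch that restores them. The closing bullet ("This release is focused on...") reads as a release summary rather than a change and would sit better as a sentence above the list.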

View file

@ -10,7 +10,7 @@ publish = false
[package]
name = "kingfisher"
version = "1.61.0"
version = "1.62.0"
description = "MongoDB's blazingly fast and accurate secret scanning and validation tool"
edition.workspace = true
rust-version.workspace = true
@ -75,9 +75,9 @@ include_dir = { version = "0.7", features = ["glob"] }
strum = { version = "0.26", features = ["derive"] }
sysinfo = "0.31.4"
reqwest = { version = "0.12", default-features = false, features = [
"json",
"gzip",
"brotli",
"json",
"gzip",
"brotli",
"deflate",
"stream",
"rustls-tls",
@ -196,6 +196,7 @@ gcloud-storage = { version = "1.1.1", default-features = false, features = [
"auth",
] }
tokei = "12.1.2"
crc32fast = "1.4.0"
[target.'cfg(not(windows))'.dependencies]
sha1 = { version = "0.10.6", features = ["asm"] }

View file

@ -36,6 +36,7 @@ For a look at how Kingfisher has grown from its early foundations into today's f
- **Broad AI SaaS coverage**: finds and validates tokens for OpenAI, Anthropic, Google Gemini, Cohere, Mistral, Stability AI, Replicate, xAI (Grok), Ollama, Langchain, Perplexity, Weights & Biases, Cerebras, Friendli, Fireworks.ai, NVIDIA NIM, Together.ai, Zhipu, and many more
- **Compressed Files**: Supports extracting and scanning compressed files for secrets
- **Baseline management**: generate and track baselines to suppress known secrets ([docs/BASELINE.md](/docs/BASELINE.md))
- **Checksum-aware detection**: verifies tokens with built-in checksums (e.g., GitHub, Confluent, Zuplo) — no API calls required
**Learn more:** [Introducing Kingfisher: RealTime Secret Detection and Validation](https://www.mongodb.com/blog/post/product-release-announcements/introducing-kingfisher-real-time-secret-detection-validation)
@ -67,6 +68,8 @@ See ([docs/COMPARISON.md](docs/COMPARISON.md))
- [ Run Kingfisher in Docker](#-run-kingfisher-in-docker)
- [🔐 Detection Rules at a Glance](#-detection-rules-at-a-glance)
- [📝 Write Custom Rules!](#-write-custom-rules)
- [Pattern requirements and placeholder filtering](#pattern-requirements-and-placeholder-filtering)
- [🔍 Checksum Intelligence (New!)](#-checksum-intelligence-new)
- [🎉 Usage](#-usage)
- [Basic Examples](#basic-examples)
- [Scan with secret validation](#scan-with-secret-validation)
@ -323,8 +326,45 @@ However, you may want to add your own custom rules, or modify a detection to bet
First, review [docs/RULES.md](/docs/RULES.md) to learn how to create custom Kingfisher rules.
### Pattern requirements and placeholder filtering
Every rule can declare optional `pattern_requirements` to enforce additional character checks after a regex matches. Each field
is independent:
- `min_digits`, `min_uppercase`, `min_lowercase`, and `min_special_chars` enforce complexity thresholds.
- `special_chars` lets you override the set of characters counted as "special" when `min_special_chars` is used.
- `ignore_if_contains` lists case-insensitive substrings that should cause a match to be discarded (for example, to drop
`test`, `demo`, or `localhost` values).
- `checksum` lets you compare an extracted portion of the match against a Liquid-rendered expectation. Provide `actual.template`
and `expected` Liquid snippets (with access to `{{ MATCH }}`, `{{ FULL_MATCH }}`, and any named capture as both its original
case and uppercase alias) and Kingfisher will skip the finding when the rendered values differ. Optional keys such as
`requires_capture` and `skip_if_missing` help you guard against legacy formats while onboarding the checksum-aware variant.
When a match is skipped because of `ignore_if_contains` or a checksum mismatch, Kingfisher logs the event at the `DEBUG` level alongside the rule that was evaluated. If you need to keep those matches for a particular scan, pass `--no-ignore-if-contains` to `kingfisher scan` to disable the substring filter without editing any rule files. Verbose mode (`-v`) will also show you the
checksum mismatch lengths so you can confirm why a finding was suppressed.
Once you've done that, you can provide your custom rules (defined in a YAML file) and provide it to Kingfisher at runtime --- no recompiling required!
### 🔍 Checksum Intelligence (New!)
Modern API tokens increasingly include **built-in checksums**, short internal digests that make each credential self-verifiable. (For background, see [GitHubs write-up on their newer token formats](https://github.blog/engineering/platform-security/behind-githubs-new-authentication-token-formats/) and why checksums slash false positives.)
Kingfisher supports **checksum-aware matching** in rules, enabling **offline structural verification** of credentials *without* calling third-party APIs.
By validating each tokens internal checksum (for tokens that support checksums), Kingfisher eliminates nearly all false positives—automatically skipping structurally invalid or fake tokens before validation ever runs.
**Why this matters**
- ✅ **Offline verification** — no API call required
- 🧠 **Industry-aligned** — compatible with prefix + checksum token designs (e.g., modern PATs)
- ⚡ **Lower false positives** — invalid tokens are filtered out by structure alone
**Learn more**: implementation details and templating are documented in **[docs/RULES.md](docs/RULES.md)**
---
<!-- Optional: add this one-liner to your “Performance, Accuracy, and Hundreds of Rules” bullets -->
- **Checksum-aware detection**: verifies tokens with embedded checksums (offline) to cut false positives — see [docs/RULES.md](docs/RULES.md)
# 🎉 Usage
## Basic Examples
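Review bot: The end of the new "Checksum Intelligence" section still carries an authoring note, `<!-- Optional: add this one-liner to your “Performance, Accuracy, and Hundreds of Rules” bullets -->`, followed by a stray "Checksum-aware detection" bullet that duplicates the one already added to the feature list earlier in this file. Drop both lines. Separately, the new "Pattern requirements" subsection is inserted between "First, review docs/RULES.md" and "Once you've done that, you can provide your custom rules", so the second sentence no longer follows the step it refers to; move the subsection below that sentence.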
@ -1083,6 +1123,8 @@ kingfisher scan /path/to/code \
--baseline-file ./baseline-file.yml
```
`--manage-baseline` automatically enables `--no-dedup` so the baseline captures every individual occurrence.
Use the same YAML file with the `--baseline-file` option on future scans to hide all recorded findings:
```bash
@ -1159,13 +1201,15 @@ leaves the default unchanged.
- `--redact`: Replaces discovered secrets with a one-way hash for secure output
- `--exclude <PATTERN>`: Skip any file or directory whose path matches this glob pattern (repeatable, uses gitignore-style syntax, case sensitive)
- `--baseline-file <FILE>`: Ignore matches listed in a baseline YAML file
- `--manage-baseline`: Create or update the baseline file with current findings
- `--manage-baseline`: Create or update the baseline file with current findings (automatically enables `--no-dedup`)
- `--skip-regex <PATTERN>`: Ignore findings whose text matches this regex (repeatable)
- `--skip-word <WORD>`: Ignore findings containing this case-insensitive word (repeatable)
- `--skip-aws-account <ACCOUNT_ID>`: Skip live AWS validation for findings tied to the specified AWS account number (repeatable, accepts comma-separated lists)
- `--skip-aws-account-file <FILE>`: Load AWS account numbers to skip from a file (one account per line; `#` comments allowed)
- `--ignore-comment <DIRECTIVE>`: Honor additional inline directives from other scanners (repeatable; e.g. `--ignore-comment "gitleaks:allow"`)
- `--no-ignore`: Disable inline directives entirely so every match is reported
- `--no-ignore-if-contains`: Ignore the `ignore_if_contains` filter in rules so placeholder words still produce findings
## Understanding `--confidence`
The `--confidence` flag sets a minimum confidence threshold, not an exact match.

View file

@ -6,11 +6,13 @@ rules:
\b
adobe
(?:.|[\n\r]){0,32}?
\b
\b
(
[A-F0-9]{32}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.5
examples:
- adobeKey = 1a2b3c4d5e6f7890abcdef1234567890
@ -60,7 +62,7 @@ rules:
(
p8e-[A-Z0-9-]{32}
)
(?:[^A-Z0-9-]|$)
(?:[^A-Z0-9-])
min_entropy: 3.5
examples:
- |
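Review bot: Replacing the trailing `(?:[^A-Z0-9-]|$)` with `(?:[^A-Z0-9-])` means a `p8e-` token that is the last thing in the scanned input (no trailing newline or quote) can no longer match, because the pattern now requires one more character after the capture. If the `$` alternative was removed for engine reasons, say so in the rule; otherwise keep it, or add an example that ends exactly at the token to pin the behaviour.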

View file

@ -3,11 +3,14 @@ rules:
id: kingfisher.age.1
pattern: |
(?xi)
\b
(
age1[0-9a-z]{58}
)
\b
pattern_requirements:
min_digits: 2
min_uppercase: 1
min_lowercase: 1
min_entropy: 3.3
confidence: medium
examples:
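Review bot: `min_uppercase: 1` on `age1[0-9a-z]{58}` looks like it will reject every real age recipient, since these keys are bech32-encoded and written entirely in lowercase; the class only admits uppercase because of the `(?xi)` flag. Unless the requirement check is itself case-insensitive, drop `min_uppercase` here and keep `min_digits` and `min_lowercase`, and confirm the rule's examples still pass with the requirements applied.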
@ -21,11 +24,9 @@ rules:
id: kingfisher.age.2
pattern: |
(?xi)
\b
(
AGE-SECRET-KEY-1[0-9A-Z]{58}
)
\b
min_entropy: 3.3
confidence: medium
examples:

View file

@ -19,6 +19,10 @@ rules:
[0-9a-f]{12}
)
\b
pattern_requirements:
min_digits: 2
min_uppercase: 1
min_lowercase: 1
min_entropy: 3.2
confidence: medium
examples:

View file

@ -9,7 +9,11 @@ rules:
(
[A-Z0-9-]{40}
)
\b
\b
pattern_requirements:
min_digits: 2
min_uppercase: 1
min_lowercase: 1
min_entropy: 4.5
confidence: medium
examples:

View file

@ -10,7 +10,11 @@ rules:
\.
[a-z0-9]{62,66}
)
\b
\b
pattern_requirements:
min_digits: 2
min_uppercase: 1
min_lowercase: 1
min_entropy: 3.3
confidence: medium
examples:
@ -37,7 +41,6 @@ rules:
id: kingfisher.airtable.2
pattern: |
(?xi)
\b
(
[A-Z0-9]+\.v1\.[A-Z0-9_-]+\.[a-f0-9]+
)

View file

@ -9,6 +9,11 @@ rules:
(
[a-z0-9/+=]{372}
)
(?:[^A-Za-z0-9/+=])
pattern_requirements:
min_digits: 2
min_uppercase: 1
min_lowercase: 1
min_entropy: 3.3
confidence: medium
examples:

View file

@ -5,11 +5,13 @@ rules:
(?xi)
algolia
(?:.|[\n\r]){0,32}?
\b
(
[a-z0-9]{32}
)
\b
pattern_requirements:
min_digits: 2
min_lowercase: 1
min_entropy: 3.5
confidence: medium
examples:
@ -38,11 +40,12 @@ rules:
(?xi)
algolia
(?:.|[\n\r]){0,16}?
\b
(
[A-Z0-9]{10}
)
\b
\b
pattern_requirements:
min_digits: 2
min_entropy: 2.0
visible: false
confidence: medium

View file

@ -3,11 +3,14 @@ rules:
id: kingfisher.alibabacloud.1
pattern: |
(?xi)
\b
(
LTAI[a-z0-9]{17,21}
)
\b
pattern_requirements:
min_digits: 2
min_uppercase: 1
min_lowercase: 1
min_entropy: 4.0
confidence: medium
visible: false
@ -21,11 +24,9 @@ rules:
\b
alibaba
(?:.|[\n\r]){0,32}?
\b
(
[a-z0-9]{30}
)
\b
min_entropy: 4.2
confidence: medium
examples:

View file

@ -10,15 +10,16 @@ rules:
-
[\w\-]{93}
AA
)
\b
)
\b
pattern_requirements:
min_digits: 2
min_uppercase: 1
min_lowercase: 1
min_entropy: 3.3
confidence: medium
examples:
- sk-ant-api668-Clm512odot9WDD7itfUU9R880nefA1EtYZDbpE-C9b0XQEWpqFKf9DQUo03vOfXl16oSmyar1CLF1SzV3YzpZJ6bahcpLAA
categories:
- api
- secret
references:
- https://docs.anthropic.com/claude/reference/authentication
validation:

View file

@ -18,8 +18,12 @@ rules:
[0-9a-z]{4}
-
[0-9a-z]{12}
)
\b
)
\b
pattern_requirements:
min_digits: 2
min_uppercase: 1
min_lowercase: 1
min_entropy: 3.5
confidence: medium
examples:

View file

@ -3,11 +3,14 @@ rules:
id: kingfisher.apify.1
pattern: |
(?xi)
\b
(
apify_api_[A-Z0-9]{34,38}
)
\b
pattern_requirements:
min_digits: 2
min_uppercase: 1
min_lowercase: 1
confidence: medium
min_entropy: 3.5
validation:

View file

@ -8,6 +8,10 @@ rules:
AKC[A-Z0-9]{64,74}
)
\b
pattern_requirements:
min_digits: 2
min_uppercase: 1
min_lowercase: 1
min_entropy: 3.5
confidence: medium
examples:

View file

@ -10,7 +10,9 @@ rules:
(
[0-9]{16}
)
\b
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.5
confidence: medium
examples:
@ -30,7 +32,11 @@ rules:
(
[a-z0-9]{30,40}
)
\b
\b
pattern_requirements:
min_digits: 2
min_uppercase: 1
min_lowercase: 1
min_entropy: 3.5
confidence: medium
examples:
@ -54,7 +60,9 @@ rules:
[a-z0-9]{32,64}
)?
)
\b
\b
pattern_requirements:
min_digits: 4
min_entropy: 3.5
confidence: medium
examples:

View file

@ -11,6 +11,9 @@ rules:
[0-9a-z]{32}
)
\b
pattern_requirements:
min_digits: 2
min_lowercase: 1
min_entropy: 3.0
confidence: medium
examples:

View file

@ -10,7 +10,10 @@ rules:
(
[a-z0-9]{24}
)
\b
\b
pattern_requirements:
min_digits: 2
min_lowercase: 1
min_entropy: 3.5
confidence: medium
examples:

View file

@ -10,7 +10,10 @@ rules:
(
[a-z0-9_-]{32,60}
)
\b
\b
pattern_requirements:
min_digits: 2
min_lowercase: 1
min_entropy: 3.5
confidence: medium
visible: false

View file

@ -6,6 +6,10 @@ rules:
(
(?:sc|ext|scauth|authress)_[a-z0-9]{5,30}\.[a-z0-9]{4,6}\.acc[_-][a-z0-9-]{10,32}\.[a-z0-9+/_=-]{30,120}
)
\b
pattern_requirements:
min_digits: 2
min_lowercase: 1
confidence: medium
min_entropy: 4.0
validation:

View file

@ -3,12 +3,14 @@ rules:
id: kingfisher.aws.1
pattern: |
(?xi)
\b
\b
(
(?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)
[2-7A-Z]{16}
)
\b
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.2
visible: false
confidence: medium
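Review bot: `min_digits: 2` is risky for this rule because the body is `[2-7A-Z]{16}`, a base32 alphabet where only 6 of 32 symbols are digits, and most of the listed prefixes (`AKIA`, `ASIA`, `AROA`, ...) contain none. Assuming the 16 characters are roughly uniform, about one access key ID in six has fewer than two digits and would be silently dropped; since the rule is `visible: false`, that also removes the ID the secret-key rule needs for validation. Suggest removing the digit requirement here or lowering it to 0 and relying on the prefix.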
@ -37,6 +39,8 @@ rules:
([A-Za-z0-9/+]{40})
\b
)
pattern_requirements:
min_digits: 2
min_entropy: 4.5
confidence: medium
examples:
@ -60,6 +64,8 @@ rules:
- name: AWS Session Token
id: kingfisher.aws.4
pattern: '(?i)(?:aws.?session|aws.?session.?token|aws.?token)["''`]?\s{0,30}(?::|=>|=)\s{0,30}["''`]?([a-z0-9/+=]{16,200})[^a-z0-9/+=]'
pattern_requirements:
min_digits: 2
min_entropy: 3.3
confidence: medium
examples:

View file

@ -90,6 +90,8 @@ rules:
[A-Z0-9+/]{42}\+ACR[A-Z0-9]{6}
)
\b
pattern_requirements:
min_digits: 2
confidence: medium
min_entropy: 4.0
validation:

View file

@ -21,9 +21,11 @@ rules:
(?xi)
\b
(
[a-z0-9]{75,76}AZDO[a-z0-9]{4,5}
[a-z0-9]{76}AZDO[a-z0-9]{4,5}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3
confidence: medium
examples:

View file

@ -14,6 +14,9 @@ rules:
[a-f0-9]{32}
)
\b
pattern_requirements:
min_digits: 2
min_lowercase: 2
min_entropy: 3.5
confidence: medium
examples:

View file

@ -12,6 +12,10 @@ rules:
[0-9A-Z]{52}
)
\b
pattern_requirements:
min_digits: 2
min_uppercase: 1
min_lowercase: 2
min_entropy: 3.3
confidence: medium
examples:

View file

@ -33,13 +33,25 @@ rules:
(?:.|[\n\r]){0,128}?
(?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)
(?:.|[\n\r]){0,128}?
["':\s=}\]\)]
(
[A-Z0-9+\\/-]{86,88}={0,2}
(?:
[A-Z0-9+\-]{86,88}={1,2}
)
|
(?:
[A-Z0-9+\-]{86,88}\b
)
)
pattern_requirements:
min_digits: 2
min_uppercase: 2
min_lowercase: 2
min_entropy: 4.0
confidence: medium
examples:
- Azure AccountKey=Xy9aB8cD7eF6gH5iJ4kL3mN2oP1qR0sT9uV8wX7yZ6aB5cD4eF3gH2iJ1kL0mN9oP8qR7sT6uV5wX4yZ3aB2cD1eF0gH9iJ8kL7mN6oP5q==\
- Azure AccountKey=Xy9aB8cD7eF6gH5iJ4kL3mN2oP1qR0sT9uV8wX7yZ6aB5cD4eF3gH2iJ1kL0mN9oP8qR7sT6uV5wX4yZ3aB2cD1q
- Azure AccountKey=Ky7aC1cD7eF6gH5iJ4kL3mN2oP1qR0sT9uV8wX7yZ6aB5cD4eF3gH2iJ1kL0mN9oP8qR7sT6uV5wX4yZ3aB2cD1g==\
validation:
type: AzureStorage
depends_on_rule:
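Review bot: The rewritten capture uses `[A-Z0-9+\-]{86,88}` where the old class was `[A-Z0-9+\\/-]`, so `/` is no longer accepted. Storage account keys are standard base64 and `/` is part of that alphabet, so any key containing a slash will now fail to match; none of the three examples contains one, which is why the tests would not catch it. Add `/` back to both alternatives and include an example with a slash. The two examples ending in `==\` also carry a trailing backslash that looks unintended.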

View file

@ -10,7 +10,9 @@ rules:
(
[a-z0-9_-]{25}
)
\b
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.3
confidence: medium
references:

View file

@ -13,6 +13,10 @@ rules:
[A-Za-z0-9]{32}
)
\b
pattern_requirements:
min_digits: 2
min_uppercase: 1
min_lowercase: 1
min_entropy: 3.4
confidence: medium
examples:

View file

@ -9,7 +9,12 @@ rules:
\b
(
b_[A-Z0-9=_\\/\\\-+]{44}
)
)
\b
pattern_requirements:
min_digits: 2
min_uppercase: 1
min_lowercase: 1
min_entropy: 3.0
confidence: medium
examples:

View file

@ -8,9 +8,10 @@ rules:
(?:.|[\n\r]){0,16}?
(?:client|id)
(?:.|[\n\r]){0,16}?
\b
([a-z0-9]{30,40})
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.5
confidence: medium
examples:
@ -43,11 +44,14 @@ rules:
(
[a-z0-9+_\-+]{44}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.5
confidence: medium
examples:
- bitbucket_key=HedmnK9h6KD_eh9KK8FlI9ahUc8WfaNZ4gulbrtN2ouV
- bitbucket_secret=kd8j2h4jf9s8mf6l4k9j2h4jf9s8mf6l4k9j2h4jf9s8mf6l
- bitbucket_secret=kd8j2h4jf9s8mf6l4k9j2h4jf9s8mf6l4k9j2h4jf9s8
validation:
type: Http
content:

View file

@ -8,11 +8,13 @@ rules:
(?:.|[\n\r]){0,32}?
(?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)
(?:.|[\n\r]){0,32}?
\b
(
[a-f0-9]{40}
)
\b
pattern_requirements:
min_digits: 2
min_lowercase: 2
confidence: medium
min_entropy: 3.0
validation:

View file

@ -6,6 +6,10 @@ rules:
https://(?:fra1\.|lon1\.|ny3\.|sgp1\.|blr1\.)*blynk\.cloud/external/api/[A-Z0-9/]*\?token=
([A-Z0-9_\-]{32})
&
pattern_requirements:
min_digits: 2
min_uppercase: 1
min_lowercase: 1
min_entropy: 3.3
confidence: medium
examples:
@ -21,6 +25,10 @@ rules:
-H\s*"Authorization:\s*Bearer\s*
([A-Z0-9_\-]{40})
"
pattern_requirements:
min_digits: 2
min_uppercase: 1
min_lowercase: 1
min_entropy: 3.3
confidence: medium
examples:
@ -35,6 +43,10 @@ rules:
-H\s*"Authorization:\s*Bearer\s*
([A-Z0-9_\-]{40})
"[\s\\]*https://(?:fra1\.|lon1\.|ny3\.|sgp1\.|blr1\.)*blynk\.cloud/api
pattern_requirements:
min_digits: 2
min_uppercase: 1
min_lowercase: 1
min_entropy: 3.3
confidence: medium
examples:
@ -50,6 +62,10 @@ rules:
(oa2-client-id_[A-Z0-9_\-]{32})
(?: : | &client_secret= )
([A-Z0-9_\-]{40})
pattern_requirements:
min_digits: 2
min_uppercase: 1
min_lowercase: 1
min_entropy: 3.3
confidence: medium
examples:
@ -66,6 +82,10 @@ rules:
(oa2-client-id_[A-Z0-9_\-]{32})
:([A-Z0-9_\-]{40})
[\s\\]*https://(fra1\.|lon1\.|ny3\.|sgp1\.|blr1\.)*blynk\.cloud/oauth2
pattern_requirements:
min_digits: 2
min_uppercase: 1
min_lowercase: 1
min_entropy: 3.3
confidence: medium
examples:

View file

@ -3,11 +3,13 @@ rules:
id: kingfisher.buildkite.1
pattern: |
(?xi)
\b
(
bkua_[a-z0-9]{40}
)
\b
pattern_requirements:
min_digits: 2
min_lowercase: 1
min_entropy: 3.5
confidence: medium
examples:

View file

@ -3,11 +3,13 @@ rules:
id: kingfisher.cerebras.1
pattern: |
(?xi)
\b
(
csk-[a-z0-9]{48}
)
\b
pattern_requirements:
min_digits: 2
min_lowercase: 2
confidence: medium
min_entropy: 3.0
validation:

View file

@ -20,7 +20,9 @@ rules:
_
[a-z0-9]{40}
)
\b
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.5
confidence: medium
examples:
@ -56,7 +58,10 @@ rules:
(
[a-f0-9]{40}
)
\b
\b
pattern_requirements:
min_digits: 2
min_lowercase: 2
min_entropy: 3.3
confidence: medium
examples:

View file

@ -5,11 +5,12 @@ rules:
(?xi)
meraki
(?:.|[\n\r]){0,32}?
\b
(
[0-9a-f]{40}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.3
confidence: medium
examples:

View file

@ -11,6 +11,8 @@ rules:
[0-9a-f]{32,36}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.0
confidence: medium
examples:

View file

@ -13,6 +13,8 @@ rules:
[0-9a-z_]{35}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.5
confidence: medium
examples:

View file

@ -8,6 +8,8 @@ rules:
4b1d[a-z0-9]{38}
)
\b
pattern_requirements:
min_digits: 2
confidence: medium
min_entropy: 3.5
examples:
@ -43,11 +45,11 @@ rules:
(?:.|[\n\r]){0,16}?
(?:ID|USER)
(?:.|[\n\r]){0,16}?
\b
(
[a-z0-9]{20}
)
\b
pattern_requirements:
min_digits: 2
confidence: medium
visible: false
min_entropy: 3.0

View file

@ -10,9 +10,11 @@ rules:
(?:.|[\n\r]){0,16}?
\b
(
[a-zA-Z0-9_-]{3,}
[a-z0-9_-]{3,}
)
\b
pattern_requirements:
min_digits: 2
confidence: medium
min_entropy: 1.5
visible: false
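Review bot: `min_digits: 2` on the `{3,}` capture will discard any value that does not contain two digits, and with `min_entropy: 1.5` and `visible: false` this looks like a helper capture (an identifier, not a secret) where digits are not guaranteed. Dropping it also removes the value a dependent rule would use. The class change from `[a-zA-Z0-9_-]` to `[a-z0-9_-]` is only equivalent if the pattern is compiled with the `i` flag, which this hunk does not show; please confirm.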
@ -28,6 +30,8 @@ rules:
CLOJARS_[a-z0-9]{60}
)
\b
pattern_requirements:
min_digits: 2
confidence: medium
min_entropy: 4.0
examples:

View file

@ -12,7 +12,11 @@ rules:
(
[a-z0-9_-]{38,42}
)
\b
\b
pattern_requirements:
min_digits: 2
min_uppercase: 1
min_lowercase: 1
min_entropy: 3.5
confidence: medium
examples:
@ -47,8 +51,9 @@ rules:
(
v1\.0-[a-z0-9._-]{160,}
)
["'`]?
\b
\b
pattern_requirements:
min_digits: 2
min_entropy: 4.5
confidence: medium
examples:
@ -58,9 +63,6 @@ rules:
references:
- https://developers.cloudflare.com/api/keys/
- https://developers.cloudflare.com/fundamentals/api/get-started/keys/
categories:
- api
- secret
validation:
type: Http
content:

View file

@ -11,8 +11,10 @@ rules:
\b
(
[a-z0-9]{20,24}
)
\b
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.5
confidence: medium
examples:

View file

@ -12,6 +12,9 @@ rules:
(
[0-9A-Z]{20,24}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.5
confidence: medium
examples:

View file

@ -5,10 +5,13 @@ rules:
(?xi)
(?: CODECLIMATE| CC_TEST_REPORTER_ID)
(?:.|[\n\r]){0,64}?
\b
(
[a-f0-9]{64}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.3
confidence: medium
examples:

View file

@ -8,10 +8,13 @@ rules:
(?:.|[\n\r]){0,32}?
(?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)
(?:.|[\n\r]){0,32}?
\b
(
[A-Z0-9-]{36}
)
\b
pattern_requirements:
min_digits: 2
confidence: medium
min_entropy: 3.5
validation:

View file

@ -6,10 +6,13 @@ rules:
\b
cohere
(?:.|[\n\r]){0,16}?
\b
(
[A-Z0-9]{40}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.5
confidence: medium
examples:

View file

@ -10,9 +10,11 @@ rules:
(?:.|[\n\r]){0,16}?
\b
(
[a-zA-Z-0-9]{32}
[a-z-0-9]{32}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.5
examples:
- coinbase_token = 32iAkQCcHHYxXGx20VogBZoj27PC1ouI
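Review bot: The class was narrowed from `[a-zA-Z-0-9]{32}` to `[a-z-0-9]{32}`, but the example on the last line, `32iAkQCcHHYxXGx20VogBZoj27PC1ouI`, contains uppercase letters, so it only matches if the pattern header (not visible in this hunk) sets the `i` flag. Please confirm the flag is present. While here, the hyphen between the two ranges in `[a-z-0-9]` is easy to misread as part of a range; move it to the end of the class (`[a-z0-9-]`).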

View file

@ -10,6 +10,8 @@ rules:
[A-Z0-9]{16}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3
confidence: medium
visible: false
@ -33,8 +35,45 @@ rules:
min_entropy: 3.3
confidence: medium
examples:
- confluent secret=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890ab
- kafka_token=ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefghijklmnopqrstuvwxyzABCD
- confluent secret=cbadefghijklmnopqrstuvwxyzcbaDEFGHIJKLMNOPQRSTUVWXYZ3214567890ab
- kafka_token=cbaDEFGHIJKLMNOPQRSTUVWXYZ3214567890cbadefghijklmnopqrstuvwxyzAB
references:
- https://docs.confluent.io/cloud/current/api.html#tag/API-Keys-(iamv2)/operation/getIamV2ApiKey
validation:
type: Http
content:
request:
headers:
Authorization: 'Basic {{ CLIENTID | append: ":" | append: TOKEN | b64enc }}'
method: GET
response_matcher:
- report_response: true
- status:
- 200
type: StatusMatch
url: https://api.confluent.cloud/iam/v2/api-keys/{{ CLIENTID }}
depends_on_rule:
- rule_id: "kingfisher.confluent.1"
variable: CLIENTID
- name: Confluent API Secret - Updated Format
id: kingfisher.confluent.3
pattern: |
(?xi)
\b
(
cflt(?P<body>[A-Za-z0-9\+/]{54})(?P<checksum>[A-Za-z0-9\+/]{6})
)
pattern_requirements:
checksum:
actual:
template: "{{ MATCH | suffix: 6 }}"
requires_capture: checksum
expected: "{{ BODY | crc32_le_b64: 6 }}"
skip_if_missing: true
min_entropy: 3.3
confidence: medium
examples:
- confluent secret=cfltqPLd2lLPAtWtHGNhN32WlZxoEj30pcg8mzaPlPJ937JlMa7n9YCRLooqgifw
references:
- https://docs.confluent.io/cloud/current/api.html#tag/API-Keys-(iamv2)/operation/getIamV2ApiKey
validation:
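Review bot: The `expected` template in `kingfisher.confluent.3` calls a `crc32_le_b64` filter, but the changelog for this release only names `suffix`, `crc32`, and `base62` as new Liquid filters. Either document `crc32_le_b64` alongside them or rename to match what is documented, otherwise rule authors have no reference for it. Two smaller points in the same rule: the pattern has a leading `\b` but nothing after the checksum group, so a longer base64 run will match on its first 64 characters and rely on the checksum to reject it; and `skip_if_missing: true` with `requires_capture: checksum` can never trigger because the `checksum` group is mandatory in the regex.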

View file

@ -10,9 +10,12 @@ rules:
(?:.|[\n\r]){0,32}?
\b
(
[a-zA-Z0-9_-]{43,45}
[A-Z0-9_-]{43,45}
)
\b
pattern_requirements:
min_digits: 2
min_special_chars: 1
confidence: medium
min_entropy: 4.0
validation:
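Review bot: `min_special_chars: 1` on `[A-Z0-9_-]{43,45}` means a token made up only of letters and digits is now discarded, which is a valid output of that character class. If Contentful tokens are not guaranteed to contain `_` or `-`, this trades false positives for missed secrets; please add a note on why the requirement is safe, and set `special_chars` explicitly so it is clear that `_` and `-` are the characters being counted.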
@ -42,11 +45,11 @@ rules:
id: kingfisher.contentful.2
pattern: |
(?xi)
\b
(
CFPAT-[A-Z0-9_-]{43}
)
\b
pattern_requirements:
min_digits: 2
confidence: medium
min_entropy: 3.5
validation:

View file

@ -1,7 +1,17 @@
rules:
- name: Coze Personal Access Token
id: kingfisher.coze.1
pattern: '(?i)\b(pat_[a-zA-Z0-9]{64})\b'
pattern: |
(?xi)
coze
(?:.|[\n\r]){0,32}?
\b
(
pat_[A-Z0-9]{64}
)
\b
pattern_requirements:
min_digits: 2
confidence: medium
min_entropy: 5.0
validation:
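Review bot: The new pattern requires the word `coze` within 32 characters before `pat_...`, so a bare Coze token with no nearby keyword is no longer reported; the examples in the next hunk were rewritten to add the keyword for exactly that reason. That is a recall reduction for a rule that has live validation, and it is not called out in the changelog. Please list it there, and consider a leading `\b` on `coze` so it does not anchor inside a longer word.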
@ -26,6 +36,6 @@ rules:
- https://www.coze.com/docs/developer_guides/coze_api_overview
- https://www.coze.com/docs/developer_guides/retrieve_files
examples:
- "pat_DlOG7fNcVfmw8cYhPWNcdfwrjjzwDr9EkV8EBjzHdgRWU2DzqHC1pPe0x590NN5f"
- "pat_93QiTdIvZGuRCFcfGTQJJ1VIYZ9dNHanX88wKoMojwMk3tX5tKqfFtxUp0ux8CjI"
- "pat_WvUTLYq5yZyaqegkyLSxXJMjXAJotjYEuC1sqT8daFlfwM3BiaRVJIZsER42DnhV"
- "key_coze = pat_DlOG7fNcVfmw8cYhPWNcdfwrjjzwDr9EkV8EBjzHdgRWU2DzqHC1pPe0x590NN5f"
- "coze_token = pat_93QiTdIvZGuRCFcfGTQJJ1VIYZ9dNHanX88wKoMojwMk3tX5tKqfFtxUp0ux8CjI"
- "coze-key: pat_WvUTLYq5yZyaqegkyLSxXJMjXAJotjYEuC1sqT8daFlfwM3BiaRVJIZsER42DnhV"

View file

@ -8,6 +8,8 @@ rules:
cio[A-Z0-9]{32}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.3
confidence: medium
examples:

View file

@ -2,12 +2,17 @@ rules:
- name: Databricks API token
id: kingfisher.databricks.1
pattern: |
(?xi)
(?xi)
\b
(
dapi
[a-f0-9]{32}
)
\b
\b
pattern_requirements:
min_digits: 2
min_uppercase: 1
min_lowercase: 1
min_entropy: 3.3
confidence: medium
examples:
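Review bot: `min_uppercase: 1` does not fit `dapi[a-f0-9]{32}`: the prefix is lowercase and the body is hex, so a token written in the usual lowercase form has no uppercase character and would be dropped by the new requirement. Uppercase only matches at all because of the `(?xi)` flag. Suggest keeping `min_digits: 2` and `min_lowercase: 1` and removing `min_uppercase`.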

View file

@ -13,6 +13,8 @@ rules:
[a-z0-9]{32}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.3
confidence: medium
examples:
@ -47,11 +49,13 @@ rules:
(?:.|[\n\r]){0,64}?
(?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)
(?:.|[\n\r]){0,16}?
\b
(
[a-z0-9]{40}
)
\b
pattern_requirements:
min_digits: 2
min_uppercase: 1
min_lowercase: 1
min_entropy: 3.3
confidence: medium
examples:

View file

@ -6,11 +6,13 @@ rules:
\b
deepgram
(?:.|[\n\r]){0,32}?
\b
\b
(
[0-9a-f]{40}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.5
confidence: medium
examples:

View file

@ -6,8 +6,10 @@ rules:
\b
(
sk-[a-f0-9]{32}
)
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.7
confidence: medium
examples:

View file

@ -8,6 +8,8 @@ rules:
odt_[A-Z0-9]{32,255}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.3
confidence: medium
examples:

View file

@ -11,6 +11,8 @@ rules:
[0-9a-z]{32}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.0
examples:
- diffbot_key = a7424adbafc4624e61482d0f60e43016

View file

@ -9,6 +9,8 @@ rules:
[a-f0-9]{64}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.3
confidence: medium
examples:
@ -33,12 +35,10 @@ rules:
id: kingfisher.digitalocean.2
pattern: |
(?x)
\b
(
dor_v1_
[a-f0-9]{64}
)
\b
min_entropy: 3.3
confidence: medium
examples:

View file

@ -10,6 +10,9 @@ rules:
(
[0-9a-z_\-]{68}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.5
confidence: medium
examples:
@ -32,7 +35,6 @@ rules:
id: kingfisher.discord.2
pattern: |
(?xi)
\b
(
[MNO][A-Z0-9_-]{23}\.[A-Z0-9_-]{6}\.[A-Z0-9_-]{27}
)
@ -61,14 +63,11 @@ rules:
id: kingfisher.discord.3
pattern: |
(?xi)
\b
(?:discord|botid|bot_id)
(?:.|[\n\r]){0,64}?
\b
(
\d{17,19}
)
\b
min_entropy: 3.5
visible: false
confidence: medium
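Review bot: With the `\b` removed on both sides of `\d{17,19}`, this capture can now land on any 17 to 19 digit window inside a longer digit run (a timestamp, a large integer, another ID) that follows `discord`, `botid` or `bot_id`. Because the rule is `visible: false`, a wrong ID will not show up as a finding but will be fed into dependent validation. Keep at least the boundaries around the capture group, or use `(?:^|\D)` and `(?:\D|$)` if `\b` was the problem.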

View file

@ -5,7 +5,6 @@ rules:
(?x)
[DJANGO]\w{0,8}SECRET_KEY
.{1,16}?
\b
(
[A-Za-z0-9*!$@\#&_%^-]{45,55}
)
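Review bot: In the context line above the removed `\b`, `[DJANGO]\w{0,8}SECRET_KEY` uses a character class, so it matches a single letter out of D, J, A, N, G, O rather than the word DJANGO. Since this pattern is being edited anyway, change it to the literal `DJANGO` (or make the prefix optional on purpose) so the rule matches what its name says.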

View file

@ -12,6 +12,8 @@ rules:
\}
[^}]*?
\}
pattern_requirements:
min_digits: 2
min_entropy: 2.0
confidence: medium
examples:

View file

@ -8,6 +8,8 @@ rules:
dckr_pat_[A-Z0-9_-]{27}
)
(?: $ | [^A-Z0-9_-] )
pattern_requirements:
min_digits: 2
min_entropy: 3.3
confidence: medium
examples:

View file

@ -4,8 +4,12 @@ rules:
pattern: |
(?xi)
\b
(dp\.ct\.[A-Z0-9]{40,44})
(
dp\.ct\.[A-Z0-9]{40,44}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.3
confidence: medium
examples:

View file

@ -15,6 +15,8 @@ rules:
[a-f0-9]{32,64}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.5
confidence: medium
examples:

View file

@ -4,11 +4,12 @@ rules:
pattern: |
(?xi)
\b
sl\.
(
[A-Z0-9\-\_]{130,152}
sl\.[A-Z0-9\-\_]{130,152}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.3
confidence: medium
examples:
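Review bot: Moving `sl\.` inside the capture group changes the value exposed as the token from the bare body to the full `sl.`-prefixed string. Please check the validation request for this rule (outside this hunk) so it does not prepend `sl.` again, and confirm any baseline or dedup fingerprints keyed on the old capture are expected to change.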

View file

@ -8,6 +8,8 @@ rules:
duffel_(?:test|live)_[a-z0-9_\-=]{43}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.2
confidence: medium
examples:

View file

@ -12,6 +12,8 @@ rules:
[A-Z0-9]{64}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.3
confidence: medium
examples:

View file

@ -9,6 +9,8 @@ rules:
[A-Za-z0-9]{54}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.5
confidence: medium
examples:

View file

@ -2,13 +2,15 @@ rules:
- name: ElevenLabs API Key
id: kingfisher.elevenlabs.1
pattern: |
(?xi)
\b
(?xi)
\b
(
sk_
[0-9a-f]{48}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.5
confidence: medium
examples:

View file

@ -11,8 +11,10 @@ rules:
\b
(
\d{15}
)
\b
)
\b
pattern_requirements:
min_digits: 15
min_entropy: 2.0
visible: false
confidence: medium
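Review bot: `min_digits: 15` adds nothing to a capture defined as `\d{15}`, since every match already consists of exactly fifteen digits. Remove the `pattern_requirements` block from this rule so it does not suggest a check is taking place.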
@ -37,6 +39,8 @@ rules:
- " var fbApiKey = '0278fc1adf6dc1d82a156f306ce2c5cc';"
- ' fbApiKey: "171e84fd57f430fc59afa8fad3dbda2a",'
- '"facebook appSecret = "ce3f9f0362bbe5ab01dfc8ee565e4372"'
pattern_requirements:
min_digits: 2
validation:
type: Http
content:
@ -69,9 +73,12 @@ rules:
(?:access_token|access[\s-]token)
(?:.|[\n\r]){0,32}?
)?
(
EAACEdEose0cBA[A-Z0-9]{20,}
)
\b
(EAACEdEose0cBA[A-Z0-9]{20,})
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.3
confidence: medium
examples:

View file

@ -13,6 +13,8 @@ rules:
[a-z0-9_-]{32}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.5
confidence: medium
examples:

View file

@ -8,6 +8,8 @@ rules:
figd_[A-Z0-9_-]{38,42}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.5
confidence: medium
examples:
@ -36,14 +38,14 @@ rules:
(?xi)
figma
(?:.|[\n\r]){0,32}?
\b
(
[0-9A-F]{4}
-[0-9A-F]{8}
(?:-[0-9A-F]{4}){3}
-[0-9A-F]{12}
)
\b
pattern_requirements:
min_digits: 2
examples:
- "--header='X-Figma-Token: 1394-0ca7a5be-8e22-40ee-8c40-778d41ab2313'"
references:

View file

@ -14,6 +14,8 @@ rules:
\.[A-Z0-9]{20}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.3
confidence: medium
examples:

View file

@ -13,6 +13,8 @@ rules:
[a-f0-9]{32}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.5
confidence: medium
examples:

View file

@ -11,6 +11,8 @@ rules:
[a-z0-9]{20}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.0
confidence: medium
examples:

View file

@ -8,6 +8,8 @@ rules:
fc-[a-f0-9]{32}
)
\b
pattern_requirements:
min_digits: 2
confidence: medium
min_entropy: 3.0
validation:

View file

@ -8,6 +8,8 @@ rules:
fw_[A-Z0-9]{24}
)
\b
pattern_requirements:
min_digits: 2
confidence: medium
min_entropy: 3.5
validation:

View file

@ -13,6 +13,8 @@ rules:
[a-f0-9]{32}
)
\b
pattern_requirements:
min_digits: 2
confidence: medium
min_entropy: 3.0
validation:
@ -43,11 +45,11 @@ rules:
(?:.|[\n\r]){0,32}?
(?:OAUTH|ACCESS|TOKEN)?
(?:.|[\n\r]){0,32}?
\b
(
[a-f0-9]{32}
)
\b
pattern_requirements:
min_digits: 2
confidence: medium
min_entropy: 3.0
validation:

View file

@ -8,6 +8,8 @@ rules:
FlyV1\s[A-Za-z0-9=_\-,/+]{100,}
)
\b
pattern_requirements:
min_digits: 2
confidence: medium
min_entropy: 4.0
validation:

View file

@ -7,7 +7,11 @@ rules:
(
fio-u-(?:[A-Z0-9_-]{16}){4}
)
\b
\b
pattern_requirements:
min_digits: 2
min_uppercase: 1
min_lowercase: 1
min_entropy: 3.5
confidence: medium
examples:

View file

@ -7,6 +7,9 @@ rules:
(
fio-u-[a-z0-9\-_=]{64}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.3
confidence: medium
examples:

View file

@ -11,6 +11,8 @@ rules:
[a-z0-9]{64}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.5
confidence: medium
examples:

View file

@ -8,6 +8,8 @@ rules:
flp_[A-Z0-9]{46}
)
\b
pattern_requirements:
min_digits: 2
confidence: medium
min_entropy: 3.0
validation:

View file

@ -15,6 +15,8 @@ rules:
"auth_provider_x509_cert_url":\s*".+?"
(?:[^{}]|\{(?:[^{}]|\{[^{}]*\})*\})*
\}
pattern_requirements:
min_digits: 2
min_entropy: 4.5
confidence: high
examples:
@ -48,9 +50,13 @@ rules:
[=:]
\s{0,8}
["']?
([0-9a-z]{35,40})
(
[0-9a-z]{35,40}
)
["']?
\b
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.5
confidence: medium
examples:

View file

@ -5,9 +5,12 @@ rules:
(?xi)
secret
.{0,20}
(
[0-9a-z]{32,64}
)
\b
([0-9a-z]{32,64})
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.3
confidence: low
examples:
@ -18,9 +21,12 @@ rules:
(?xi)
(?: api_key | apikey | access_key | accesskey )
(?:.|[\n\r]){0,8}?
(
[0-9a-z][0-9a-z\-._/+]{30,62}[0-9a-z]
)
\b
([0-9a-z][0-9a-z\-._/+]{30,62}[0-9a-z])
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.3
confidence: low
examples:
@ -31,7 +37,6 @@ rules:
pattern: |
(?xi)
(?: username | user)
\b
(?:.|[\n\r]){0,16}?
(?: password | pass )
(?:.|[\n\r]){0,16}?
@ -66,7 +71,6 @@ rules:
pattern: |
(?xi)
(?: username | user)
\b
(?:.|[\n\r]){0,16}?
(?: password | pass )
(?:.|[\n\r]){0,16}?
@ -89,7 +93,6 @@ rules:
pattern: |
(?xi)
password
\b
(?:.|[\n\r]){0,16}?
["']
([^$<%@.,\s'"(){}&/\#\-][^\s'"(){}/]{4,}) (?# password )
@ -130,7 +133,6 @@ rules:
id: kingfisher.generic.6
pattern: |
(?xi)
\b
(
blink\d{3,6}
|correcthorsebatterystaple\d{0,6}
@ -144,7 +146,6 @@ rules:
|qwerty\d{3,6}
|trustno\d{1,6}
)
\b
min_entropy: 1.0
confidence: low
examples:
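Review bot: dropping the trailing `\b` after the alternation in `kingfisher.generic.6` lets entries such as `qwerty\d{3,6}` and `trustno\d{1,6}` match as a prefix of any longer alphanumeric string, and this rule has only `min_entropy: 1.0` and no `pattern_requirements` to filter the extra hits. If the boundary was removed for performance or engine reasons, please say so in the rule and add a negative example (a longer identifier that merely starts with one of these words) so the intended behaviour is pinned by a test.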
@ -158,7 +159,6 @@ rules:
pattern: |
(?xi)
(?: db_user | db_USERNAME | db_name)
\b
(?:.|[\n\r]){0,8}?
["'] ([^"']{5,40}) ["']
(?:.|[\n\r]){0,32}?
@ -197,7 +197,6 @@ rules:
id: kingfisher.generic.9
pattern: |
(?xi)
\b
(
(?P<USER> [a-z0-9._-]+ \+ [a-z0-9._-]+ )
:

View file

@ -7,6 +7,8 @@ rules:
new \s+ Gitalk \s* \( \s* \{ \s*
clientID: \s* '([a-f0-9]{20})', \s*
clientSecret: \s* '([a-f0-9]{40})',
pattern_requirements:
min_digits: 2
confidence: medium
min_entropy: 3.0
references:

View file

@ -1,23 +1,58 @@
rules:
- name: GitHub Personal Access Token
- name: GitHub Personal Access Token - fine-grained permissions
id: kingfisher.github.1
pattern: |
(?xi)
(
github_pat_
[A-Z0-9_+]{82,84}
)
\b
pattern_requirements:
min_digits: 2
min_lowercase: 2
min_entropy: 3.5
examples:
- "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"
references:
- https://docs.github.com/en/rest/users?apiVersion=2022-11-28
validation:
type: Http
content:
request:
method: POST
url: https://api.github.com/graphql
headers:
Authorization: token {{ TOKEN }}
Accept: application/vnd.github+json
Content-Type: application/json
body: |
{
"query": "{ viewer { login } }"
}
response_matcher:
- report_response: true
- match_all_words: true
type: WordMatch
words:
- '"login"'
- name: GitHub Personal Access Token
id: kingfisher.github.2
pattern: |
(?xi)
\b
(
(?: # for token prefixes
ghp| # Personal Access Token
gho| # OAuth Token
ghu| # GitHub App User-to-Server Token
ghs| # GitHub App Server-to-Server Token
ghr| # Refresh Token
github_pat # Alternative format for Personal Access Token
)_
(?: # for token body
[a-z0-9_]{35,235} # 35 to 235 lowercase alphanumeric characters or underscores
)
)
\b
(
ghp_(?P<body>[A-Z0-9]{30})(?P<checksum>[A-Z0-9]{6})
)
pattern_requirements:
min_digits: 2
min_lowercase: 2
checksum:
actual:
template: "{{ MATCH | suffix: 6 }}"
requires_capture: checksum
expected: "{{ BODY | crc32 | base62: 6 }}"
skip_if_missing: true
min_entropy: 3.5
examples:
- "GITHUB_KEY=ghp_XIxB7KMNdAr3zqWtQqhE94qglHqOzn1D1stg"
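Review bot: the new fine-grained rule's body class `[A-Z0-9_+]{82,84}` accepts `+` and three different lengths, but the example under it contains no `+`, and the rule it replaces at the end of this file used `[0-9A-Z_]{82}`. Unlike the `ghp_` rule below it, this one has no checksum gate, so every widening of the class shows up directly as extra candidates sent to validation. Please either tighten it back to `[A-Z0-9_]{82}` or add an example and a short comment showing a real token shape that needs `+` or lengths 83 and 84.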
@ -25,8 +60,6 @@ rules:
- |
## git developer settings
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
- "oauth_token: gho_fq75OMU7UVbS9pTZmoCCzJT6TM5d1w099FgG"
- "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"
references:
- https://docs.github.com/en/rest/users?apiVersion=2022-11-28
validation:
@ -50,15 +83,21 @@ rules:
words:
- '"login"'
- name: GitHub OAuth Access Token
id: kingfisher.github.2
id: kingfisher.github.3
pattern: |
(?xi)
\b
(
gho_
[A-Z0-9]{36}
)
\b
gho_(?P<body>[A-Z0-9]{30})(?P<checksum>[A-Z0-9]{6})
)
pattern_requirements:
min_digits: 2
checksum:
actual:
template: "{{ MATCH | suffix: 6 }}"
requires_capture: checksum
expected: "{{ BODY | crc32 | base62: 6 }}"
skip_if_missing: true
min_entropy: 3.5
confidence: medium
examples:
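Review bot: `id: kingfisher.github.2` is taken away from the OAuth rule here and reassigned to the personal access token rule in the previous hunk, so the same ID now names a different detection than it did in v1.61.0. Anything that stores rule IDs (saved findings, ignore lists, `depends_on_rule` entries) will silently point at the wrong rule after upgrade. Prefer keeping existing IDs stable and giving the newly split rules fresh numbers at the end of the sequence, or call out the renumbering in the changelog.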
@ -86,17 +125,49 @@ rules:
type: WordMatch
words:
- '"login"'
- name: GitHub App Token
id: kingfisher.github.3
- name: GitHub App User-to-Server Token
id: kingfisher.github.4
pattern: |
(?xi)
\b
(
(?:ghu|ghs)_[A-Z0-9]{36}
ghu_(?P<body>[A-Z0-9]{30})(?P<checksum>[A-Z0-9]{6})
)
\b
examples:
- ' "token": "ghu_16C7e42F292c69C2E7C10c838347Ae178B4a",'
- |
Example usage:
git clone http://ghu_RguXIkihJjwHAP6eXEYxaPNvywurTr5IOAbg@github.com/username/repo.git
references:
- https://docs.github.com/en/rest/users?apiVersion=2022-11-28
validation:
type: Http
content:
request:
method: POST
url: https://api.github.com/graphql
headers:
Authorization: token {{ TOKEN }}
Accept: application/vnd.github+json
Content-Type: application/json
body: |
{
"query": "{ viewer { login } }"
}
response_matcher:
- report_response: true
- match_all_words: true
type: WordMatch
words:
- '"login"'
- name: GitHub App Server-to-Server Token
id: kingfisher.github.5
pattern: |
(?xi)
(
ghs_(?P<body>[A-Z0-9]{30})(?P<checksum>[A-Z0-9]{6})
)
examples:
- ' "token": "ghs_16C7e42F292c69C2E7C10c838347Ae178B4a",'
- |
Example usage:
git clone http://ghs_RguXIkihJjwHAP6eXEYxaPNvywurTr5IOAbg@github.com/username/repo.git
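Review bot: the `ghu_` and `ghs_` patterns define `(?P<body>…)` and `(?P<checksum>…)` but neither rule gets the `pattern_requirements` / `checksum` block that the `ghp_` and `gho_` rules received, so the named captures are unused and these two token families are still reported without checksum filtering. The changelog entry says checksum validation is enforced for App tokens as well, so please add the same block (`actual` from `{{ MATCH | suffix: 6 }}`, `expected` from `{{ BODY | crc32 | base62: 6 }}`) to both rules, or drop the named groups if the omission is deliberate.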
@ -123,14 +194,12 @@ rules:
words:
- '"login"'
- name: GitHub Refresh Token
id: kingfisher.github.4
id: kingfisher.github.6
pattern: |
(?xi)
\b
(
ghr_[A-Z0-9]{76}
ghr_(?P<body>[A-Z0-9]{30})(?P<checksum>[A-Z0-9]{6})
)
\b
examples:
- ' "refresh_token": "ghr_1B4a2e77838347a7E420ce178F2E7c6912E169246c3CE1ccbF66C46812d16D5B1A9Dc86A1498",'
references:
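Review bot: `ghr_(?P<body>[A-Z0-9]{30})(?P<checksum>[A-Z0-9]{6})` can cover at most 36 characters after the prefix, while the example kept under `examples:` has the much longer body that the removed `ghr_[A-Z0-9]{76}` was written for. The rule will therefore either miss that token or report only its first 40 characters, and a truncated token sent to the validation request can never come back as live; the characters captured as `checksum` would also be mid-token bytes rather than the real trailing checksum. Please size `body` to the refresh-token length (70 characters of body plus 6 of checksum, if the 76-character format still holds) and add the checksum block, which this hunk defines captures for but does not use.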
@ -156,7 +225,7 @@ rules:
words:
- '"login"'
- name: GitHub Client ID
id: kingfisher.github.5
id: kingfisher.github.7
pattern: |
(?xi)
(?:github)
@ -172,16 +241,18 @@ rules:
GITHUB_CLIENT_ID=ac58d6da7d7a84c039b7
GITHUB_SECRET=37d02377a3e9d849e18704c3ec883f9c5787d857
- name: GitHub Secret Key
id: kingfisher.github.6
id: kingfisher.github.8
pattern: |
(?xi)
github
.?
(?: api | app | application | client | consumer | customer | secret | key )
.?
(?: key | oauth | sec | secret )?
.{0,2} \s{0,20} .{0,2} \s{0,20} .{0,2}
\b ([a-z0-9]{40}) \b
(?:.|[\n\r]){0,32}?
(?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)
(?:.|[\n\r]){0,32}?
\b
(
[a-z0-9]{40}
)
\b
depends_on_rule:
- rule_id: "kingfisher.github.5"
variable: GITHUB_CLIENT_ID
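Review bot: the unchanged `depends_on_rule` entry still reads `rule_id: "kingfisher.github.5"` with `variable: GITHUB_CLIENT_ID`, but the previous hunk moves the GitHub Client ID rule to `kingfisher.github.7`, and `kingfisher.github.5` is now the App Server-to-Server token rule. As written, the secret-key rule would take its client ID from `ghs_` token matches. Update the reference to `kingfisher.github.7`, and consider a load-time check that a `depends_on_rule` target actually produces the named variable.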
@ -206,34 +277,3 @@ rules:
- |
GITHUB_CLIENT_ID=ac58d6da7d7a84c039b7
GITHUB_SECRET=37d02377a3e9d849e18704c3ec883f9c5787d857
- name: GitHub Personal Access Token (fine-grained permissions)
id: kingfisher.github.7
pattern: |
(?xi)
\b
(
github_pat_[0-9A-Z_]{82}
)
\b
examples:
- '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'
validation:
type: Http
content:
request:
method: POST
url: https://api.github.com/graphql
headers:
Authorization: token {{ TOKEN }}
Accept: application/vnd.github+json
Content-Type: application/json
body: |
{
"query": "{ viewer { login } }"
}
response_matcher:
- report_response: true
- match_all_words: true
type: WordMatch
words:
- '"login"'

View file

@ -2,12 +2,15 @@ rules:
- name: GitLab Private Token
id: kingfisher.gitlab.1
pattern: |
(?xi)
\b
(?xi)
\b
(
glpat-
[0-9A-Z_-]{20}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.5
confidence: medium
examples:
@ -42,6 +45,8 @@ rules:
GR1348941[0-9A-Z_-]{20}
)
\b
pattern_requirements:
min_digits: 2
examples:
- |
sudo gitlab-runner register \
@ -85,7 +90,8 @@ rules:
(
glptt-[0-9a-f]{40}
)
\b
pattern_requirements:
min_digits: 2
examples:
- |
curl \
@ -117,11 +123,14 @@ rules:
- name: GitLab Private Token - Updated Format
id: kingfisher.gitlab.4
pattern: |
(?x)
(?x)
\b
(
glpat-[A-Za-z0-9_-]{36,38}\.01\.[a-z0-9]{9}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.5
confidence: medium
examples:

View file

@ -11,6 +11,8 @@ rules:
[a-z0-9_-]{40}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.2
confidence: medium
examples:

View file

@ -13,7 +13,11 @@ rules:
(?:[A-Z0-9=_-]{8}){3}
[A-Z0-9=_-]{0,2}
)
\b
\b
pattern_requirements:
min_digits: 2
min_uppercase: 1
min_lowercase: 1
min_entropy: 3.5
confidence: medium
examples:

View file

@ -15,9 +15,12 @@ rules:
id: kingfisher.google.2
pattern: |
(?xi)
\b
(GOCSPX-[A-Z0-9_-]{28})
(?:[^A-Z0-9_-] | $)
pattern_requirements:
min_digits: 2
min_uppercase: 1
min_lowercase: 1
min_entropy: 3.3
confidence: medium
examples:
@ -28,9 +31,14 @@ rules:
pattern: |
(?xi)
client.?secret .{0,10}
\b
([a-z0-9_-]{24})
(
[a-z0-9_-]{24}
)
(?: [^a-z0-9_-] |$)
pattern_requirements:
min_digits: 4
min_uppercase: 3
min_lowercase: 3
min_entropy: 3.3
confidence: medium
examples:
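Review bot: `min_digits: 4`, `min_uppercase: 3` and `min_lowercase: 3` on the 24-character capture are much stricter than the 2/1/1 used by the other Google rules in this file, and nothing in the hunk explains the choice. A genuine client secret with only two uppercase letters or three digits would now be dropped before validation, with no finding to show for it. Please document where these thresholds come from, or align them with the neighbouring rules and let `client.?secret` plus `min_entropy: 3.3` carry the filtering.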
@ -42,9 +50,12 @@ rules:
id: kingfisher.google.4
pattern: |
(?xi)
\b
(ya29\.[0-9A-Z_-]{20,1024})
(?: [^0-9A-Z_-]|$)
(?: [^0-9A-Z_-])
pattern_requirements:
min_digits: 2
min_uppercase: 1
min_lowercase: 1
min_entropy: 3.3
confidence: medium
examples:
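Review bot: the terminator after the `ya29\.` capture appears twice in this hunk, first as `(?: [^0-9A-Z_-]|$)` and then as `(?: [^0-9A-Z_-])`, and the second form has no `$` alternative. If that second line is the new one, a token that ends the scanned input (last line of a file with no trailing newline, or the end of a blob) no longer matches, whereas the other rules in this file keep `| $`. Please restore the `|$` branch or add an end-of-input example to show the case is still covered.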
@ -66,12 +77,10 @@ rules:
id: kingfisher.google.6
pattern: |
(?xi)
\b
([0-9]+-[a-z0-9_]{32}\.apps\.googleusercontent\.com)
(?:
(?s).{0,40}
)
\b
(?:
(GOCSPX-[A-Z0-9_-]{28})
|
@ -80,6 +89,10 @@ rules:
)
)
(?:[^A-Z0-9_-] | $)
pattern_requirements:
min_digits: 2
min_uppercase: 1
min_lowercase: 1
min_entropy: 3.3
confidence: medium
examples:
@ -98,11 +111,16 @@ rules:
id: kingfisher.google.7
pattern: |
(?xi)
\b
(
AIza
[A-Za-z0-9_-]{35}
)
\b
pattern_requirements:
min_digits: 2
min_uppercase: 1
min_lowercase: 1
min_entropy: 3.5
confidence: medium
examples:

View file

@ -8,6 +8,8 @@ rules:
eyJrIjoi[a-z0-9]{60,100}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.3
confidence: medium
examples:
@ -20,12 +22,15 @@ rules:
id: kingfisher.grafana.2
pattern: |
(?xi)
\b
\b
(
glc_
[a-z0-9+/]{40,150}
={0,2}
)
pattern_requirements:
min_digits: 2
min_lowercase: 2
min_entropy: 3.3
confidence: medium
examples:
@ -56,6 +61,8 @@ rules:
glsa_[A-Z0-9]{32}_[A-F0-9]{8}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.3
confidence: medium
examples:

View file

@ -8,6 +8,8 @@ rules:
gsk_[a-zA-Z0-9]{52}
)
\b
pattern_requirements:
min_digits: 2
confidence: medium
min_entropy: 4.5
validation:

View file

@ -7,6 +7,8 @@ rules:
- https://unix.stackexchange.com/a/511017
- https://hashcat.net/wiki/doku.php?id=example_hashes
- https://passwordvillage.org/salted.html#md5crypt
pattern_requirements:
min_digits: 2
min_entropy: 3.3
confidence: medium
examples: # generated with `openssl passwd -1 -salt 'OKgLCmVl' 'a'`
@ -38,6 +40,8 @@ rules:
\$ [./A-Za-z0-9]{8,16}
\$ [./A-Za-z0-9]{43}
)
pattern_requirements:
min_digits: 2
references:
- https://en.wikipedia.org/wiki/Crypt_(C)#Key_derivation_functions_supported_by_crypt
- https://hashcat.net/wiki/doku.php?id=example_hashes
@ -58,6 +62,8 @@ rules:
\$ [./A-Za-z0-9]{8,16}
\$ [./A-Za-z0-9]{86}
)
pattern_requirements:
min_digits: 2
references:
- https://en.wikipedia.org/wiki/Crypt_(C)#Key_derivation_functions_supported_by_crypt
- https://hashcat.net/wiki/doku.php?id=example_hashes
@ -76,6 +82,8 @@ rules:
\$ [./A-Za-z0-9]{8,16}
\$ [./A-Za-z0-9]{43}
)
pattern_requirements:
min_digits: 2
references:
- https://en.wikipedia.org/wiki/Crypt_(C)#Key_derivation_functions_supported_by_crypt
- https://hashcat.net/wiki/doku.php?id=example_hashes
@ -96,7 +104,8 @@ rules:
[0-9a-f]{32}
\$ [0-9a-f]{64,}
)
\b
pattern_requirements:
min_digits: 2
references:
- https://hashcat.net/wiki/doku.php?id=example_hashes
min_entropy: 3.3

View file

@ -5,16 +5,20 @@ rules:
pattern: |
(?x)
(?i: hashicorp | vault | token | key | secret )
["':=\ ]{0,5}
(?:.|[\n\r]){0,32}?
\b
(s\.[A-Za-z0-9_-]{24,128})
(?: [^A-Za-z0-9_-] | $ )
(
s\.[A-Za-z0-9_-]{24,128}
)
\b
pattern_requirements:
min_digits: 2
confidence: medium
min_entropy: 3.0
examples:
- 'VAULT_CLIENT_TOKEN="s.Z4bTMtngfLeQ18AqVoBBkUAOD1"'
- '`-vaultToken s.CAESIP2jTxc9S3K7Z6CtcFWQv7-044m_oSsxkingfisher.0H3nF89l3GiYKHGh3cy5sQmlIZVNyTWJNcDRsYWJpQjlhYjVlb2cQh6PL8wEYAg"`'
- 'vaultToken="s.CAESIP2jTxc9S3K7Z6CtcFWQv7-044m_oS.0H3nF89l3GiYKHGh3cy5sQmlIZVNyTWJNcDRsYWJpQjlhYjVlb2cQh6PL8wEYAg"`'
references:
- https://developer.hashicorp.com/vault/docs/concepts/tokens
@ -26,9 +30,10 @@ rules:
(?x)
(?i: hashicorp | vault | token | key | secret )
["':=\ ]{0,5}
\b
(b\.[A-Za-z0-9_-]{24,500})
(?: [^A-Za-z0-9_-] | $ )
pattern_requirements:
min_digits: 2
examples:
- 'VAULT_CLIENT_TOKEN="b.Z4bTMtngfLeQ18AqVoBBkUAOD1"'
@ -44,9 +49,10 @@ rules:
(?x)
(?i: hashicorp | vault | token | key | secret )
["':=\ ]{0,5}
\b
(r\.[A-Za-z0-9_-]{24,500})
(?: [^A-Za-z0-9_-] | $ )
pattern_requirements:
min_digits: 2
examples:
- 'VAULT_CLIENT_TOKEN="r.Z4bTMtngfLeQ18AqVoBBkUAOD1"'
@ -62,9 +68,10 @@ rules:
pattern: |
(?x)
\b
(hvs\.[A-Za-z0-9]{24,130})
(?: [^A-Za-z0-9_-] | $ )
pattern_requirements:
min_digits: 2
examples:
- "apikey: hvs.JGbZZaCkOSgsZ56uhGlTK2zyC1j2mwhy0VLp4"
@ -79,9 +86,10 @@ rules:
pattern: |
(?x)
\b
(hvb\.[A-Za-z0-9_-]{24,500})
(?: [^A-Za-z0-9_-] | $ )
pattern_requirements:
min_digits: 2
examples:
- "apikey: hvb.JGbZZaCkOSgsZ56uhGlTK2zyC1j2mwhy0VLp4"
@ -98,9 +106,10 @@ rules:
pattern: |
(?x)
\b
(hvr\.[A-Za-z0-9]{24,130})
(?: [^A-Za-z0-9_-] | $ )
pattern_requirements:
min_digits: 2
examples:
- "apikey: hvr.JGbZZaCkOSgsZ56uhGlTK2zyC1j2mwhy0VLp4"
@ -119,9 +128,10 @@ rules:
(?i: unseal )
\b
.{1,10}
\b
([a-zA-Z0-9+/]{44})
(?: [^a-zA-Z0-9+/] | $ )
pattern_requirements:
min_digits: 2
examples:
- "Unseal Key 2: 0tZn+7QQCxphpHwTm7/dC3LpP5JGIbYl3PK8Sy81R+P2"

View file

@ -5,13 +5,15 @@ rules:
(?xi)
\b
heroku
(?:.|[\n\r]){0,32}?
(?:.|[\n\r]){0,32}?
\b
(
[0-9a-f]{8}-[0-9a-f]{4}-
[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}
)
\b
pattern_requirements:
min_digits: 2
min_entropy: 3.0
confidence: medium
examples:
@ -35,10 +37,11 @@ rules:
id: kingfisher.heroku.2
pattern: |
(?xi)
\b
(
HRKU-[A-Z0-9_]{60}
)
pattern_requirements:
min_digits: 2
confidence: medium
min_entropy: 4.0
validation:

View file

@ -8,6 +8,8 @@ rules:
pat-[a-z0-9]{2,3}-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}
)
\b
pattern_requirements:
min_digits: 2
confidence: medium
min_entropy: 3.0
validation:

View file

@ -3,7 +3,6 @@ rules:
id: kingfisher.huggingface.1
pattern: |
(?xi)
\b
(?:
(
(?:api_org|hf)_
@ -11,6 +10,8 @@ rules:
)
)
\b
pattern_requirements:
min_digits: 2
references:
- https://huggingface.co/docs/hub/security-tokens
min_entropy: 3.3

Some files were not shown because too many files have changed in this diff