From 507b8e2b5eb3a9890f72dbe70e2861ad2e040543 Mon Sep 17 00:00:00 2001
From: Mick Grove
Date: Tue, 15 Jul 2025 16:42:22 -0700
Subject: [PATCH] Added dockerfile and github action to build and publish it
---
 .github/workflows/release-docker.yml | 30 ++++++++++++++++++++++++++++
 Makefile | 7 +++++++
 README.md | 20 +++++++++++++++++++
 data/rules/datadog.yml | 5 ++---
 4 files changed, 59 insertions(+), 3 deletions(-)
 create mode 100644 .github/workflows/release-docker.yml
diff --git a/.github/workflows/release-docker.yml b/.github/workflows/release-docker.yml
new file mode 100644
index 0000000..dcd1ea9
--- /dev/null
+++ b/.github/workflows/release-docker.yml
@@ -0,0 +1,30 @@
+# .github/workflows/release-docker.yml
+name: Publish Docker image
+on:
+ push:
+ tags: ["v*.*.*"] # every semantic-version tag
+permissions:
+ contents: read
+ packages: write
+jobs:
+ build-and-push:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: docker/setup-buildx-action@v3
+ - uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - uses: docker/build-push-action@v5
+ with:
+ context: .
+ file: docker/Dockerfile
+ platforms: linux/amd64,linux/arm64
+ push: true
+ tags: |
+ ghcr.io/mongodb/kingfisher:latest
+ ghcr.io/mongodb/kingfisher:${{ github.ref_name }}
diff --git a/Makefile b/Makefile
index 540959e..41f74ba 100644
--- a/Makefile
+++ b/Makefile
@@ -366,6 +366,13 @@ all: linux darwin
 @echo -e "\nCombined Checksums:"
 @cat target/release/CHECKSUMS.txt
+dockerfile:
+# Build for the host architecture (default)
+ docker build -t kingfisher:latest .
+
+# Cross‑build for arm64 from an x64 machine
+ docker buildx build --platform linux/arm64 -t kingfisher:arm64 .
+
 list-archives:
 @echo -e "\n=== Built archives ==="
 @found=0; \
diff --git a/README.md b/README.md
index f94fc36..7e3e5cf 100644
--- a/README.md
+++ b/README.md
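Review bot: The build-push step points at `file: docker/Dockerfile`, but the diffstat lists no Dockerfile in this commit despite the subject line, and the Makefile hunk's `docker build -t kingfisher:latest .` builds from the context root with no `-f`, so the two build paths disagree unless both files already exist upstream. `tags: ["v*.*.*"]` also fires on pre-release tags (a constructed example: `v1.2.3-rc1`), and every run overwrites `ghcr.io/mongodb/kingfisher:latest`, so a release candidate would become `latest`; if that is unwanted, narrow the pattern or guard the `latest` tag with a condition on `github.ref_name`. All four actions are pinned to mutable major tags (`@v4`, `@v3`, `@v5`) in a job that holds a `packages: write` token; pin each to a full commit SHA with the version as a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha> # v4`, and let Dependabot advance the SHA. The scoped `permissions` block is the right shape; adding `provenance: true` and `sbom: true` to the build-push step would let consumers verify what was published.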
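Review bot: The new `dockerfile:` target is not declared `.PHONY`, so if a file or directory named `dockerfile` (or `Dockerfile` on a case-insensitive filesystem) exists at the repo root, `make dockerfile` reports it up to date and never runs the recipe; add `.PHONY: dockerfile` (the file's existing `.PHONY` declaration, if any, lies outside the hunk). The arm64 recipe runs `docker buildx build --platform linux/arm64 -t kingfisher:arm64 .` with neither `--load` nor `--push`, so with a docker-container builder the result stays in the build cache and the `kingfisher:arm64` tag never appears locally — presumably unintended, confirm against the builder the team uses. The target name reads like a file rather than an action; a verb-style name such as `docker-build` would match the neighbouring `list-archives` target.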
@@ -58,6 +58,26 @@ make darwin-all # builds both x64 and arm64
 make all # builds for every OS and architecture supported
 ```
+### Run Kingfisher in Docker
+
+
+Run the dockerized Kingfisher container:
+```bash
+# GitHub Container Registry
+docker run --rm ghcr.io/mongodb/kingfisher:latest --version
+
+# Scan the current working directory
+# (mounts your code at /src and scans it)
+docker run --rm -v "$PWD":/src ghcr.io/mongodb/kingfisher:latest scan /src
+
+# Scan while providing a GitHub token
+docker run --rm -e KF_GITHUB_TOKEN=ghp_… -v "$PWD":/proj ghcr.io/mongodb/kingfisher:latest scan --git-url https://github.com/org/private_repo.git
+
+# Scan and output as json
+docker run --rm -v "$PWD":/proj ghcr.io/mongodb/kingfisher:latest scan /proj --format json --output findings.json
+```
+
+
 # Write Custom Rules!
 Kingfisher ships with hundreds of rules with HTTP and service‑specific validation checks (AWS, Azure, GCP, etc.) to confirm if a detected string is a live credential.
diff --git a/data/rules/datadog.yml b/data/rules/datadog.yml
index 1fc5420..c851ed8 100644
--- a/data/rules/datadog.yml
+++ b/data/rules/datadog.yml
@@ -5,7 +5,7 @@ rules:
 (?xi)
 \b
 (?:datadog|dd-|dd_)
- (?:.|[\n\r]){0,32}?
+ (?:.|[\n\r]){0,16}?
 (?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)
 (?:.|[\n\r]){0,32}?
 \b
@@ -46,8 +46,7 @@ rules:
 \b
 (?:
 dd[_-]?\w{0,8}[_-]?(?:key|secret) |
- datadog |
- dog
+ datadog
 )
 (?:.|[\n\r]){0,64}?
 \b
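Review bot: The first hunk narrows the window between the `datadog|dd-|dd_` prefix and the `SECRET|PRIVATE|ACCESS|KEY|TOKEN` keyword from `{0,32}?` to `{0,16}?` with no rationale, and the commit subject mentions only the Dockerfile and workflow; any credential whose prefix and keyword are separated by more than 16 characters now goes undetected. Record the reason next to the pattern, e.g. `# prefix-to-keyword window is 16 chars: <reason> (ref: <issue id>)`, and if the rule file carries example strings add one that still matches and one that was a false positive at 32, so the narrowing is tested rather than asserted. The second hunk's removal of the bare `dog` alternative is a sensible false-positive reduction and needs no further comment. Both hunks sit inside the rule's regex, whose start and end lie outside them.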