diff --git a/CHANGELOG.md b/CHANGELOG.md index 24e27b2..b5f84c6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -5,7 +5,9 @@ All notable changes to this project will be documented in this file. ## [v1.96.0] - Added live HTTP validation for 18 rules across 15 providers: Val Town, Polar, hCaptcha, Thunderstore, Elastic Cloud (2 rules), LlamaCloud, Gemfury (2 rules), Vonage, ThingsBoard, Zapier, Facebook Access Token, GitLab Session Cookie, PostHog Feature Flags, Unkey API Key, and Hop.io (2 rules). - Added revocation support for 7 rules across 6 providers: Discord webhooks (single-step DELETE), DigitalOcean PATs (self-revoke via OAuth), and multi-step HttpMultiStep revocation for LaunchDarkly, Resend, Linode, and Netlify (2 rules). Built-in revocation coverage is now 34 provider families with 53 revocation-enabled rules. +- Expanded Alibaba Cloud coverage with STS temporary credential detection for STS access key IDs, STS security tokens, and STS access key secrets. Built-in rule coverage is now 921 rules total. - Added 61 new detection rules across 46 providers: Axiom (API token + PAT), Trigger.dev (secret key + PAT), Dub.co, Svix webhook signing secret, Liveblocks, Inngest (signing key + event key), Seam, Courier, Cal.com, Arcjet, WarpStream, Mem0, Mintlify, Pirsch, Tinybird, Tolgee (project key + PAT), Ory (API key + session + OAuth2 tokens), Xendit, Xata, Crossmint (server + client keys), DeepL (Free + Pro), Flagsmith, E2B, Infisical, WooCommerce (consumer key + secret), Nightfall AI, Ramp (client ID + secret), Hex.pm (personal + workspace tokens), Convex deploy key, MiniMax, Mappedin (key + secret), Pollinations (secret + publishable), Fal.ai, Aikido, Hack Club, GuardSquare, Browser Use, Composio, Gamma, Hex.tech, Mastra, redirect.pizza, Upstash, and WorkOS. Also added new prefixed-token rules for Netlify (`nfp_`), Cloudflare (`cfut_`), and Supabase (`sb_publishable_`). Added live HTTP validation for 30 of these rules. 
+- Added 32 new detection rules across 25 providers: Ghost CMS (admin + content keys), UpCloud (`ucat_`), Voiceflow (`VF.DM.`/`VF.WS.`), Robinhood Crypto (`rh-api-`), ClickUp (`pk_`), Unleash (client/admin + personal tokens), ConfigCat (standard + extended SDK keys), SaladCloud (`salad_cloud_`), Tigris (`tid_`/`tsec_`), Portainer (`ptr_`), Permit.io (`permit_key_`), Builder.io (`bpk-`), LiveKit (API key + secret), Close CRM (`api_`), Hetzner Cloud, Censys (API ID + secret), Wistia, PandaDoc, Pinata (key + secret), ZeroTier, Detectify, ChartMogul, Moralis, ButterCMS, and Loops. Includes HTTP validation for 19 of these rules. - Removed 17 direct dependencies from the root crate by dropping unused deps (`p256`, `ed25519-dalek`, `jsonwebtoken`, `gitlab`, `lazy_static`, `base32`, `pem`, `byteorder`, `reqwest-middleware`, `sha1`, `time`, `ring`, `num_cpus`, `strum_macros`), replacing `once_cell` with `std::sync::{LazyLock, OnceLock}`, and using `std::thread::available_parallelism()` in place of `num_cpus`. Salt generation now uses `rand` instead of `ring`, and all `strum_macros::Display` imports are consolidated under `strum::Display`. ## [v1.95.0] diff --git a/README.md b/README.md index 9de1ebf..2a27a56 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ License - Detection Rules + Detection Rules
@@ -17,7 +17,7 @@ Kingfisher is an open source secret scanner and **live secret validation** tool built in Rust. -It combines Intel's SIMD-accelerated regex engine (Hyperscan) with language-aware parsing to achieve high accuracy at massive scale, and **ships with 800+ built-in rules** to detect, **validate**, and triage leaked API keys, tokens, and credentials before they ever reach production. +It combines Intel's SIMD-accelerated regex engine (Hyperscan) with language-aware parsing to achieve high accuracy at massive scale, and **ships with 921 built-in rules** to detect, **validate**, and triage leaked API keys, tokens, and credentials before they ever reach production. Designed for offensive security engineers and blue-team defenders alike, Kingfisher helps you scan repositories, cloud storage, chat, docs, and CI pipelines to find and verify exposed secrets quickly. @@ -49,9 +49,9 @@ Kingfisher is a high-performance, open source secret detection tool for source c -### Performance, Accuracy, and 800+ Rules +### Performance, Accuracy, and 921 Rules - **Performance**: multithreaded, Hyperscan‑powered scanning built for huge codebases -- **Extensible rules**: 800+ built-in rules plus YAML-defined custom rules ([docs/RULES.md](/docs/RULES.md)) +- **Extensible rules**: 921 built-in rules plus YAML-defined custom rules ([docs/RULES.md](/docs/RULES.md)) - **Validate & Revoke**: live validation of discovered secrets, plus direct revocation for supported platforms (GitHub, GitLab, Slack, AWS, GCP, and more) ([docs/USAGE.md](/docs/USAGE.md)) - **Revocation support matrix**: current built-in revocation coverage across providers and rule IDs ([docs/REVOCATION_PROVIDERS.md](/docs/REVOCATION_PROVIDERS.md)) - **Blast Radius Mapping**: instantly map leaked keys to their effective cloud identities and exposed resources with `--access-map`. Supports 39 providers (see table below). 
@@ -345,7 +345,7 @@ gh attestation verify kingfisher-linux-x64.tgz --repo mongodb/kingfisher # Detection Rules -Kingfisher ships with [800+ built-in rules](crates/kingfisher-rules/data/rules/) covering cloud keys, AI tokens, CI/CD secrets, database credentials, and SaaS API keys. Below is an overview — see the full list in [crates/kingfisher-rules/data/rules/](crates/kingfisher-rules/data/rules/): +Kingfisher ships with [921 built-in rules](crates/kingfisher-rules/data/rules/) covering cloud keys, AI tokens, CI/CD secrets, database credentials, and SaaS API keys. Below is an overview — see the full list in [crates/kingfisher-rules/data/rules/](crates/kingfisher-rules/data/rules/): | Category | What we catch | |----------|---------------| @@ -362,7 +362,7 @@ Kingfisher ships with [800+ built-in rules](crates/kingfisher-rules/data/rules/) ## Write Custom Rules -Kingfisher ships with 800+ rules with HTTP and service‑specific validation checks (AWS, Azure, GCP, etc.) to confirm if a detected string is a live credential. +Kingfisher ships with 921 rules with HTTP and service‑specific validation checks (AWS, Azure, GCP, etc.) to confirm if a detected string is a live credential. However, you may want to add your own custom rules, or modify a detection to better suit your needs / environment. diff --git a/crates/kingfisher-rules/data/rules/alibaba.yml b/crates/kingfisher-rules/data/rules/alibaba.yml index 70e1658..3265dd7 100644 --- a/crates/kingfisher-rules/data/rules/alibaba.yml +++ b/crates/kingfisher-rules/data/rules/alibaba.yml @@ -3,8 +3,9 @@ rules: id: kingfisher.alibabacloud.1 pattern: | (?x) + \b ( - LTAI([a-zA-Z0-9]{12,20}) + LTAI[A-Za-z0-9]{17,21} ) \b pattern_requirements: 
@@ -25,8 +26,12 @@ rules: pattern: | (?x) \b - (?i:alibaba|alibaba[\s_-]*cloud|aliyun) - (?:.|[\n\r]){0,40}? + (?: + (?i:alibaba|alibaba[\s_-]*cloud|aliyun) + | + LTAI[A-Za-z0-9]{17,21} + ) + (?:.|[\n\r]){0,80}? (?i:access[\s_-]*key[\s_-]*secret|access[\s_-]*secret|secret|token|key) (?:.|[\n\r]){0,16}? (?: @@ -46,6 +51,7 @@ rules: examples: - alibaba_secret = 7jkWdTjKLnSlGddwPR5gBn65PHcZG6 - alibaba-token = aJHKLnSlGddwPR5g7jkWdTBn65PHc5 + - AccessKeyId=LTAI8x2NiGqfyJGx7eLDhp12 AccessKeySecret=7jkWdTjKLnSlGddwPR5gBn65PHcZG6 validation: type: Http content: 
@@ -81,4 +87,119 @@ rules: - https://www.alibabacloud.com/help/en/ram/latest/create-an-accesskey-pair depends_on_rule: - rule_id: kingfisher.alibabacloud.1 - variable: AKID \ No newline at end of file + variable: AKID + - name: Alibaba STS Access Key ID + id: kingfisher.alibabacloud.3 + pattern: | + (?x) + \b + ( + STS\.[A-Za-z0-9]{16,64} + ) + \b + min_entropy: 3.0 + confidence: medium + visible: false + examples: + - STS.NTKaenSkmLhG4HpM576UV + - STS.FJ6EMcS1JLZgAcBJSTDG1Z4CE + references: + - https://www.alibabacloud.com/help/en/openapi/credentials + - https://www.alibabacloud.com/help/en/ram/developer-reference/api-sts-2015-04-01-assumerole + - name: Alibaba STS Security Token + id: kingfisher.alibabacloud.4 + pattern: | + (?xi) + \b + (?:security[\s_-]*token|sts[\s_-]*token|x[\s_-]*oss[\s_-]*security[\s_-]*token|alibaba[\s_-]*cloud[\s_-]*security[\s_-]*token|aliyun[\s_-]*security[\s_-]*token) + (?:.|[\n\r]){0,16}? + (?: + [=:] + | + ["']\s*:\s*["'] + ) + \s* + ["']? + ( + CAIS[A-Za-z0-9+/_=-]{20,1024} + ) + (?:["'\s,;}&\]]|$) + min_entropy: 4.0 + confidence: medium + visible: false + examples: + - securityToken = "CAISuwJ1q6Ft5B2yu9Kiaa5E0VnVJ8q2o3P4r5S6t7U8v9W0xYz" + - ALIBABA_CLOUD_SECURITY_TOKEN=CAIS/gF1q6Ft5B2yfSjIr5eDA9xjJCcl57eKC7A3ThnJA + references: + - https://www.alibabacloud.com/help/en/openapi/credentials + - https://www.alibabacloud.com/help/en/ram/developer-reference/api-sts-2015-04-01-assumerole + - name: Alibaba STS Access Key Secret + id: kingfisher.alibabacloud.5 + pattern: | + (?x) + \b + (?: + (?i:alibaba|alibaba[\s_-]*cloud|aliyun|sts) + | + STS\.[A-Za-z0-9]{16,64} + ) + (?:.|[\n\r]){0,120}? + (?i:access[\s_-]*key[\s_-]*secret|access[\s_-]*secret) + (?:.|[\n\r]){0,16}? + (?: + [=:] + | + ["']\s*:\s*["'] + ) + \s* + ["']? + ( + [A-Za-z0-9]{30,64} + ) + \b + ["']? 
+ min_entropy: 4.2 + confidence: medium + examples: + - STS.NTKaenSkmLhG4HpM576UV AccessKeySecret=wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK + - "aliyun sts access_key_secret: 6itECZnhbG2RU6ktTSBSd6JxeLHKPWyBtSS62" + validation: + type: Http + content: + request: + method: GET + url: > + {%- assign nonce = "" | uuid | upcase -%} + {%- assign raw_timestamp = "" | iso_timestamp_no_frac -%} + {%- assign timestamp = raw_timestamp | replace: ":", "%3A" -%} + + {%- capture params -%} + AccessKeyId={{ STS_AKID | url_encode }}&Action=GetCallerIdentity&Format=JSON&SecurityToken={{ SECURITY_TOKEN | url_encode }}&SignatureMethod=HMAC-SHA1&SignatureNonce={{ nonce }}&SignatureVersion=1.0&Timestamp={{ timestamp }}&Version=2015-04-01 + {%- endcapture -%} + {%- assign encoded_params = params | replace: "+", "%20" | replace: "*", "%2A" | replace: "%7E", "~" -%} + {%- assign query_string = encoded_params | url_encode | replace: "%2D", "-" | replace: "%2E", "." -%} + + {%- assign signature_base_string = "GET&%2F&" | append: query_string -%} + {%- assign token_amp = TOKEN | append: "&" -%} + + {%- assign hmacsignature = signature_base_string | hmac_sha1: token_amp | url_encode -%} + + https://sts.aliyuncs.com/?{{ params }}&Signature={{ hmacsignature }} + headers: + Accept: application/json + response_matcher: + - report_response: true + - type: StatusMatch + status: [200] + - type: WordMatch + words: ['"Arn"'] + references: + - https://www.alibabacloud.com/help/en/openapi/credentials + - https://www.alibabacloud.com/help/en/nas/request-signatures + - https://www.alibabacloud.com/help/en/ram/developer-reference/api-sts-2015-04-01-getcalleridentity + - https://www.alibabacloud.com/help/en/ram/developer-reference/api-sts-2015-04-01-assumerole + depends_on_rule: + - rule_id: kingfisher.alibabacloud.3 + variable: STS_AKID + - rule_id: kingfisher.alibabacloud.4 + variable: SECURITY_TOKEN 
diff --git a/crates/kingfisher-rules/data/rules/builderio.yml b/crates/kingfisher-rules/data/rules/builderio.yml new file mode 100644 index 0000000..ea5389b --- /dev/null +++ b/crates/kingfisher-rules/data/rules/builderio.yml @@ -0,0 +1,23 @@ +rules: + - name: Builder.io Private API Key + id: kingfisher.builderio.1 + pattern: | + (?x) + \b + ( + bpk-[a-f0-9]{32} + ) + \b + pattern_requirements: + min_digits: 2 + min_lowercase: 2 + min_entropy: 3.5 + confidence: medium + examples: + - 'BUILDER_PRIVATE_KEY=bpk-326204939cb941afb1431bf19bdc007d' + - 'builder_key: "bpk-7e3094a4265949f69b98a02b80e82cb8"' + - 'bpk-3d990a73da74423ca9ac00b9a2cf0f08' + references: + - https://www.builder.io/c/docs/using-your-api-key + - https://www.builder.io/c/docs/write-api + # No validation: documented Private API Key endpoints are mutating Write API calls. diff --git a/crates/kingfisher-rules/data/rules/buttercms.yml b/crates/kingfisher-rules/data/rules/buttercms.yml new file mode 100644 index 0000000..9f7c38b --- /dev/null +++ b/crates/kingfisher-rules/data/rules/buttercms.yml @@ -0,0 +1,35 @@ +rules: + - name: ButterCMS API Key + id: kingfisher.buttercms.1 + pattern: | + (?xi) + \b(?:butter(?:cms|_cms)) + (?:.|[\n\r]){0,32}? + (?:API[_-]?(?:KEY|TOKEN)|SECRET|TOKEN|KEY) + (?:.|[\n\r]){0,16}? + \b + ( + [a-z0-9]{40} + ) + \b + pattern_requirements: + min_digits: 3 + min_entropy: 3.5 + confidence: medium + examples: + - 'BUTTERCMS_API_TOKEN=a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0' + references: + - https://buttercms.com/docs/api/ + validation: + type: Http + content: + request: + method: GET + url: "https://api.buttercms.com/v2/posts/?auth_token={{ TOKEN }}&page_size=1" + headers: + Accept: application/json + response_matcher: + - report_response: true + - type: StatusMatch + status: [200] + - type: JsonValid diff --git a/crates/kingfisher-rules/data/rules/censys.yml b/crates/kingfisher-rules/data/rules/censys.yml new file mode 100644 index 0000000..58fa708 --- /dev/null 
+++ b/crates/kingfisher-rules/data/rules/censys.yml @@ -0,0 +1,62 @@ +rules: + - name: Censys API ID + id: kingfisher.censys.1 + visible: false + pattern: | + (?xi) + \b + censys + (?:.|[\n\r]){0,32}? + (?:API[_-]?ID|APP[_-]?ID|ID) + (?:.|[\n\r]){0,16}? + \b + ( + [0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} + ) + \b + min_entropy: 3.0 + confidence: medium + examples: + - 'CENSYS_API_ID=a1b2c3d4-e5f6-7890-abcd-ef1234567890' + + - name: Censys API Secret + id: kingfisher.censys.2 + pattern: | + (?xi) + \b + censys + (?:.|[\n\r]){0,32}? + (?:SECRET|API[_-]?SECRET|KEY|TOKEN) + (?:.|[\n\r]){0,16}? + \b + ( + [A-Za-z0-9]{32} + ) + \b + pattern_requirements: + min_digits: 3 + min_uppercase: 3 + min_lowercase: 3 + min_entropy: 3.5 + confidence: medium + examples: + - 'CENSYS_API_SECRET=aBcDeFgHiJkLmNoPqRsTuVwXyZ012345' + references: + - https://search.censys.io/api + depends_on_rule: + - rule_id: kingfisher.censys.1 + variable: CENSYS_API_ID + validation: + type: Http + content: + request: + method: GET + url: https://search.censys.io/api/v1/account + headers: + Accept: application/json + Authorization: "Basic {{ CENSYS_API_ID | append: ':' | append: TOKEN | b64enc }}" + response_matcher: + - report_response: true + - type: StatusMatch + status: [200] + - type: JsonValid diff --git a/crates/kingfisher-rules/data/rules/chartmogul.yml b/crates/kingfisher-rules/data/rules/chartmogul.yml new file mode 100644 index 0000000..42cdb52 --- /dev/null +++ b/crates/kingfisher-rules/data/rules/chartmogul.yml 
@@ -0,0 +1,40 @@ +rules: + - name: ChartMogul API Key + id: kingfisher.chartmogul.1 + pattern: | + (?xi) + \b + chartmogul + (?:.|[\n\r]){0,32}? + (?:API[_-]?KEY|SECRET|TOKEN|KEY) + (?:.|[\n\r]){0,16}? + \b + ( + [a-z0-9]{32} + ) + \b + pattern_requirements: + min_digits: 3 + min_entropy: 3.5 + confidence: medium + examples: + - 'CHARTMOGUL_API_KEY=a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6' + references: + - https://dev.chartmogul.com/reference/authentication + validation: + type: Http + content: + request: + method: GET + url: https://api.chartmogul.com/v1/ping + headers: + Accept: application/json + Authorization: "Basic {{ TOKEN | append: ':' | b64enc }}" + response_matcher: + - report_response: true + - type: StatusMatch + status: [200] + - type: JsonValid + - type: WordMatch + words: + - '"pong"' diff --git a/crates/kingfisher-rules/data/rules/clickup.yml b/crates/kingfisher-rules/data/rules/clickup.yml new file mode 100644 index 0000000..6082d59 --- /dev/null +++ b/crates/kingfisher-rules/data/rules/clickup.yml @@ -0,0 +1,39 @@ +rules: + - name: ClickUp Personal API Token + id: kingfisher.clickup.1 + pattern: | + (?xi) + \b + clickup + (?:.|[\n\r]){0,32}? + (?:API[_-]?KEY|SECRET|TOKEN|KEY) + (?:.|[\n\r]){0,16}? + \b + ( + pk_[0-9]{7,9}_[0-9A-Z]{32} + ) + \b + pattern_requirements: + min_digits: 8 + min_uppercase: 4 + min_entropy: 3.5 + confidence: medium + examples: + - 'CLICKUP_API_TOKEN=pk_4753994_EXP7MPOJ7XQM5UJDV2M45MPF0YHH5YHO' + - 'clickup_token: "pk_12345678_A1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6"' + references: + - https://clickup.com/api/ + validation: + type: Http + content: + request: + method: GET + url: https://api.clickup.com/api/v2/user + headers: + Accept: application/json + Authorization: "{{ TOKEN }}" + response_matcher: + - report_response: true + - type: StatusMatch + status: [200] + - type: JsonValid diff --git a/crates/kingfisher-rules/data/rules/closecrm.yml b/crates/kingfisher-rules/data/rules/closecrm.yml new file mode 100644 index 0000000..a654887 
--- /dev/null +++ b/crates/kingfisher-rules/data/rules/closecrm.yml @@ -0,0 +1,35 @@ +rules: + - name: Close CRM API Key + id: kingfisher.closecrm.1 + pattern: | + (?xi) + \b + ( + api_[A-Za-z0-9]{18,26}\.[A-Za-z0-9]{18,26} + ) + \b + pattern_requirements: + min_digits: 2 + min_uppercase: 2 + min_lowercase: 2 + min_entropy: 3.5 + confidence: medium + examples: + - 'CLOSE_API_KEY=api_7b8KOSMa0OevK9qJvT6F9s.2H3Bt8ktGaQ9kVK45P7j7p' + - 'close_key: "api_aBcDeFgHiJkLmNoPqRsT.uVwXyZ0123456789abcD"' + references: + - https://developer.close.com/ + validation: + type: Http + content: + request: + method: GET + url: https://api.close.com/api/v1/me/ + headers: + Accept: application/json + Authorization: "Basic {{ TOKEN | append: ':' | b64enc }}" + response_matcher: + - report_response: true + - type: StatusMatch + status: [200] + - type: JsonValid diff --git a/crates/kingfisher-rules/data/rules/configcat.yml b/crates/kingfisher-rules/data/rules/configcat.yml new file mode 100644 index 0000000..7feeac6 --- /dev/null +++ b/crates/kingfisher-rules/data/rules/configcat.yml 
@@ -0,0 +1,69 @@ +rules: + - name: ConfigCat SDK Key + id: kingfisher.configcat.1 + pattern: | + (?xi) + \b + configcat + (?:.|[\n\r]){0,32}? + (?:API[_-]?KEY|SECRET|TOKEN|KEY) + [\s:=}"']{1,16} + ( + [A-Za-z0-9_-]{22}/[A-Za-z0-9_-]{22} + ) + \b + pattern_requirements: + min_digits: 2 + min_uppercase: 2 + min_lowercase: 2 + min_entropy: 3.5 + confidence: medium + examples: + - 'CONFIGCAT_SDK_KEY=PKDVCLf-Hq-h-kCzMp-L7Q/psuH7BGHoUmdONrzzUOY7A' + - 'configcat_key: "PKDVCLf-Hq-h-kCzMp-L7Q/psuH7BGHoUmdONrzzUOY7A"' + references: + - https://configcat.com/docs/sdk-reference/overview/ + validation: + type: Http + content: + request: + method: GET + url: "https://cdn-global.configcat.com/configuration-files/{{ TOKEN }}/config_v6.json" + headers: + Accept: application/json + response_matcher: + - report_response: true + - type: StatusMatch + status: [200] + - type: JsonValid + + - name: ConfigCat SDK Key (Extended) + id: kingfisher.configcat.2 + pattern: | + (?xi) + \b + ( + configcat-sdk-1/[A-Za-z0-9_-]{22}/[A-Za-z0-9_-]{22} + ) + \b + pattern_requirements: + min_digits: 2 + min_entropy: 3.5 + confidence: medium + examples: + - 'CONFIGCAT_SDK_KEY=configcat-sdk-1/PKDVCLf-Hq-h-kCzMp-L7Q/psuH7BGHoUmdONrzzUOY7A' + references: + - https://configcat.com/docs/sdk-reference/overview/ + validation: + type: Http + content: + request: + method: GET + url: "https://cdn-global.configcat.com/configuration-files/{{ TOKEN }}/config_v6.json" + headers: + Accept: application/json + response_matcher: + - report_response: true + - type: StatusMatch + status: [200] + - type: JsonValid diff --git a/crates/kingfisher-rules/data/rules/detectify.yml b/crates/kingfisher-rules/data/rules/detectify.yml new file mode 100644 index 0000000..b13ed24 --- /dev/null +++ b/crates/kingfisher-rules/data/rules/detectify.yml 
@@ -0,0 +1,37 @@ +rules: + - name: Detectify API Key + id: kingfisher.detectify.1 + pattern: | + (?xi) + \b + detectify + (?:.|[\n\r]){0,32}? + (?:API[_-]?KEY|SECRET|TOKEN|KEY) + (?:.|[\n\r]){0,16}? + \b + ( + [0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} + ) + \b + pattern_requirements: + min_digits: 4 + min_entropy: 3.5 + confidence: medium + examples: + - 'DETECTIFY_API_KEY=2230dbea-051a-47f1-bc1d-c1b73b609420' + references: + - https://developer.detectify.com/ + validation: + type: Http + content: + request: + method: GET + url: https://api.detectify.com/rest/v3/ips?limit=1 + headers: + Accept: application/json + Authorization: "{{ TOKEN }}" + response_matcher: + - report_response: true + - type: StatusMatch + status: [200] + - type: JsonValid diff --git a/crates/kingfisher-rules/data/rules/ghost.yml b/crates/kingfisher-rules/data/rules/ghost.yml new file mode 100644 index 0000000..52d823c --- /dev/null +++ b/crates/kingfisher-rules/data/rules/ghost.yml 
@@ -0,0 +1,50 @@ +rules: + - name: Ghost CMS Admin API Key + id: kingfisher.ghost.1 + pattern: | + (?xi) + \b + ghost + (?:.|[\n\r]){0,32}? + (?:ADMIN|SECRET|TOKEN|KEY) + (?:.|[\n\r]){0,16}? + \b + ( + [0-9a-f]{24}:[0-9a-f]{64} + ) + \b + pattern_requirements: + min_digits: 4 + min_lowercase: 4 + min_entropy: 3.5 + confidence: medium + examples: + - 'GHOST_ADMIN_API_KEY=1efedd9db174adee2d23d982:4b74dca0219bad629852191af326a45037346c2231240e0f7aec1f9371cc14e8' + - 'ghost_key = "6101c750c9d0ab0e34567890:abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890"' + references: + - https://ghost.org/docs/admin-api/ + - https://ghost.org/docs/admin-api/#token-authentication + + - name: Ghost CMS Content API Key + id: kingfisher.ghost.2 + pattern: | + (?xi) + \b(?:ghost|content[_-]?api) + (?:.|[\n\r]){0,48}? + (?:KEY|TOKEN|SECRET|API) + (?:.|[\n\r]){0,24}? + \b + ( + [0-9a-f]{26} + ) + \b + pattern_requirements: + min_digits: 3 + min_entropy: 3.0 + confidence: medium + examples: + - 'GHOST_CONTENT_API_KEY=22444f78447824223cefc48062' + - 'ghost_api_key: "a1b2c3d4e5f6a7b8c9d0e1f2a3"' + references: + - https://ghost.org/docs/content-api/ + # No validation: Ghost Content API keys are site-specific and require the Ghost site URL. diff --git a/crates/kingfisher-rules/data/rules/hetzner.yml b/crates/kingfisher-rules/data/rules/hetzner.yml new file mode 100644 index 0000000..4fffdd8 --- /dev/null +++ b/crates/kingfisher-rules/data/rules/hetzner.yml 
@@ -0,0 +1,39 @@ +rules: + - name: Hetzner Cloud API Token + id: kingfisher.hetzner.1 + pattern: | + (?xi) + \b(?:hetzner|hcloud) + (?:.|[\n\r]){0,48}? + (?:API[_-]?TOKEN|TOKEN|SECRET|KEY) + (?:.|[\n\r]){0,24}? + \b + ( + [A-Za-z0-9]{64} + ) + \b + pattern_requirements: + min_digits: 3 + min_uppercase: 3 + min_lowercase: 3 + min_entropy: 4.0 + confidence: medium + examples: + - 'HETZNER_API_TOKEN=CqM049yakVZO8EndHyyawia3EjIboWMVeoEeMW0UVN0SpTXryKh0zrtnGpeyAjTs' + - 'HCLOUD_TOKEN=aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789aBcDeFgHiJkLmNoPqRsTuVwXy012' + references: + - https://docs.hetzner.cloud/ + validation: + type: Http + content: + request: + method: GET + url: https://api.hetzner.cloud/v1/servers?per_page=1 + headers: + Accept: application/json + Authorization: "Bearer {{ TOKEN }}" + response_matcher: + - report_response: true + - type: StatusMatch + status: [200] + - type: JsonValid diff --git a/crates/kingfisher-rules/data/rules/livekit.yml b/crates/kingfisher-rules/data/rules/livekit.yml new file mode 100644 index 0000000..9d50693 --- /dev/null +++ b/crates/kingfisher-rules/data/rules/livekit.yml 
@@ -0,0 +1,52 @@ +rules: + - name: LiveKit API Key + id: kingfisher.livekit.1 + visible: false + pattern: | + (?xi) + \b(?:livekit|LIVEKIT) + (?:.|[\n\r]){0,32}? + (?:API[_-]?KEY|KEY|ACCESS) + (?:.|[\n\r]){0,16}? + \b + ( + API[A-Za-z0-9]{12} + ) + \b + pattern_requirements: + min_digits: 1 + min_uppercase: 3 + min_entropy: 2.5 + confidence: medium + examples: + - 'LIVEKIT_API_KEY=APIa3B4c5D6e7F8' + - 'livekit_key: "API2K4m6N8p3R5s"' + references: + - https://docs.livekit.io/home/get-started/authentication/ + + - name: LiveKit API Secret + id: kingfisher.livekit.2 + pattern: | + (?xi) + \b(?:livekit|LIVEKIT) + (?:.|[\n\r]){0,32}? + (?:SECRET|PRIVATE|ACCESS) + (?:.|[\n\r]){0,16}? + \b + ( + [A-Za-z0-9]{40,48} + ) + \b + pattern_requirements: + min_digits: 3 + min_uppercase: 3 + min_lowercase: 3 + min_entropy: 4.0 + confidence: medium + examples: + - 'LIVEKIT_API_SECRET=aBcDeFgHiJkLmNoPqRsTuVwXyZ01234567890abcde' + references: + - https://docs.livekit.io/home/get-started/authentication/ + depends_on_rule: + - rule_id: kingfisher.livekit.1 + variable: LIVEKIT_API_KEY diff --git a/crates/kingfisher-rules/data/rules/loops.yml b/crates/kingfisher-rules/data/rules/loops.yml new file mode 100644 index 0000000..97c3bde --- /dev/null +++ b/crates/kingfisher-rules/data/rules/loops.yml 
@@ -0,0 +1,41 @@ +rules: + - name: Loops Email API Key + id: kingfisher.loops.1 + pattern: | + (?xi) + \b + loops + (?:.|[\n\r]){0,32}? + (?:API[_-]?KEY|SECRET|TOKEN|KEY) + (?:.|[\n\r]){0,16}? + \b + ( + [0-9a-f]{32} + ) + \b + pattern_requirements: + min_digits: 3 + min_entropy: 3.5 + confidence: medium + examples: + - 'LOOPS_API_KEY=d2d561f5ff80136f69b4b5a31b9fb3c9' + references: + - https://loops.so/docs/api-reference/intro + validation: + type: Http + content: + request: + method: GET + url: https://app.loops.so/api/v1/api-key + headers: + Accept: application/json + Authorization: "Bearer {{ TOKEN }}" + response_matcher: + - report_response: true + - type: StatusMatch + status: [200] + - type: WordMatch + words: + - '"success"' + - 'true' + match_all_words: true diff --git a/crates/kingfisher-rules/data/rules/moralis.yml b/crates/kingfisher-rules/data/rules/moralis.yml new file mode 100644 index 0000000..3a34d78 --- /dev/null +++ b/crates/kingfisher-rules/data/rules/moralis.yml @@ -0,0 +1,39 @@ +rules: + - name: Moralis API Key + id: kingfisher.moralis.1 + pattern: | + (?xi) + \b + moralis + (?:.|[\n\r]){0,32}? + (?:API[_-]?KEY|SECRET|TOKEN|KEY|WEB3) + (?:.|[\n\r]){0,16}? + \b + ( + [0-9a-zA-Z]{64} + ) + \b + pattern_requirements: + min_digits: 3 + min_uppercase: 3 + min_lowercase: 3 + min_entropy: 4.0 + confidence: medium + examples: + - 'MORALIS_API_KEY=aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789aBcDeFgHiJkLmNoPqRsTuVwXy012' + references: + - https://docs.moralis.io/web3-data-api/evm/reference + validation: + type: Http + content: + request: + method: GET + url: https://deep-index.moralis.io/api/v2.2/web3/version + headers: + Accept: application/json + X-API-Key: "{{ TOKEN }}" + response_matcher: + - report_response: true + - type: StatusMatch + status: [200] + - type: JsonValid diff --git a/crates/kingfisher-rules/data/rules/pandadoc.yml b/crates/kingfisher-rules/data/rules/pandadoc.yml new file mode 100644 index 0000000..d0c4fa0 --- /dev/null 
+++ b/crates/kingfisher-rules/data/rules/pandadoc.yml @@ -0,0 +1,38 @@ +rules: + - name: PandaDoc API Key + id: kingfisher.pandadoc.1 + pattern: | + (?xi) + \b(?:pandadoc) + (?:.|[\n\r]){0,32}? + (?:API[_-]?KEY|SECRET|TOKEN|KEY) + (?:.|[\n\r]){0,16}? + \b + ( + [a-zA-Z0-9]{40} + ) + \b + pattern_requirements: + min_digits: 3 + min_uppercase: 3 + min_lowercase: 3 + min_entropy: 3.5 + confidence: medium + examples: + - 'PANDADOC_API_KEY=aBcDeFgHiJkLmNoPqRsTuVwXyZ01234567890abc' + references: + - https://developers.pandadoc.com/reference/about + validation: + type: Http + content: + request: + method: GET + url: https://api.pandadoc.com/public/v1/documents?count=1 + headers: + Accept: application/json + Authorization: "API-Key {{ TOKEN }}" + response_matcher: + - report_response: true + - type: StatusMatch + status: [200] + - type: JsonValid diff --git a/crates/kingfisher-rules/data/rules/permitio.yml b/crates/kingfisher-rules/data/rules/permitio.yml new file mode 100644 index 0000000..f0e267b --- /dev/null +++ b/crates/kingfisher-rules/data/rules/permitio.yml @@ -0,0 +1,35 @@ +rules: + - name: Permit.io API Key + id: kingfisher.permitio.1 + pattern: | + (?x) + \b + ( + permit_key_[0-9A-Za-z]{85,86} + ) + \b + pattern_requirements: + min_digits: 2 + min_uppercase: 2 + min_lowercase: 2 + min_entropy: 3.5 + confidence: medium + examples: + - 'PERMIT_API_KEY=permit_key_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVW' + - 'permit_key: "permit_key_9876543210zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA9876543210zyxwvutsrqponm"' + references: + - https://docs.permit.io/overview/get-api-key/ + validation: + type: Http + content: + request: + method: GET + url: https://api.permit.io/v2/api-key/scope + headers: + Accept: application/json + Authorization: "Bearer {{ TOKEN }}" + response_matcher: + - report_response: true + - type: StatusMatch + status: [200] + - type: JsonValid 
diff --git a/crates/kingfisher-rules/data/rules/pinata.yml b/crates/kingfisher-rules/data/rules/pinata.yml new file mode 100644 index 0000000..b44cb6a --- /dev/null +++ b/crates/kingfisher-rules/data/rules/pinata.yml @@ -0,0 +1,66 @@ +rules: + - name: Pinata API Key + id: kingfisher.pinata.1 + visible: false + pattern: | + (?xi) + \b + pinata + (?:.|[\n\r]){0,32}? + (?:API[_-]?KEY|KEY) + (?:.|[\n\r]){0,16}? + \b + ( + [0-9a-f]{64} + ) + \b + pattern_requirements: + min_digits: 4 + min_entropy: 3.5 + confidence: medium + examples: + - 'PINATA_API_KEY=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2' + + - name: Pinata API Secret + id: kingfisher.pinata.2 + pattern: | + (?xi) + \b + pinata + (?:.|[\n\r]){0,32}? + (?:API[_-]?SECRET|SECRET[_-]?KEY|SECRET) + (?:.|[\n\r]){0,16}? + \b + ( + [0-9a-f]{64} + ) + \b + pattern_requirements: + min_digits: 4 + min_entropy: 3.5 + confidence: medium + examples: + - 'PINATA_API_SECRET=f0e1d2c3b4a5f6e7d8c9b0a1f2e3d4c5b6a7f8e9d0c1b2a3f4e5d6c7b8a9f0e1' + references: + - https://docs.pinata.cloud/api-reference/introduction + depends_on_rule: + - rule_id: kingfisher.pinata.1 + variable: PINATA_API_KEY + validation: + type: Http + content: + request: + method: GET + url: https://api.pinata.cloud/data/testAuthentication + headers: + Accept: application/json + pinata_api_key: "{{ PINATA_API_KEY }}" + pinata_secret_api_key: "{{ TOKEN }}" + response_matcher: + - report_response: true + - type: StatusMatch + status: [200] + - type: WordMatch + words: + - '"message"' + - 'Congratulations' diff --git a/crates/kingfisher-rules/data/rules/portainer.yml b/crates/kingfisher-rules/data/rules/portainer.yml new file mode 100644 index 0000000..4e48690 --- /dev/null +++ b/crates/kingfisher-rules/data/rules/portainer.yml 
@@ -0,0 +1,22 @@ +rules: + - name: Portainer API Token + id: kingfisher.portainer.1 + pattern: | + (?x) + \b + ( + ptr_[A-Za-z0-9/+_=-]{32,52} + ) + \b + pattern_requirements: + min_digits: 2 + min_uppercase: 2 + min_lowercase: 2 + min_entropy: 3.5 + confidence: medium + examples: + - 'PORTAINER_API_KEY=ptr_aBcDeFgHiJkLmNoPqRsTuVwXyZ012345678901' + - 'portainer_token: "ptr_xY9zW8vU7tS6rQ5pN4mL3kJ2iH1gF0eD9cB8aZ7"' + references: + - https://docs.portainer.io/api/access + # No validation: Portainer API tokens require the user's Portainer server URL. diff --git a/crates/kingfisher-rules/data/rules/robinhood.yml b/crates/kingfisher-rules/data/rules/robinhood.yml new file mode 100644 index 0000000..fd63eee --- /dev/null +++ b/crates/kingfisher-rules/data/rules/robinhood.yml @@ -0,0 +1,21 @@ +rules: + - name: Robinhood Crypto API Key + id: kingfisher.robinhood.1 + pattern: | + (?x) + \b + ( + rh-api- + [0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12} + ) + \b + pattern_requirements: + min_digits: 4 + min_entropy: 3.0 + confidence: medium + examples: + - 'ROBINHOOD_API_KEY=rh-api-a1b2c3d4-e5f6-7890-abcd-ef1234567890' + - 'rh_api_key: "rh-api-12345678-abcd-ef01-2345-6789abcdef01"' + references: + - https://docs.robinhood.com/crypto/trading/ + # No validation: Robinhood Crypto requests require an API key plus Ed25519 request signing. diff --git a/crates/kingfisher-rules/data/rules/saladcloud.yml b/crates/kingfisher-rules/data/rules/saladcloud.yml new file mode 100644 index 0000000..56cbf3d --- /dev/null +++ b/crates/kingfisher-rules/data/rules/saladcloud.yml 
@@ -0,0 +1,34 @@ +rules: + - name: SaladCloud API Key + id: kingfisher.saladcloud.1 + pattern: | + (?x) + \b + ( + salad_cloud_[0-9A-Za-z]{1,7}_[0-9A-Za-z]{7,40} + ) + \b + pattern_requirements: + min_digits: 2 + min_lowercase: 4 + min_entropy: 3.0 + confidence: medium + examples: + - 'SALAD_API_KEY=salad_cloud_abc1234_xY9zW8vU7tS6rQ5pN4mL3kJ2iH1gF0e' + - 'salad_key: "salad_cloud_org42_a1B2c3D4e5F6g7H8i9J0"' + references: + - https://docs.salad.com/reference/api-reference + validation: + type: Http + content: + request: + method: GET + url: https://api.salad.com/api/public/organizations + headers: + Accept: application/json + Salad-Api-Key: "{{ TOKEN }}" + response_matcher: + - report_response: true + - type: StatusMatch + status: [200] + - type: JsonValid diff --git a/crates/kingfisher-rules/data/rules/tigris.yml b/crates/kingfisher-rules/data/rules/tigris.yml new file mode 100644 index 0000000..5a6040b --- /dev/null +++ b/crates/kingfisher-rules/data/rules/tigris.yml 
@@ -0,0 +1,45 @@ +rules: + - name: Tigris Access Key ID + id: kingfisher.tigris.1 + visible: false + pattern: | + (?x) + \b + ( + tid_[A-Za-z0-9_]{43,55} + ) + \b + pattern_requirements: + min_uppercase: 4 + min_lowercase: 4 + min_entropy: 3.5 + confidence: medium + examples: + - 'TIGRIS_ACCESS_KEY=tid_zkrUeBLpqV_TOdaZzjYefcGEZJrZJqQHvmidyMx_VJtknmcWhC' + - 'AWS_ACCESS_KEY_ID=tid_sIYWNboOecJPzFPmgbOmxsfSqjwbmYmSoGAlrylliULbhiysCJ' + references: + - https://www.tigrisdata.com/docs/concepts/authnz/ + + - name: Tigris Secret Access Key + id: kingfisher.tigris.2 + pattern: | + (?xi) + \b + ( + tsec_[A-Za-z0-9_]{43,55} + ) + \b + pattern_requirements: + min_digits: 2 + min_uppercase: 4 + min_lowercase: 4 + min_entropy: 3.5 + confidence: medium + examples: + - 'TIGRIS_SECRET_KEY=tsec_pQrStUvWxYzAbCdEfGhIjKlMnOpQrStUvWxYz_012345678aB' + - 'AWS_SECRET_ACCESS_KEY=tsec_mNbVcXzAsWqErTyUiOpLkJhGfDsAzXcVbNmQwErTyUi_9876' + references: + - https://www.tigrisdata.com/docs/concepts/authnz/ + depends_on_rule: + - rule_id: kingfisher.tigris.1 + variable: TIGRIS_ACCESS_KEY diff --git a/crates/kingfisher-rules/data/rules/unleash.yml b/crates/kingfisher-rules/data/rules/unleash.yml new file mode 100644 index 0000000..bd49e6f --- /dev/null +++ b/crates/kingfisher-rules/data/rules/unleash.yml 
@@ -0,0 +1,52 @@ +rules: + - name: Unleash Client/Admin API Token + id: kingfisher.unleash.1 + pattern: | + (?xi) + \b + unleash + (?:.|[\n\r]){0,32}? + (?:API[_-]?TOKEN|CLIENT[_-]?KEY|ADMIN[_-]?TOKEN|TOKEN|KEY) + (?:.|[\n\r]){0,16}? + ( + (?:\*|\[\]|[a-z][a-z0-9-]*) + : + [a-z][a-z0-9-]* + \. + [0-9a-f]{56} + ) + \b + pattern_requirements: + min_digits: 4 + min_lowercase: 10 + min_entropy: 3.0 + confidence: medium + examples: + - 'UNLEASH_API_TOKEN=default:development.be44368985f7fb3237c584ef86f3d6bdada42ddbd63a019d26955178' + - 'unleash_token: "*:production.a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8"' + references: + - https://docs.getunleash.io/reference/api-tokens-and-client-keys + + - name: Unleash Personal Access Token + id: kingfisher.unleash.2 + pattern: | + (?xi) + \b + unleash + (?:.|[\n\r]){0,32}? + (?:PAT|PERSONAL[_-]?ACCESS[_-]?TOKEN|API[_-]?TOKEN|TOKEN|KEY) + (?:.|[\n\r]){0,16}? + \b + ( + user:[0-9a-f]{56} + ) + \b + pattern_requirements: + min_digits: 4 + min_entropy: 3.5 + confidence: medium + examples: + - 'UNLEASH_PAT=user:be7536c3a160ff15e3a92da45de531dd54bc1ae15d8455c0476f086b' + - 'unleash_pat: "user:a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8"' + references: + - https://docs.getunleash.io/reference/api-tokens-and-client-keys diff --git a/crates/kingfisher-rules/data/rules/upcloud.yml b/crates/kingfisher-rules/data/rules/upcloud.yml new file mode 100644 index 0000000..113f9a8 --- /dev/null +++ b/crates/kingfisher-rules/data/rules/upcloud.yml 
@@ -0,0 +1,35 @@ +rules: + - name: UpCloud API Token + id: kingfisher.upcloud.1 + pattern: | + (?xi) + \b + ( + ucat_[0-9A-HJKMNP-TV-Z]{26} + ) + \b + pattern_requirements: + min_digits: 2 + min_uppercase: 4 + min_entropy: 3.5 + confidence: medium + examples: + - 'UPCLOUD_API_TOKEN=ucat_01DQE3AJDEBFEKECFM558TGH2F' + - 'upcloud_token: "ucat_01J9K4BNZM3RGXW7VDQFTHY5PC"' + references: + - https://upcloud.com/docs/guides/managing-api-tokens/ + - https://developers.upcloud.com/1.3/24-api-tokens/ + validation: + type: Http + content: + request: + method: GET + url: https://api.upcloud.com/1.3/account + headers: + Accept: application/json + Authorization: "Bearer {{ TOKEN }}" + response_matcher: + - report_response: true + - type: StatusMatch + status: [200] + - type: JsonValid diff --git a/crates/kingfisher-rules/data/rules/voiceflow.yml b/crates/kingfisher-rules/data/rules/voiceflow.yml new file mode 100644 index 0000000..dbf372a --- /dev/null +++ b/crates/kingfisher-rules/data/rules/voiceflow.yml @@ -0,0 +1,43 @@ +rules: + - name: Voiceflow API Key + id: kingfisher.voiceflow.1 + pattern: | + (?xi) + \b + ( + VF\.(?:(?:DM|WS)\.) + [0-9a-f]{24} + \. + [0-9a-zA-Z]{16} + ) + \b + pattern_requirements: + min_digits: 3 + min_lowercase: 4 + min_entropy: 3.0 + confidence: medium + examples: + - 'VOICEFLOW_API_KEY=VF.DM.6421e3d5b1e4a9001d2b7c8f.a1B2c3D4e5F6g7H8' + - 'voiceflow_key: "VF.WS.53a1b2c3d4e5f6001a2b3c4d.xY9zW8vU7tS6rQ5p"' + references: + - https://developer.voiceflow.com/reference/overview + validation: + type: Http + content: + request: + method: POST + url: https://general-runtime.voiceflow.com/knowledge-base/query + headers: + Accept: application/json + Authorization: "{{ TOKEN }}" + Content-Type: application/json + body: | + {"question": "test"} + response_matcher: + - report_response: true + - type: StatusMatch + status: [200, 400, 404] + - type: WordMatch + negative: true + words: + - '"Unauthorized"' 
diff --git a/crates/kingfisher-rules/data/rules/wistia.yml b/crates/kingfisher-rules/data/rules/wistia.yml new file mode 100644 index 0000000..b4da6c8 --- /dev/null +++ b/crates/kingfisher-rules/data/rules/wistia.yml @@ -0,0 +1,36 @@ +rules: + - name: Wistia API Token + id: kingfisher.wistia.1 + pattern: | + (?xi) + \b + wistia + (?:.|[\n\r]){0,32}? + (?:API[_-]?(?:KEY|TOKEN|PASSWORD)|TOKEN|SECRET|KEY) + (?:.|[\n\r]){0,16}? + \b + ( + [0-9a-f]{64} + ) + \b + pattern_requirements: + min_digits: 4 + min_entropy: 3.5 + confidence: medium + examples: + - 'WISTIA_API_TOKEN=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2' + references: + - https://wistia.com/support/developers/data-api + validation: + type: Http + content: + request: + method: GET + url: "https://api.wistia.com/v1/account.json?api_password={{ TOKEN }}" + headers: + Accept: application/json + response_matcher: + - report_response: true + - type: StatusMatch + status: [200] + - type: JsonValid diff --git a/crates/kingfisher-rules/data/rules/zerotier.yml b/crates/kingfisher-rules/data/rules/zerotier.yml new file mode 100644 index 0000000..23b9977 --- /dev/null +++ b/crates/kingfisher-rules/data/rules/zerotier.yml 
@@ -0,0 +1,40 @@ +rules: + - name: ZeroTier API Token + id: kingfisher.zerotier.1 + pattern: | + (?xi) + \b + (?:zerotier|zt) + (?:.|[\n\r]){0,32}? + (?:API[_-]?(?:TOKEN|KEY)|TOKEN|SECRET|KEY|ACCESS) + (?:.|[\n\r]){0,16}? + \b + ( + [A-Za-z0-9]{32} + ) + \b + pattern_requirements: + min_digits: 3 + min_uppercase: 3 + min_lowercase: 3 + min_entropy: 3.5 + confidence: medium + examples: + - 'ZEROTIER_API_TOKEN=aBcDeFgHiJkLmNoPqRsTuVwXyZ012345' + - 'ZT_TOKEN=xY9zW8vU7tS6rQ5pN4mL3kJ2iH1gF0eD' + references: + - https://docs.zerotier.com/api/tokens/ + validation: + type: Http + content: + request: + method: GET + url: https://api.zerotier.com/api/v1/status + headers: + Accept: application/json + Authorization: "token {{ TOKEN }}" + response_matcher: + - report_response: true + - type: StatusMatch + status: [200] + - type: JsonValid diff --git a/docs-site/docs/changelog.md b/docs-site/docs/changelog.md index ff04027..b9084ad 100644 --- a/docs-site/docs/changelog.md +++ b/docs-site/docs/changelog.md 
@@ -7,9 +7,13 @@ description: "Kingfisher release history: new features, rules, bug fixes, and im All notable changes to this project will be documented in this file. -## [v1.97.0] +## [v1.96.0] - Added live HTTP validation for 18 rules across 15 providers: Val Town, Polar, hCaptcha, Thunderstore, Elastic Cloud (2 rules), LlamaCloud, Gemfury (2 rules), Vonage, ThingsBoard, Zapier, Facebook Access Token, GitLab Session Cookie, PostHog Feature Flags, Unkey API Key, and Hop.io (2 rules). - Added revocation support for 7 rules across 6 providers: Discord webhooks (single-step DELETE), DigitalOcean PATs (self-revoke via OAuth), and multi-step HttpMultiStep revocation for LaunchDarkly, Resend, Linode, and Netlify (2 rules). Built-in revocation coverage is now 34 provider families with 53 revocation-enabled rules. +- Expanded Alibaba Cloud coverage with STS temporary credential detection for STS access key IDs, STS security tokens, and STS access key secrets. Built-in rule coverage is now 921 rules total. +- Added 61 new detection rules across 46 providers: Axiom (API token + PAT), Trigger.dev (secret key + PAT), Dub.co, Svix webhook signing secret, Liveblocks, Inngest (signing key + event key), Seam, Courier, Cal.com, Arcjet, WarpStream, Mem0, Mintlify, Pirsch, Tinybird, Tolgee (project key + PAT), Ory (API key + session + OAuth2 tokens), Xendit, Xata, Crossmint (server + client keys), DeepL (Free + Pro), Flagsmith, E2B, Infisical, WooCommerce (consumer key + secret), Nightfall AI, Ramp (client ID + secret), Hex.pm (personal + workspace tokens), Convex deploy key, MiniMax, Mappedin (key + secret), Pollinations (secret + publishable), Fal.ai, Aikido, Hack Club, GuardSquare, Browser Use, Composio, Gamma, Hex.tech, Mastra, redirect.pizza, Upstash, and WorkOS. Also added new prefixed-token rules for Netlify (`nfp_`), Cloudflare (`cfut_`), and Supabase (`sb_publishable_`). Added live HTTP validation for 30 of these rules. 
+- Added 32 new detection rules across 25 providers: Ghost CMS (admin + content keys), UpCloud (`ucat_`), Voiceflow (`VF.DM.`/`VF.WS.`), Robinhood Crypto (`rh-api-`), ClickUp (`pk_`), Unleash (client/admin + personal tokens), ConfigCat (standard + extended SDK keys), SaladCloud (`salad_cloud_`), Tigris (`tid_`/`tsec_`), Portainer (`ptr_`), Permit.io (`permit_key_`), Builder.io (`bpk-`), LiveKit (API key + secret), Close CRM (`api_`), Hetzner Cloud, Censys (API ID + secret), Wistia, PandaDoc, Pinata (key + secret), ZeroTier, Detectify, ChartMogul, Moralis, ButterCMS, and Loops. Includes HTTP validation for 19 of these rules. +- Removed 17 direct dependencies from the root crate by dropping unused deps (`p256`, `ed25519-dalek`, `jsonwebtoken`, `gitlab`, `lazy_static`, `base32`, `pem`, `byteorder`, `reqwest-middleware`, `sha1`, `time`, `ring`, `num_cpus`, `strum_macros`), replacing `once_cell` with `std::sync::{LazyLock, OnceLock}`, and using `std::thread::available_parallelism()` in place of `num_cpus`. Salt generation now uses `rand` instead of `ring`, and all `strum_macros::Display` imports are consolidated under `strum::Display`. ## [v1.95.0] - Fixed scan performance regression: the rule profiler was unconditionally active even without `--rule-stats`, causing RwLock contention across scan threads. Scans are now ~15% faster than v1.94.0. diff --git a/docs-site/docs/index.md b/docs-site/docs/index.md index afc7ea3..39c414d 100644 --- a/docs-site/docs/index.md +++ b/docs-site/docs/index.md @@ -2,7 +2,7 @@ title: Kingfisher — Open Source Secret Scanner with Live Validation description: >- Kingfisher is an open source secret scanner with live validation, blast radius - mapping, and credential revocation. 825 detection rules. Built in Rust by MongoDB. + mapping, and credential revocation. 921 detection rules. Built in Rust by MongoDB. template: home.html hide: - navigation 
diff --git a/docs-site/docs/reference/library.md b/docs-site/docs/reference/library.md index c9f0fa6..98e7ee1 100644 --- a/docs-site/docs/reference/library.md +++ b/docs-site/docs/reference/library.md @@ -268,7 +268,7 @@ flowchart TD ### Loading Builtin Rules -Kingfisher currently ships with 825 built-in rules for common secret types: +Kingfisher currently ships with 921 built-in rules for common secret types: ```rust use kingfisher_rules::{get_builtin_rules, Confidence}; diff --git a/docs-site/docs/rules/builtin-rules.md b/docs-site/docs/rules/builtin-rules.md index 1e1bf4e..075bd72 100644 --- a/docs-site/docs/rules/builtin-rules.md +++ b/docs-site/docs/rules/builtin-rules.md @@ -1,13 +1,13 @@ --- title: "Built-in Rules List" -description: "Complete list of all 825 built-in secret detection rules in Kingfisher. Searchable and filterable by provider, confidence level, and validation support." +description: "Complete list of all 921 built-in secret detection rules in Kingfisher. Searchable and filterable by provider, confidence level, and validation support." --- # Built-in Rules -Kingfisher ships with **825 detection rules** across **510 providers** -(719 detectors + 106 dependent rules). -Of these, **521** include live validation and **46** support direct revocation. +Kingfisher ships with **921 detection rules** across **579 providers** +(808 detectors + 113 dependent rules). +Of these, **596** include live validation and **53** support direct revocation. !!! tip "Search" Use the search box below to filter rules by provider name, rule ID, or confidence level. @@ -55,7 +55,7 @@ Of these, **521** include live validation and **46** support direct revocation. Adafruitio Adafruit IO Key kingfisher.adafruitio.1 -High +Medium Yes @@ -156,6 +156,14 @@ Of these, **521** include live validation and **46** support direct revocation. +Aikido +Aikido CI Token +kingfisher.aikido.1 +Medium +Yes + + + Airbrake Airbrake User Key kingfisher.airbrake.1 
@@ -191,7 +199,7 @@ Of these, **521** include live validation and **46** support direct revocation. Akamai Akamai API Client Token kingfisher.akamai.1 -High +Medium @@ -260,6 +268,30 @@ Of these, **521** include live validation and **46** support direct revocation. +Alibaba +Alibaba STS Access Key ID +kingfisher.alibabacloud.3 +Medium + + + + +Alibaba +Alibaba STS Security Token +kingfisher.alibabacloud.4 +Medium + + + + +Alibaba +Alibaba STS Access Key Secret +kingfisher.alibabacloud.5 +Medium +Yes + + + Amazonmws Amazon MWS Auth Token kingfisher.amazonmws.1 @@ -287,7 +319,7 @@ Of these, **521** include live validation and **46** support direct revocation. Anthropic Anthropic API Key kingfisher.anthropic.1 -High +Medium Yes @@ -332,6 +364,14 @@ Of these, **521** include live validation and **46** support direct revocation. +Arcjet +Arcjet API Key +kingfisher.arcjet.1 +Medium + + + + Artifactory Artifactory Access Token kingfisher.artifactory.1 @@ -516,6 +556,22 @@ Of these, **521** include live validation and **46** support direct revocation. +Axiom +Axiom API Token +kingfisher.axiom.1 +Medium +Yes + + + +Axiom +Axiom Personal Access Token +kingfisher.axiom.2 +Medium +Yes + + + Azure Azure Connection String kingfisher.azure.1 @@ -1068,6 +1124,22 @@ Of these, **521** include live validation and **46** support direct revocation. +Browseruse +Browser Use API Key +kingfisher.browseruse.1 +Medium +Yes + + + +Builderio +Builder.io Private API Key +kingfisher.builderio.1 +Medium + + + + Buildkite Buildkite API Key kingfisher.buildkite.1 @@ -1084,6 +1156,22 @@ Of these, **521** include live validation and **46** support direct revocation. +Buttercms +ButterCMS API Key +kingfisher.buttercms.1 +Medium +Yes + + + +Calcom +Cal.com API Key +kingfisher.calcom.1 +Medium +Yes + + + Calendly Calendly Personal Access Token kingfisher.calendly.1 
@@ -1095,7 +1183,7 @@ Of these, **521** include live validation and **46** support direct revocation. Canva Canva Connect API Client Secret kingfisher.canva.1 -High +Medium @@ -1108,6 +1196,22 @@ Of these, **521** include live validation and **46** support direct revocation. +Censys +Censys API ID +kingfisher.censys.1 +Medium + + + + +Censys +Censys API Secret +kingfisher.censys.2 +Medium +Yes + + + Cerebras Cerebras AI API Key kingfisher.cerebras.1 @@ -1124,6 +1228,14 @@ Of these, **521** include live validation and **46** support direct revocation. +Chartmogul +ChartMogul API Key +kingfisher.chartmogul.1 +Medium +Yes + + + Checkout Checkout.com Secret Key kingfisher.checkout.1 @@ -1220,6 +1332,14 @@ Of these, **521** include live validation and **46** support direct revocation. +Clickup +ClickUp Personal API Token +kingfisher.clickup.1 +Medium +Yes + + + Clockwork Clockwork SMS API Key kingfisher.clockwork.1 @@ -1244,10 +1364,18 @@ Of these, **521** include live validation and **46** support direct revocation. +Closecrm +Close CRM API Key +kingfisher.closecrm.1 +Medium +Yes + + + Cloudant IBM Cloudant Legacy Credentials kingfisher.cloudant.1 -High +Medium @@ -1268,6 +1396,14 @@ Of these, **521** include live validation and **46** support direct revocation. +Cloudflare +Cloudflare User API Token (cfut_ prefix) +kingfisher.cloudflare.3 +Medium +Yes + + + Cloudinary Cloudinary API Secret kingfisher.cloudinary.1 @@ -1380,6 +1516,30 @@ Of these, **521** include live validation and **46** support direct revocation. +Composio +Composio API Key +kingfisher.composio.1 +Medium +Yes + + + +Configcat +ConfigCat SDK Key +kingfisher.configcat.1 +Medium +Yes + + + +Configcat +ConfigCat SDK Key (Extended) +kingfisher.configcat.2 +Medium +Yes + + + Confluent Confluent Client ID kingfisher.confluent.1 
@@ -1436,6 +1596,14 @@ Of these, **521** include live validation and **46** support direct revocation. +Convex +Convex Deploy Key +kingfisher.convex.1 +Medium + + + + Couchbase Couchbase Capella API Key kingfisher.couchbase.1 @@ -1444,6 +1612,14 @@ Of these, **521** include live validation and **46** support direct revocation. +Courier +Courier API Key +kingfisher.courier.1 +Medium +Yes + + + Coveralls Coveralls Repo Identifier kingfisher.coveralls.1 @@ -1484,6 +1660,22 @@ Of these, **521** include live validation and **46** support direct revocation. +Crossmint +Crossmint Server API Key +kingfisher.crossmint.1 +Medium +Yes + + + +Crossmint +Crossmint Client API Key +kingfisher.crossmint.2 +Medium + + + + Curl Curl Basic Authentication Credentials kingfisher.curl.1 @@ -1644,6 +1836,22 @@ Of these, **521** include live validation and **46** support direct revocation. +Deepl +DeepL API Key (Free) +kingfisher.deepl.1 +Medium +Yes + + + +Deepl +DeepL API Key (Pro) +kingfisher.deepl.2 +Medium +Yes + + + Deepseek DeepSeek API Key kingfisher.deepseek.1 @@ -1684,6 +1892,14 @@ Of these, **521** include live validation and **46** support direct revocation. +Detectify +Detectify API Key +kingfisher.detectify.1 +Medium +Yes + + + Devcycle DevCycle Client SDK Key kingfisher.devcycle.1 @@ -1737,7 +1953,7 @@ Of these, **521** include live validation and **46** support direct revocation. kingfisher.digitalocean.1 Medium Yes - +Yes Digitalocean @@ -1753,7 +1969,7 @@ Of these, **521** include live validation and **46** support direct revocation. kingfisher.discord.1 Medium Yes - +Yes Discord @@ -1940,6 +2156,14 @@ Of these, **521** include live validation and **46** support direct revocation. +Dub +Dub.co API Key +kingfisher.dub.1 +Medium +Yes + + + Duffel Duffel API Token kingfisher.duffel.1 
@@ -2004,6 +2228,14 @@ Of these, **521** include live validation and **46** support direct revocation. +E2B +E2B API Key +kingfisher.e2b.1 +Medium +Yes + + + Easypost EasyPost API token kingfisher.easypost.1 @@ -2040,7 +2272,7 @@ Of these, **521** include live validation and **46** support direct revocation. Elastic Cloud API Key kingfisher.elastic.1 Medium - +Yes @@ -2048,7 +2280,7 @@ Of these, **521** include live validation and **46** support direct revocation. Elasticsearch API Key with Prefix kingfisher.elastic.2 High - +Yes @@ -2144,6 +2376,14 @@ Of these, **521** include live validation and **46** support direct revocation. Facebook Access Token kingfisher.facebook.3 Medium +Yes + + + +Falai +Fal.ai API Key +kingfisher.falai.1 +Medium @@ -2268,6 +2508,14 @@ Of these, **521** include live validation and **46** support direct revocation. +Flagsmith +Flagsmith Server-Side Environment Key +kingfisher.flagsmith.1 +Medium +Yes + + + Fleetbase Fleetbase API Key kingfisher.fleetbase.1 @@ -2412,6 +2660,14 @@ Of these, **521** include live validation and **46** support direct revocation. +Gamma +Gamma API Key +kingfisher.gamma.1 +Medium +Yes + + + Gcnotify GC Notify API Key kingfisher.gcnotify.1 @@ -2440,7 +2696,7 @@ Of these, **521** include live validation and **46** support direct revocation. Gemfury Deploy or Push Token kingfisher.gemfury.1 High - +Yes @@ -2448,7 +2704,7 @@ Of these, **521** include live validation and **46** support direct revocation. Gemfury Full Access Token kingfisher.gemfury.2 High - +Yes @@ -2532,6 +2788,22 @@ Of these, **521** include live validation and **46** support direct revocation. +Ghost +Ghost CMS Admin API Key +kingfisher.ghost.1 +Medium + + + + +Ghost +Ghost CMS Content API Key +kingfisher.ghost.2 +Medium + + + + Gitalk Gitalk OAuth Credentials kingfisher.gitalk.1 @@ -2664,7 +2936,7 @@ Of these, **521** include live validation and **46** support direct revocation. GitLab Session Cookie kingfisher.gitlab.15 Medium - +Yes 
@@ -2868,6 +3140,14 @@ Of these, **521** include live validation and **46** support direct revocation. +Guardsquare +GuardSquare AppSweep API Key +kingfisher.guardsquare.1 +Medium + + + + Gumroad Gumroad Access Token kingfisher.gumroad.1 @@ -2876,6 +3156,14 @@ Of these, **521** include live validation and **46** support direct revocation. +Hackclub +Hack Club AI API Key +kingfisher.hackclub.1 +Medium + + + + Harness Harness Personal Access Token (PAT) kingfisher.harness.pat.1 @@ -2992,7 +3280,7 @@ Of these, **521** include live validation and **46** support direct revocation. hCaptcha Site Verify Secret Key kingfisher.hcaptcha.1 Medium - +Yes @@ -3044,6 +3332,38 @@ Of these, **521** include live validation and **46** support direct revocation. Yes +Hetzner +Hetzner Cloud API Token +kingfisher.hetzner.1 +Medium +Yes + + + +Hex +Hex Technologies API Token +kingfisher.hex.1 +Medium +Yes + + + +Hexpm +Hex.pm Personal Token +kingfisher.hexpm.1 +Medium +Yes + + + +Hexpm +Hex.pm Workspace Token +kingfisher.hexpm.2 +Medium +Yes + + + Highnote Highnote API Key kingfisher.highnote.1 @@ -3064,7 +3384,7 @@ Of these, **521** include live validation and **46** support direct revocation. HOP Project Token kingfisher.hop.1 High - +Yes @@ -3072,7 +3392,7 @@ Of these, **521** include live validation and **46** support direct revocation. HOP Personal Access Token kingfisher.hop.2 High - +Yes @@ -3148,6 +3468,14 @@ Of these, **521** include live validation and **46** support direct revocation. +Infisical +Infisical Service Token +kingfisher.infisical.1 +Medium + + + + Influxdb InfluxDB API Token kingfisher.influxdb.1 @@ -3172,6 +3500,22 @@ Of these, **521** include live validation and **46** support direct revocation. +Inngest +Inngest Signing Key +kingfisher.inngest.1 +Medium + + + + +Inngest +Inngest Event Key +kingfisher.inngest.2 +Medium + + + + Instagram Instagram Graph API Access Token kingfisher.instagram.1 
@@ -3561,7 +3905,7 @@ Of these, **521** include live validation and **46** support direct revocation. kingfisher.launchdarkly.1 Medium Yes - +Yes Ldap @@ -3633,6 +3977,30 @@ Of these, **521** include live validation and **46** support direct revocation. kingfisher.linode.1 Medium Yes +Yes + + +Liveblocks +Liveblocks Secret Key +kingfisher.liveblocks.1 +Medium +Yes + + + +Livekit +LiveKit API Key +kingfisher.livekit.1 +Medium + + + + +Livekit +LiveKit API Secret +kingfisher.livekit.2 +Medium + @@ -3640,7 +4008,7 @@ Of these, **521** include live validation and **46** support direct revocation. Llama Cloud API Key kingfisher.llamacloud.1 High - +Yes @@ -3700,6 +4068,14 @@ Of these, **521** include live validation and **46** support direct revocation. +Loops +Loops Email API Key +kingfisher.loops.1 +Medium +Yes + + + Mailchimp Mailchimp API Key kingfisher.mailchimp.1 @@ -3780,6 +4156,22 @@ Of these, **521** include live validation and **46** support direct revocation. +Mappedin +Mappedin API Key +kingfisher.mappedin.1 +Medium + + + + +Mappedin +Mappedin API Secret +kingfisher.mappedin.2 +Medium + + + + Mariadb MariaDB Credentials kingfisher.mariadb.1 @@ -3788,6 +4180,14 @@ Of these, **521** include live validation and **46** support direct revocation. +Mastra +Mastra Memory Gateway API Key +kingfisher.mastra.1 +Medium +Yes + + + Mattermost Mattermost URL kingfisher.mattermost.1 @@ -3820,6 +4220,14 @@ Of these, **521** include live validation and **46** support direct revocation. +Mem0 +Mem0 API Key +kingfisher.mem0.1 +Medium +Yes + + + Mercadopago Mercado Pago Access Token kingfisher.mercadopago.1 @@ -3892,6 +4300,22 @@ Of these, **521** include live validation and **46** support direct revocation. +Minimax +MiniMax API Key +kingfisher.minimax.1 +Medium +Yes + + + +Mintlify +Mintlify API Key +kingfisher.mintlify.1 +Medium + + + + Miro Miro Access Token kingfisher.miro.1 
@@ -3972,6 +4396,14 @@ Of these, **521** include live validation and **46** support direct revocation. +Moralis +Moralis API Key +kingfisher.moralis.1 +Medium +Yes + + + Mssql MSSQL Credentials kingfisher.mssql.1 @@ -4041,7 +4473,7 @@ Of these, **521** include live validation and **46** support direct revocation. kingfisher.netlify.1 Unknown Yes - +Yes Netlify @@ -4049,6 +4481,14 @@ Of these, **521** include live validation and **46** support direct revocation. kingfisher.netlify.2 Medium Yes +Yes + + +Netlify +Netlify Personal Access Token (nfp_ prefix) +kingfisher.netlify.3 +Medium +Yes @@ -4084,6 +4524,14 @@ Of these, **521** include live validation and **46** support direct revocation. +Nightfall +Nightfall AI API Key +kingfisher.nightfall.1 +Medium +Yes + + + Notion Notion Legacy Token kingfisher.notion.1 @@ -4356,6 +4804,30 @@ Of these, **521** include live validation and **46** support direct revocation. +Ory +Ory API Key +kingfisher.ory.1 +Medium +Yes + + + +Ory +Ory Session Token +kingfisher.ory.2 +Medium + + + + +Ory +Ory OAuth2 Token +kingfisher.ory.3 +Medium + + + + Ovh OVH Application Key kingfisher.ovh.1 @@ -4404,6 +4876,14 @@ Of these, **521** include live validation and **46** support direct revocation. +Pandadoc +PandaDoc API Key +kingfisher.pandadoc.1 +Medium +Yes + + + Pangea Pangea Service Token kingfisher.pangea.1 @@ -4500,6 +4980,14 @@ Of these, **521** include live validation and **46** support direct revocation. +Permitio +Permit.io API Key +kingfisher.permitio.1 +Medium +Yes + + + Perplexity Perplexity AI API Key kingfisher.perplexity.1 @@ -4524,6 +5012,22 @@ Of these, **521** include live validation and **46** support direct revocation. +Pinata +Pinata API Key +kingfisher.pinata.1 +Medium + + + + +Pinata +Pinata API Secret +kingfisher.pinata.2 +Medium +Yes + + + Pinecone Pinecone API Key kingfisher.pinecone.1 
@@ -4580,6 +5084,14 @@ Of these, **521** include live validation and **46** support direct revocation. +Pirsch +Pirsch Analytics Access Key +kingfisher.pirsch.1 +Medium + + + + Plaid Plaid Client ID (helper) kingfisher.plaid.1 @@ -4656,6 +5168,22 @@ Of these, **521** include live validation and **46** support direct revocation. Polar Personal Access Token kingfisher.polar.1 High +Yes + + + +Pollinations +Pollinations Secret Key +kingfisher.pollinations.1 +Medium + + + + +Pollinations +Pollinations Publishable Key +kingfisher.pollinations.2 +Medium @@ -4684,6 +5212,14 @@ Of these, **521** include live validation and **46** support direct revocation. +Portainer +Portainer API Token +kingfisher.portainer.1 +Medium + + + + Positionstack Positionstack API Key kingfisher.positionstack.1 @@ -4712,7 +5248,7 @@ Of these, **521** include live validation and **46** support direct revocation. PostHog Feature Flags Secure API Key kingfisher.posthog.3 Medium - +Yes @@ -4892,6 +5428,22 @@ Of these, **521** include live validation and **46** support direct revocation. +Ramp +Ramp Client ID +kingfisher.ramp.1 +Medium + + + + +Ramp +Ramp Client Secret +kingfisher.ramp.2 +Medium + + + + Rapidapi RapidAPI Key kingfisher.rapidapi.1 @@ -4956,6 +5508,14 @@ Of these, **521** include live validation and **46** support direct revocation. +Redirectpizza +redirect.pizza API Token +kingfisher.redirectpizza.1 +Medium +Yes + + + Redis Redis URI Connection String kingfisher.redis.1 @@ -5009,7 +5569,7 @@ Of these, **521** include live validation and **46** support direct revocation. kingfisher.resend.api_key.1 High Yes - +Yes Retellai @@ -5068,6 +5628,14 @@ Of these, **521** include live validation and **46** support direct revocation. +Robinhood +Robinhood Crypto API Key +kingfisher.robinhood.1 +Medium + + + + Rollbar Rollbar Access Token kingfisher.rollbar.1 
@@ -5108,6 +5676,14 @@ Of these, **521** include live validation and **46** support direct revocation. +Saladcloud +SaladCloud API Key +kingfisher.saladcloud.1 +Medium +Yes + + + Salesforce Salesforce Access Token kingfisher.salesforce.1 @@ -5268,6 +5844,14 @@ Of these, **521** include live validation and **46** support direct revocation. +Seam +Seam API Key +kingfisher.seam.1 +Medium +Yes + + + Segment Segment Public API Token kingfisher.segment.1 @@ -5804,6 +6388,14 @@ Of these, **521** include live validation and **46** support direct revocation. +Supabase +Supabase Publishable Key +kingfisher.supabase.4 +Medium + + + + Surge Surge.sh Deploy Token kingfisher.surge.1 @@ -5812,6 +6404,14 @@ Of these, **521** include live validation and **46** support direct revocation. +Svix +Svix Webhook Signing Secret +kingfisher.svix.1 +Medium + + + + Tableau Tableau Personal Access Token kingfisher.tableau.1 @@ -5944,7 +6544,7 @@ Of these, **521** include live validation and **46** support direct revocation. ThingsBoard Access Token kingfisher.thingsboard.1 Medium - +Yes @@ -5968,7 +6568,7 @@ Of these, **521** include live validation and **46** support direct revocation. Thunderstore API Token kingfisher.thunderstore.1 Medium - +Yes @@ -5980,6 +6580,30 @@ Of these, **521** include live validation and **46** support direct revocation. +Tigris +Tigris Access Key ID +kingfisher.tigris.1 +Medium + + + + +Tigris +Tigris Secret Access Key +kingfisher.tigris.2 +Medium + + + + +Tinybird +Tinybird Admin Token +kingfisher.tinybird.1 +Medium +Yes + + + Todoist Todoist API Token kingfisher.todoist.1 @@ -5996,6 +6620,22 @@ Of these, **521** include live validation and **46** support direct revocation. +Tolgee +Tolgee Project API Key +kingfisher.tolgee.1 +Medium +Yes + + + +Tolgee +Tolgee Personal Access Token +kingfisher.tolgee.2 +Medium +Yes + + + Travisci Travis CI Token kingfisher.travisci.1 
@@ -6044,6 +6684,22 @@ Of these, **521** include live validation and **46** support direct revocation. +Triggerdev +Trigger.dev Secret Key +kingfisher.triggerdev.1 +Medium +Yes + + + +Triggerdev +Trigger.dev Personal Access Token +kingfisher.triggerdev.2 +Medium +Yes + + + Truenas TrueNAS API Key (WebSocket) kingfisher.truenas.1 @@ -6160,7 +6816,7 @@ Of these, **521** include live validation and **46** support direct revocation. Unkey API Key (key_ prefix) kingfisher.unkey.2 Medium - +Yes Yes @@ -6172,6 +6828,22 @@ Of these, **521** include live validation and **46** support direct revocation. +Unleash +Unleash Client/Admin API Token +kingfisher.unleash.1 +Medium + + + + +Unleash +Unleash Personal Access Token +kingfisher.unleash.2 +Medium + + + + Unsplash Unsplash Access Key kingfisher.unsplash.1 @@ -6180,6 +6852,30 @@ Of these, **521** include live validation and **46** support direct revocation. +Upcloud +UpCloud API Token +kingfisher.upcloud.1 +Medium +Yes + + + +Upstash +Upstash Redis REST Token +kingfisher.upstash.1 +Medium +Yes + + + +Upstash +Upstash Redis REST URL +kingfisher.upstash.2 +Medium + + + + Uptimerobot UptimeRobot API Key kingfisher.uptimerobot.1 @@ -6208,7 +6904,7 @@ Of these, **521** include live validation and **46** support direct revocation. Val Town API Token kingfisher.valtown.1 High - +Yes @@ -6300,6 +6996,14 @@ Of these, **521** include live validation and **46** support direct revocation. +Voiceflow +Voiceflow API Key +kingfisher.voiceflow.1 +Medium +Yes + + + Volcengine VolcEngine Access Key ID kingfisher.volcengine.1 @@ -6320,7 +7024,7 @@ Of these, **521** include live validation and **46** support direct revocation. Vonage (Nexmo) API Secret kingfisher.vonage.2 Medium - +Yes Yes @@ -6356,6 +7060,14 @@ Of these, **521** include live validation and **46** support direct revocation. +Warpstream +WarpStream API Key Secret +kingfisher.warpstream.1 +Medium +Yes + + + Weatherapi WeatherAPI.com API Key kingfisher.weatherapi.1 
@@ -6452,6 +7164,14 @@ Of these, **521** include live validation and **46** support direct revocation. +Wistia +Wistia API Token +kingfisher.wistia.1 +Medium +Yes + + + Wiz Wiz Client ID kingfisher.wiz.1 @@ -6468,6 +7188,22 @@ Of these, **521** include live validation and **46** support direct revocation. +Woocommerce +WooCommerce Consumer Secret +kingfisher.woocommerce.1 +Medium + + + + +Woocommerce +WooCommerce Consumer Key +kingfisher.woocommerce.2 +Medium + + + + Workato Workato API Token kingfisher.workato.1 @@ -6476,6 +7212,14 @@ Of these, **521** include live validation and **46** support direct revocation. +Workos +WorkOS API Key +kingfisher.workos.1 +Medium +Yes + + + Wpengine WPEngine API Key kingfisher.wpengine.1 @@ -6500,6 +7244,22 @@ Of these, **521** include live validation and **46** support direct revocation. +Xata +Xata API Key +kingfisher.xata.1 +Medium +Yes + + + +Xendit +Xendit API Key +kingfisher.xendit.1 +Medium +Yes + + + Yahoo Yahoo OAuth2 Client ID kingfisher.yahoo.1 @@ -6552,7 +7312,7 @@ Of these, **521** include live validation and **46** support direct revocation. Zapier Webhook URL kingfisher.zapier.1 Medium - +Yes @@ -6588,6 +7348,14 @@ Of these, **521** include live validation and **46** support direct revocation. +Zerotier +ZeroTier API Token +kingfisher.zerotier.1 +Medium +Yes + + + Zhipu Zhipu (BigModel) API Key kingfisher.zhipu.1 diff --git a/docs-site/docs/rules/overview.md b/docs-site/docs/rules/overview.md index 43e29b7..9de8718 100644 --- a/docs-site/docs/rules/overview.md +++ b/docs-site/docs/rules/overview.md 
@@ -880,19 +880,23 @@ rules: ## Advanced Example -This advanced example uses the liquid-rs filters included with Kingfisher to sign a request to validate Alibaba Cloud credential pairs: +This advanced example uses the liquid-rs filters included with Kingfisher to sign requests that validate Alibaba Cloud long-lived and STS temporary credential pairs: ```yaml rules: - name: Alibaba Access Key ID id: kingfisher.alibabacloud.1 pattern: | - (?xi) + (?x) \b ( - LTAI[a-z0-9]{17,21} + LTAI[A-Za-z0-9]{17,21} ) \b + pattern_requirements: + min_digits: 2 + min_uppercase: 1 + min_lowercase: 1 min_entropy: 4.0 confidence: medium visible: false @@ -902,20 +906,34 @@ rules: - name: Alibaba Access Key Secret id: kingfisher.alibabacloud.2 pattern: | - (?xi) - \b - alibaba - (?:.|[\n\r]){0,32}? + (?x) \b + (?: + (?i:alibaba|alibaba[\s_-]*cloud|aliyun) + | + LTAI[A-Za-z0-9]{17,21} + ) + (?:.|[\n\r]){0,80}? + (?i:access[\s_-]*key[\s_-]*secret|access[\s_-]*secret|secret|token|key) + (?:.|[\n\r]){0,16}? + (?: + [=:] + | + ["']\s*:\s*["'] + ) + \s* + ["']? ( - [a-z0-9]{30} + [A-Za-z0-9]{30} ) \b + ["']? min_entropy: 4.2 confidence: medium examples: - alibaba_secret = 7jkWdTjKLnSlGddwPR5gBn65PHcZG6 - alibaba-token = aJHKLnSlGddwPR5g7jkWdTBn65PHc5 + - AccessKeyId=LTAI8x2NiGqfyJGx7eLDhp12 AccessKeySecret=7jkWdTjKLnSlGddwPR5gBn65PHcZG6 validation: type: Http content: 
@@ -949,4 +967,108 @@ rules: depends_on_rule: - rule_id: kingfisher.alibabacloud.1 variable: AKID + - name: Alibaba STS Access Key ID + id: kingfisher.alibabacloud.3 + pattern: | + (?x) + \b + ( + STS\.[A-Za-z0-9]{16,64} + ) + \b + min_entropy: 3.0 + confidence: medium + visible: false + examples: + - STS.NTKaenSkmLhG4HpM576UV + - STS.FJ6EMcS1JLZgAcBJSTDG1Z4CE + - name: Alibaba STS Security Token + id: kingfisher.alibabacloud.4 + pattern: | + (?xi) + \b + (?:security[\s_-]*token|sts[\s_-]*token|x[\s_-]*oss[\s_-]*security[\s_-]*token|alibaba[\s_-]*cloud[\s_-]*security[\s_-]*token|aliyun[\s_-]*security[\s_-]*token) + (?:.|[\n\r]){0,16}? + (?: + [=:] + | + ["']\s*:\s*["'] + ) + \s* + ["']? + ( + CAIS[A-Za-z0-9+/_=-]{20,1024} + ) + (?:["'\s,;}&\]]|$) + min_entropy: 4.0 + confidence: medium + visible: false + examples: + - securityToken = "CAISuwJ1q6Ft5B2yu9Kiaa5E0VnVJ8q2o3P4r5S6t7U8v9W0xYz" + - ALIBABA_CLOUD_SECURITY_TOKEN=CAIS/gF1q6Ft5B2yfSjIr5eDA9xjJCcl57eKC7A3ThnJA + - name: Alibaba STS Access Key Secret + id: kingfisher.alibabacloud.5 + pattern: | + (?x) + \b + (?: + (?i:alibaba|alibaba[\s_-]*cloud|aliyun|sts) + | + STS\.[A-Za-z0-9]{16,64} + ) + (?:.|[\n\r]){0,120}? + (?i:access[\s_-]*key[\s_-]*secret|access[\s_-]*secret) + (?:.|[\n\r]){0,16}? + (?: + [=:] + | + ["']\s*:\s*["'] + ) + \s* + ["']? + ( + [A-Za-z0-9]{30,64} + ) + \b + ["']? 
+ min_entropy: 4.2 + confidence: medium + examples: + - STS.NTKaenSkmLhG4HpM576UV AccessKeySecret=wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK + - "aliyun sts access_key_secret: 6itECZnhbG2RU6ktTSBSd6JxeLHKPWyBtSS62" + validation: + type: Http + content: + request: + method: GET + url: > + {%- assign nonce = "" | uuid | upcase -%} + {%- assign raw_timestamp = "" | iso_timestamp_no_frac -%} + {%- assign timestamp = raw_timestamp | replace: ":", "%3A" -%} + + {%- capture params -%} + AccessKeyId={{ STS_AKID | url_encode }}&Action=GetCallerIdentity&Format=JSON&SecurityToken={{ SECURITY_TOKEN | url_encode }}&SignatureMethod=HMAC-SHA1&SignatureNonce={{ nonce }}&SignatureVersion=1.0&Timestamp={{ timestamp }}&Version=2015-04-01 + {%- endcapture -%} + {%- assign encoded_params = params | replace: "+", "%20" | replace: "*", "%2A" | replace: "%7E", "~" -%} + {%- assign query_string = encoded_params | url_encode | replace: "%2D", "-" | replace: "%2E", "." -%} + + {%- assign signature_base_string = "GET&%2F&" | append: query_string -%} + {%- assign token_amp = TOKEN | append: "&" -%} + + {%- assign hmacsignature = signature_base_string | hmac_sha1: token_amp | url_encode -%} + + https://sts.aliyuncs.com/?{{ params }}&Signature={{ hmacsignature }} + headers: + Accept: application/json + response_matcher: + - report_response: true + - type: StatusMatch + status: [200] + - type: WordMatch + words: ['"Arn"'] + depends_on_rule: + - rule_id: kingfisher.alibabacloud.3 + variable: STS_AKID + - rule_id: kingfisher.alibabacloud.4 + variable: SECURITY_TOKEN ``` diff --git a/docs-site/docs/usage/advanced.md b/docs-site/docs/usage/advanced.md index 4b74950..0743796 100644 --- a/docs-site/docs/usage/advanced.md +++ b/docs-site/docs/usage/advanced.md 
@@ -300,7 +300,7 @@ kingfisher scan ./my-project \ ## Custom Rules -Kingfisher currently ships with 825 built-in rules, but you may want to add your own custom rules or modify existing detection to better suit your needs. +Kingfisher currently ships with 921 built-in rules, but you may want to add your own custom rules or modify existing detection to better suit your needs. First, review [RULES.md](../rules/overview.md) to learn how to create custom Kingfisher rules. diff --git a/docs-site/mkdocs.yml b/docs-site/mkdocs.yml index 5100bbd..12da3ee 100644 --- a/docs-site/mkdocs.yml +++ b/docs-site/mkdocs.yml @@ -1,7 +1,7 @@ site_name: Kingfisher site_url: https://mongodb.github.io/kingfisher site_description: >- - Open source secret scanner with live validation. 825 detection rules, + Open source secret scanner with live validation. 921 detection rules, blast radius mapping, and credential revocation. Built in Rust by MongoDB. site_author: MongoDB repo_url: https://github.com/mongodb/kingfisher diff --git a/docs-site/overrides/home.html b/docs-site/overrides/home.html index a216bfb..b2e5fcb 100644 --- a/docs-site/overrides/home.html +++ b/docs-site/overrides/home.html @@ -36,7 +36,7 @@
- 825 + 921 Detection Rules
@@ -48,7 +48,7 @@ Scan Targets
- 28 + 34 Revocation Providers
diff --git a/docs-site/overrides/main.html b/docs-site/overrides/main.html index 131fcbe..8075164 100644 --- a/docs-site/overrides/main.html +++ b/docs-site/overrides/main.html @@ -7,7 +7,7 @@ "@context": "https://schema.org", "@type": "SoftwareApplication", "name": "Kingfisher", - "description": "Open source secret scanner with live validation. 825 detection rules, blast radius mapping, and credential revocation.", + "description": "Open source secret scanner with live validation. 921 detection rules, blast radius mapping, and credential revocation.", "applicationCategory": "DeveloperApplication", "operatingSystem": "Linux, macOS, Windows", "license": "https://opensource.org/licenses/Apache-2.0", diff --git a/docs/ADVANCED.md b/docs/ADVANCED.md index f35fb2f..26a2692 100644 --- a/docs/ADVANCED.md +++ b/docs/ADVANCED.md @@ -297,7 +297,7 @@ kingfisher scan ./my-project \ ## Custom Rules -Kingfisher currently ships with 825 built-in rules, but you may want to add your own custom rules or modify existing detection to better suit your needs. +Kingfisher currently ships with 921 built-in rules, but you may want to add your own custom rules or modify existing detection to better suit your needs. First, review [RULES.md](RULES.md) to learn how to create custom Kingfisher rules. diff --git a/docs/LIBRARY.md b/docs/LIBRARY.md index 0d23945..f3ec288 100644 --- a/docs/LIBRARY.md +++ b/docs/LIBRARY.md @@ -265,7 +265,7 @@ flowchart TD ### Loading Builtin Rules -Kingfisher currently ships with 825 built-in rules for common secret types: +Kingfisher currently ships with 921 built-in rules for common secret types: ```rust use kingfisher_rules::{get_builtin_rules, Confidence}; diff --git a/docs/REVOCATION_PROVIDERS.md b/docs/REVOCATION_PROVIDERS.md index 536234d..29febd6 100644 --- a/docs/REVOCATION_PROVIDERS.md +++ b/docs/REVOCATION_PROVIDERS.md 
@@ -3,8 +3,8 @@ Kingfisher supports direct secret revocation through rule-level `revocation:` blocks. Current coverage in built-in rules: -- `28` provider families -- `46` revocation-enabled rules +- `34` provider families +- `53` revocation-enabled rules Use `kingfisher revoke --rule ` to invoke these flows. See [USAGE.md](USAGE.md#direct-secret-revocation-with-kingfisher-revoke) for command details. @@ -19,6 +19,8 @@ Use `kingfisher revoke --rule ` to invoke these flows. See [US | `confluent` | 2 | `kingfisher.confluent.2`, `kingfisher.confluent.3` | | `cratesio` | 1 | `kingfisher.cratesio.1` | | `deviantart` | 1 | `kingfisher.deviantart.1` | +| `digitalocean` | 1 | `kingfisher.digitalocean.1` | +| `discord` | 1 | `kingfisher.discord.1` | | `doppler` | 6 | `kingfisher.doppler.1`, `kingfisher.doppler.2`, `kingfisher.doppler.3`, `kingfisher.doppler.4`, `kingfisher.doppler.5`, `kingfisher.doppler.6` | | `gcp` | 1 | `kingfisher.gcp.1` | | `github` | 3 | `kingfisher.github.1`, `kingfisher.github.2`, `kingfisher.github.5` | @@ -26,10 +28,14 @@ Use `kingfisher revoke --rule ` to invoke these flows. See [US | `google` | 2 | `kingfisher.google.4`, `kingfisher.google.oauth2.1` | | `harness` | 1 | `kingfisher.harness.pat.1` | | `heroku` | 2 | `kingfisher.heroku.1`, `kingfisher.heroku.2` | +| `launchdarkly` | 1 | `kingfisher.launchdarkly.1` | +| `linode` | 1 | `kingfisher.linode.1` | | `mapbox` | 1 | `kingfisher.mapbox.2` | | `mongodb` | 1 | `kingfisher.mongodb.1` | +| `netlify` | 2 | `kingfisher.netlify.1`, `kingfisher.netlify.2` | | `npm` | 2 | `kingfisher.npm.1`, `kingfisher.npm.2` | | `particle.io` | 2 | `kingfisher.particleio.1`, `kingfisher.particleio.2` | +| `resend` | 1 | `kingfisher.resend.api_key.1` | | `sendgrid` | 1 | `kingfisher.sendgrid.1` | | `slack` | 2 | `kingfisher.slack.1`, `kingfisher.slack.2` | | `sumologic` | 1 | `kingfisher.sumologic.2` | diff --git a/docs/RULES.md b/docs/RULES.md index 9fca4a8..39982d5 100644 --- a/docs/RULES.md +++ b/docs/RULES.md 
@@ -875,19 +875,23 @@ rules: ## Advanced Example -This advanced example uses the liquid-rs filters included with Kingfisher to sign a request to validate Alibaba Cloud credential pairs: +This advanced example uses the liquid-rs filters included with Kingfisher to sign requests that validate Alibaba Cloud long-lived and STS temporary credential pairs: ```yaml rules: - name: Alibaba Access Key ID id: kingfisher.alibabacloud.1 pattern: | - (?xi) + (?x) \b ( - LTAI[a-z0-9]{17,21} + LTAI[A-Za-z0-9]{17,21} ) \b + pattern_requirements: + min_digits: 2 + min_uppercase: 1 + min_lowercase: 1 min_entropy: 4.0 confidence: medium visible: false @@ -897,20 +901,34 @@ rules: - name: Alibaba Access Key Secret id: kingfisher.alibabacloud.2 pattern: | - (?xi) - \b - alibaba - (?:.|[\n\r]){0,32}? + (?x) \b + (?: + (?i:alibaba|alibaba[\s_-]*cloud|aliyun) + | + LTAI[A-Za-z0-9]{17,21} + ) + (?:.|[\n\r]){0,80}? + (?i:access[\s_-]*key[\s_-]*secret|access[\s_-]*secret|secret|token|key) + (?:.|[\n\r]){0,16}? + (?: + [=:] + | + ["']\s*:\s*["'] + ) + \s* + ["']? ( - [a-z0-9]{30} + [A-Za-z0-9]{30} ) \b + ["']? min_entropy: 4.2 confidence: medium examples: - alibaba_secret = 7jkWdTjKLnSlGddwPR5gBn65PHcZG6 - alibaba-token = aJHKLnSlGddwPR5g7jkWdTBn65PHc5 + - AccessKeyId=LTAI8x2NiGqfyJGx7eLDhp12 AccessKeySecret=7jkWdTjKLnSlGddwPR5gBn65PHcZG6 validation: type: Http content: 
@@ -944,4 +962,108 @@ rules: depends_on_rule: - rule_id: kingfisher.alibabacloud.1 variable: AKID + - name: Alibaba STS Access Key ID + id: kingfisher.alibabacloud.3 + pattern: | + (?x) + \b + ( + STS\.[A-Za-z0-9]{16,64} + ) + \b + min_entropy: 3.0 + confidence: medium + visible: false + examples: + - STS.NTKaenSkmLhG4HpM576UV + - STS.FJ6EMcS1JLZgAcBJSTDG1Z4CE + - name: Alibaba STS Security Token + id: kingfisher.alibabacloud.4 + pattern: | + (?xi) + \b + (?:security[\s_-]*token|sts[\s_-]*token|x[\s_-]*oss[\s_-]*security[\s_-]*token|alibaba[\s_-]*cloud[\s_-]*security[\s_-]*token|aliyun[\s_-]*security[\s_-]*token) + (?:.|[\n\r]){0,16}? + (?: + [=:] + | + ["']\s*:\s*["'] + ) + \s* + ["']? + ( + CAIS[A-Za-z0-9+/_=-]{20,1024} + ) + (?:["'\s,;}&\]]|$) + min_entropy: 4.0 + confidence: medium + visible: false + examples: + - securityToken = "CAISuwJ1q6Ft5B2yu9Kiaa5E0VnVJ8q2o3P4r5S6t7U8v9W0xYz" + - ALIBABA_CLOUD_SECURITY_TOKEN=CAIS/gF1q6Ft5B2yfSjIr5eDA9xjJCcl57eKC7A3ThnJA + - name: Alibaba STS Access Key Secret + id: kingfisher.alibabacloud.5 + pattern: | + (?x) + \b + (?: + (?i:alibaba|alibaba[\s_-]*cloud|aliyun|sts) + | + STS\.[A-Za-z0-9]{16,64} + ) + (?:.|[\n\r]){0,120}? + (?i:access[\s_-]*key[\s_-]*secret|access[\s_-]*secret) + (?:.|[\n\r]){0,16}? + (?: + [=:] + | + ["']\s*:\s*["'] + ) + \s* + ["']? + ( + [A-Za-z0-9]{30,64} + ) + \b + ["']? 
+ min_entropy: 4.2 + confidence: medium + examples: + - STS.NTKaenSkmLhG4HpM576UV AccessKeySecret=wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK + - "aliyun sts access_key_secret: 6itECZnhbG2RU6ktTSBSd6JxeLHKPWyBtSS62" + validation: + type: Http + content: + request: + method: GET + url: > + {%- assign nonce = "" | uuid | upcase -%} + {%- assign raw_timestamp = "" | iso_timestamp_no_frac -%} + {%- assign timestamp = raw_timestamp | replace: ":", "%3A" -%} + + {%- capture params -%} + AccessKeyId={{ STS_AKID | url_encode }}&Action=GetCallerIdentity&Format=JSON&SecurityToken={{ SECURITY_TOKEN | url_encode }}&SignatureMethod=HMAC-SHA1&SignatureNonce={{ nonce }}&SignatureVersion=1.0&Timestamp={{ timestamp }}&Version=2015-04-01 + {%- endcapture -%} + {%- assign encoded_params = params | replace: "+", "%20" | replace: "*", "%2A" | replace: "%7E", "~" -%} + {%- assign query_string = encoded_params | url_encode | replace: "%2D", "-" | replace: "%2E", "." -%} + + {%- assign signature_base_string = "GET&%2F&" | append: query_string -%} + {%- assign token_amp = TOKEN | append: "&" -%} + + {%- assign hmacsignature = signature_base_string | hmac_sha1: token_amp | url_encode -%} + + https://sts.aliyuncs.com/?{{ params }}&Signature={{ hmacsignature }} + headers: + Accept: application/json + response_matcher: + - report_response: true + - type: StatusMatch + status: [200] + - type: WordMatch + words: ['"Arn"'] + depends_on_rule: + - rule_id: kingfisher.alibabacloud.3 + variable: STS_AKID + - rule_id: kingfisher.alibabacloud.4 + variable: SECURITY_TOKEN ``` diff --git a/json b/json new file mode 100644 index 0000000..772455c --- /dev/null +++ b/json 
@@ -0,0 +1,12 @@ +DEEPSEEK API KEY => [KINGFISHER.DEEPSEEK.1] + |Finding.......: sk-a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6 + |Fingerprint...: 2802934700551494254 + |Confidence....: medium + |Entropy.......: 4.13 + |Validation....: Inactive Credential + |__Response....: {"error":{"message":"Authentication Fails, Your api key: ****c5d6 is invalid","type":"authentication_error","param":null,"code":"invalid_request_error"}} + |Validate Cmd..: kingfisher validate --rule kingfisher.deepseek.1 'sk-a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6' + |Language......: Plain Text + |Line Num......: 4 + |Path..........: /tmp/test_alibaba.txt +
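Review bot: the README summary line that appears as context on every rules-table hunk still reads "Of these, **521** include live validation and **46** support direct revocation", and no hunk in README.md updates it, yet the same patch moves docs/REVOCATION_PROVIDERS.md to "`34` provider families / `53` revocation-enabled rules" and home.html to "34 Revocation Providers". The 46 is stale (the seven rows added to the providers table, `digitalocean`, `discord`, `launchdarkly`, `linode`, `netlify` x2, `resend`, take 46 to 53), and the 521 validation count should be rechecked against the `Yes` flags this patch adds for Unkey, Val Town, Vonage, Zapier and the new rules. Suggest regenerating the README counts from the same source as the other three files instead of hand-editing them.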
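Review bot: the "Advanced Example" hunks in docs-site/docs/rules/overview.md and docs/RULES.md are identical line for line (the same ~130 added lines twice), as are the "825 -> 921" edits in docs/ADVANCED.md and docs-site/docs/usage/advanced.md and the "Kingfisher currently ships with 921 built-in rules" sentence. Two hand-synchronised copies are exactly how the README revocation count drifted; consider having the docs-site build pull these sections from the docs/ files, or generating one copy from the other, so the rule examples and counts have a single source.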
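Review bot: kingfisher.alibabacloud.4 keeps the global `(?xi)` flag, so the capture `CAIS[A-Za-z0-9+/_=-]{20,1024}` also accepts a lower-case `cais...` value, whereas rules .1, .2, .3 and .5 in the same hunk were deliberately switched to `(?x)` with case-insensitivity scoped to the keyword group `(?i:...)`. Apply the same treatment here: `(?x)` at the top and wrap only the `security[\s_-]*token|sts[\s_-]*token|...` alternation in `(?i:...)`, so the token prefix must be the literal `CAIS`. Both listed examples still match under that change.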
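Review bot: the new intro sentence says the example signs requests that validate "long-lived and STS temporary credential pairs", but the STS flow in kingfisher.alibabacloud.5 is a triple, not a pair: the signature uses `TOKEN` (the secret), the query carries `STS_AKID` and `SecurityToken={{ SECURITY_TOKEN | url_encode }}`, and `depends_on_rule` lists both .3 and .4. Say "credential sets" and add one line stating that an STS secret is only validated when the matching `STS.` access key ID and `CAIS` security token are found in the same scan; otherwise a reader testing with only a secret will not understand why validation never runs. Also worth a sentence that `report_response: true` puts the full `GetCallerIdentity` body (`Arn`, account and principal identifiers) into the finding output.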
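Review bot: the new root-level file `json` (new file mode 100644) is captured scanner output, not source or documentation: a `DEEPSEEK API KEY => [KINGFISHER.DEEPSEEK.1]` finding with fingerprint, entropy, the `Validate Cmd` line and `Path: /tmp/test_alibaba.txt`. It looks like a stray redirect target left over from local testing of the Alibaba rules and should be dropped from this change; if scan output is routinely written into the working tree, add a .gitignore entry for it. Even with a placeholder-looking key and an "Inactive Credential" result, committing scan output that contains secret material to a secret-scanner repository is the wrong precedent.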