updated docs

docs/ADVANCED.md

@@ -297,7 +297,7 @@ kingfisher scan ./my-project \
 
 ## Custom Rules
 
-Kingfisher currently ships with 825 built-in rules, but you may want to add your own custom rules or modify existing detection to better suit your needs.
+Kingfisher currently ships with 921 built-in rules, but you may want to add your own custom rules or modify existing detection to better suit your needs.
 
 First, review [RULES.md](RULES.md) to learn how to create custom Kingfisher rules.
 

docs/LIBRARY.md

@@ -265,7 +265,7 @@ flowchart TD
 
 ### Loading Builtin Rules
 
-Kingfisher currently ships with 825 built-in rules for common secret types:
+Kingfisher currently ships with 921 built-in rules for common secret types:
 
 ```rust
 use kingfisher_rules::{get_builtin_rules, Confidence};

docs/REVOCATION_PROVIDERS.md

@@ -3,8 +3,8 @@
 Kingfisher supports direct secret revocation through rule-level `revocation:` blocks.
 
 Current coverage in built-in rules:
-- `28` provider families
-- `46` revocation-enabled rules
+- `34` provider families
+- `53` revocation-enabled rules
 
 Use `kingfisher revoke --rule <rule-id> <secret>` to invoke these flows. See [USAGE.md](USAGE.md#direct-secret-revocation-with-kingfisher-revoke) for command details.
 
@@ -19,6 +19,8 @@ Use `kingfisher revoke --rule <rule-id> <secret>` to invoke these flows. See [US
 | `confluent` | 2 | `kingfisher.confluent.2`, `kingfisher.confluent.3` |
 | `cratesio` | 1 | `kingfisher.cratesio.1` |
 | `deviantart` | 1 | `kingfisher.deviantart.1` |
+| `digitalocean` | 1 | `kingfisher.digitalocean.1` |
+| `discord` | 1 | `kingfisher.discord.1` |
 | `doppler` | 6 | `kingfisher.doppler.1`, `kingfisher.doppler.2`, `kingfisher.doppler.3`, `kingfisher.doppler.4`, `kingfisher.doppler.5`, `kingfisher.doppler.6` |
 | `gcp` | 1 | `kingfisher.gcp.1` |
 | `github` | 3 | `kingfisher.github.1`, `kingfisher.github.2`, `kingfisher.github.5` |
@@ -26,10 +28,14 @@ Use `kingfisher revoke --rule <rule-id> <secret>` to invoke these flows. See [US
 | `google` | 2 | `kingfisher.google.4`, `kingfisher.google.oauth2.1` |
 | `harness` | 1 | `kingfisher.harness.pat.1` |
 | `heroku` | 2 | `kingfisher.heroku.1`, `kingfisher.heroku.2` |
+| `launchdarkly` | 1 | `kingfisher.launchdarkly.1` |
+| `linode` | 1 | `kingfisher.linode.1` |
 | `mapbox` | 1 | `kingfisher.mapbox.2` |
 | `mongodb` | 1 | `kingfisher.mongodb.1` |
+| `netlify` | 2 | `kingfisher.netlify.1`, `kingfisher.netlify.2` |
 | `npm` | 2 | `kingfisher.npm.1`, `kingfisher.npm.2` |
 | `particle.io` | 2 | `kingfisher.particleio.1`, `kingfisher.particleio.2` |
+| `resend` | 1 | `kingfisher.resend.api_key.1` |
 | `sendgrid` | 1 | `kingfisher.sendgrid.1` |
 | `slack` | 2 | `kingfisher.slack.1`, `kingfisher.slack.2` |
 | `sumologic` | 1 | `kingfisher.sumologic.2` |

docs/RULES.md

@@ -875,19 +875,23 @@ rules:
 
 ## Advanced Example
 
-This advanced example uses the liquid-rs filters included with Kingfisher to sign a request to validate Alibaba Cloud credential pairs:
+This advanced example uses the liquid-rs filters included with Kingfisher to sign requests that validate Alibaba Cloud long-lived and STS temporary credential pairs:
 
 ```yaml
 rules:
   - name: Alibaba Access Key ID
     id: kingfisher.alibabacloud.1
     pattern: |
-      (?xi)
+      (?x)
       \b
       (
-        LTAI[a-z0-9]{17,21}
+        LTAI[A-Za-z0-9]{17,21}
       )
       \b
+    pattern_requirements:
+      min_digits: 2
+      min_uppercase: 1
+      min_lowercase: 1
     min_entropy: 4.0
     confidence: medium
     visible: false
@@ -897,20 +901,34 @@ rules:
   - name: Alibaba Access Key Secret
     id: kingfisher.alibabacloud.2
     pattern: |
-      (?xi)
-      \b
-      alibaba
-      (?:.|[\n\r]){0,32}?
+      (?x)
       \b
+      (?:
+        (?i:alibaba|alibaba[\s_-]*cloud|aliyun)
+        |
+        LTAI[A-Za-z0-9]{17,21}
+      )
+      (?:.|[\n\r]){0,80}?
+      (?i:access[\s_-]*key[\s_-]*secret|access[\s_-]*secret|secret|token|key)
+      (?:.|[\n\r]){0,16}?
+      (?:
+        [=:]
+        |
+        ["']\s*:\s*["']
+      )
+      \s*
+      ["']?
       (
-        [a-z0-9]{30}
+        [A-Za-z0-9]{30}
       )
       \b
+      ["']?
     min_entropy: 4.2
     confidence: medium
     examples:
       - alibaba_secret = 7jkWdTjKLnSlGddwPR5gBn65PHcZG6
       - alibaba-token = aJHKLnSlGddwPR5g7jkWdTBn65PHc5
+      - AccessKeyId=LTAI8x2NiGqfyJGx7eLDhp12 AccessKeySecret=7jkWdTjKLnSlGddwPR5gBn65PHcZG6
     validation:
       type: Http
       content:
@@ -944,4 +962,108 @@ rules:
     depends_on_rule:
       - rule_id: kingfisher.alibabacloud.1
         variable: AKID
+  - name: Alibaba STS Access Key ID
+    id: kingfisher.alibabacloud.3
+    pattern: |
+      (?x)
+      \b
+      (
+        STS\.[A-Za-z0-9]{16,64}
+      )
+      \b
+    min_entropy: 3.0
+    confidence: medium
+    visible: false
+    examples:
+      - STS.NTKaenSkmLhG4HpM576UV
+      - STS.FJ6EMcS1JLZgAcBJSTDG1Z4CE
+  - name: Alibaba STS Security Token
+    id: kingfisher.alibabacloud.4
+    pattern: |
+      (?xi)
+      \b
+      (?:security[\s_-]*token|sts[\s_-]*token|x[\s_-]*oss[\s_-]*security[\s_-]*token|alibaba[\s_-]*cloud[\s_-]*security[\s_-]*token|aliyun[\s_-]*security[\s_-]*token)
+      (?:.|[\n\r]){0,16}?
+      (?:
+        [=:]
+        |
+        ["']\s*:\s*["']
+      )
+      \s*
+      ["']?
+      (
+        CAIS[A-Za-z0-9+/_=-]{20,1024}
+      )
+      (?:["'\s,;}&\]]|$)
+    min_entropy: 4.0
+    confidence: medium
+    visible: false
+    examples:
+      - securityToken = "CAISuwJ1q6Ft5B2yu9Kiaa5E0VnVJ8q2o3P4r5S6t7U8v9W0xYz"
+      - ALIBABA_CLOUD_SECURITY_TOKEN=CAIS/gF1q6Ft5B2yfSjIr5eDA9xjJCcl57eKC7A3ThnJA
+  - name: Alibaba STS Access Key Secret
+    id: kingfisher.alibabacloud.5
+    pattern: |
+      (?x)
+      \b
+      (?:
+        (?i:alibaba|alibaba[\s_-]*cloud|aliyun|sts)
+        |
+        STS\.[A-Za-z0-9]{16,64}
+      )
+      (?:.|[\n\r]){0,120}?
+      (?i:access[\s_-]*key[\s_-]*secret|access[\s_-]*secret)
+      (?:.|[\n\r]){0,16}?
+      (?:
+        [=:]
+        |
+        ["']\s*:\s*["']
+      )
+      \s*
+      ["']?
+      (
+        [A-Za-z0-9]{30,64}
+      )
+      \b
+      ["']?
+    min_entropy: 4.2
+    confidence: medium
+    examples:
+      - STS.NTKaenSkmLhG4HpM576UV AccessKeySecret=wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK
+      - "aliyun sts access_key_secret: 6itECZnhbG2RU6ktTSBSd6JxeLHKPWyBtSS62"
+    validation:
+      type: Http
+      content:
+        request:
+          method: GET
+          url: >
+            {%- assign nonce = "" | uuid | upcase -%}
+            {%- assign raw_timestamp = "" | iso_timestamp_no_frac -%}
+            {%- assign timestamp = raw_timestamp | replace: ":", "%3A" -%}
+
+            {%- capture params -%}
+            AccessKeyId={{ STS_AKID | url_encode }}&Action=GetCallerIdentity&Format=JSON&SecurityToken={{ SECURITY_TOKEN | url_encode }}&SignatureMethod=HMAC-SHA1&SignatureNonce={{ nonce }}&SignatureVersion=1.0&Timestamp={{ timestamp }}&Version=2015-04-01
+            {%- endcapture -%}
+            {%- assign encoded_params = params | replace: "+", "%20" | replace: "*", "%2A" | replace: "%7E", "~" -%}
+            {%- assign query_string = encoded_params | url_encode | replace: "%2D", "-" | replace: "%2E", "." -%}
+
+            {%- assign signature_base_string = "GET&%2F&" | append: query_string -%}
+            {%- assign token_amp = TOKEN | append: "&" -%}
+
+            {%- assign hmacsignature = signature_base_string | hmac_sha1: token_amp | url_encode -%}
+
+            https://sts.aliyuncs.com/?{{ params }}&Signature={{ hmacsignature }}
+          headers:
+            Accept: application/json
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200]
+            - type: WordMatch
+              words: ['"Arn"']
+    depends_on_rule:
+      - rule_id: kingfisher.alibabacloud.3
+        variable: STS_AKID
+      - rule_id: kingfisher.alibabacloud.4
+        variable: SECURITY_TOKEN
 ```