From 6ca8665d2bc5f4998292c759ff3c9d3b787d3026 Mon Sep 17 00:00:00 2001
From: Mick Grove
Date: Fri, 17 Apr 2026 16:36:30 -0700
Subject: [PATCH] performance improvements and rule improvements

---
 .../data/rules/cockroachlabs.yml | 30 +++++++---------
 .../kingfisher-rules/data/rules/composio.yml | 34 +++++++++++++++----
 2 files changed, 39 insertions(+), 25 deletions(-)

diff --git a/crates/kingfisher-rules/data/rules/cockroachlabs.yml b/crates/kingfisher-rules/data/rules/cockroachlabs.yml
index a4b8d7e..8dfd461 100644
--- a/crates/kingfisher-rules/data/rules/cockroachlabs.yml
+++ b/crates/kingfisher-rules/data/rules/cockroachlabs.yml
@@ -1,39 +1,33 @@
 rules:
- - name: CockroachDB Cloud API Key
+ - name: CockroachDB Cloud Service Account API Key
 id: kingfisher.cockroachlabs.1
 pattern: |
 (?x)
 \b
- (?:
- (?i:cockroach(?:db)?(?:cloud)?)
- (?:.|[\n\r]){0,24}?
- (?i:api[_\s-]*key|secret|token)
- |
- (?i:CC_API_KEY)
- )
- (?:.|[\n\r]){0,16}?
 (
- [A-Z0-9_]{20,60}
+ CCDB1_[A-Za-z0-9]{22}_[A-Za-z0-9]{40}
 )
 \b
 pattern_requirements:
 min_digits: 2
 min_uppercase: 4
- min_entropy: 3.0
+ min_lowercase: 4
+ min_entropy: 3.5
 confidence: medium
 categories: [api, key]
 examples:
- - 'COCKROACHDB_API_KEY=B81649_8F7D11A_92BCE13_56782D_C53'
+ - 'CCDB1_z4m5MjGmTx3O4sK2IxvHIh_zv4Cbt3lNujc7f9TO9cZ1qGU7tyJhxrw01I0rWnZ'
+ - 'CCDB1_z6ju5QJ1vZf1SGhBr2yM97_vqqya4b8lKf2ZRfI3OFHZ478xfi6SbqcIbts4nyp'
+ - 'CCDB1_OMxzun9l3g5vjIJRqKqPP7_9HUwzxJDBGpEvtbN3HjJb7L7zirVo3qSCAi1MCct'
 validation:
 type: Http
 content:
 request:
 method: GET
- url: https://cockroachlabs.cloud/api/v1/clusters?show_inactive=true
+ url: https://cockroachlabs.cloud/api/v1/clusters
 headers:
 Authorization: Bearer {{ TOKEN }}
 Accept: application/json
- Cc-Version: "2024-09-16"
 response_matcher:
 - report_response: true
 - type: StatusMatch
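Review bot: The validation request drops the `Cc-Version: "2024-09-16"` header together with the `?show_inactive=true` query, so the shape of the `/api/v1/clusters` response is no longer pinned by the rule and the `"clusters"`/`"pagination"` word matcher in the following hunk depends on whatever version the server defaults to; a later default change could silently turn a live key into a validation miss. If dropping the pin was deliberate, a one-line comment above `headers:` saying why would help; otherwise keep the `Cc-Version` header. The rewritten pattern would also benefit from a comment on the `pattern: |` block naming the format it encodes, e.g. `# CCDB1_ prefix, then a 22-char and a 40-char alphanumeric segment`, since nothing else in the rule says what the two fixed widths are. The validation block continues past the end of this hunk.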
@@ -44,8 +38,8 @@ rules:
 words:
 - '"clusters"'
 - '"pagination"'
- # Revocation not added: the public Cloud API docs describe bearer-token
- # authentication for service-account secret keys, but not a documented
- # self-revocation endpoint for the current secret key value.
+ # Revocation not added: the Cloud API exposes DELETE /api/v1/api-keys/{id},
+ # but a leaked secret value does not reveal the API key ID required to revoke it.
 references:
- - https://www.cockroachlabs.com/docs/cockroachcloud/cloud-api
+ - https://www.cockroachlabs.com/docs/cockroachcloud/service-accounts
+ - https://cockroachlabs.cloud/assets/docs/api/latest/openapi.json
diff --git a/crates/kingfisher-rules/data/rules/composio.yml b/crates/kingfisher-rules/data/rules/composio.yml
index 1c1d63b..b6ba0b9 100644
--- a/crates/kingfisher-rules/data/rules/composio.yml
+++ b/crates/kingfisher-rules/data/rules/composio.yml
@@ -2,13 +2,10 @@ rules:
 - name: Composio Project API Key
 id: kingfisher.composio.1
 pattern: |
- (?xi)
- \b
- (?:composio|COMPOSIO_API_KEY)
- (?:.|[\n\r]){0,48}?
+ (?x)
 \b
 (
- ak_[A-Za-z0-9]{16,48}
+ ak_[A-Za-z0-9_-]{20}
 )
 \b
 pattern_requirements:
@@ -17,7 +14,7 @@ rules:
 min_entropy: 3.5
 confidence: medium
 examples:
- - 'COMPOSIO_API_KEY="ak_a1b2c3d4e5f6g7h8i9j0"'
+ - 'COMPOSIO_API_KEY="ak_LPktODfyN3W_btXn_d47"'
 - 'composio x-api-key: ak_0f1e2d3c4b5a69788796'
 references:
 - https://docs.composio.dev/reference/authentication
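Review bot: The new comment says a leaked secret value does not reveal the API key ID needed for `DELETE /api/v1/api-keys/{id}`, yet the pattern in the preceding hunk now models the token as `CCDB1_<22 chars>_<40 chars>`, two distinct segments; if the first segment is in fact the key identifier, the stated reason for not adding revocation no longer holds. This is worth confirming against the `openapi.json` reference added in this hunk and recording the outcome in the comment, e.g. `# (the 22-char segment after CCDB1_ is not the API key ID — checked against openapi.json)` or the opposite finding. The rule this comment belongs to starts in the previous hunk.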
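Review bot: The closing `\b` after `ak_[A-Za-z0-9_-]{20}` fails whenever the key's last character is `-` and the next character is a non-word character such as a closing quote, space or newline, because `\b` needs a word/non-word transition; if `-` is genuinely part of the key alphabet, roughly one key in sixty-four would be missed in the common quoted form. The same construct appears in the new `ck_[A-Za-z0-9_-]{20}` rule in the last hunk of this file. Where the regex engine supports lookaround, replace the final `\b` with `(?![A-Za-z0-9_-])`; where it does not, a consumed `(?:[^A-Za-z0-9_-]|$)` placed after the capture group keeps the same boundary check without touching the captured value. The rule's `pattern_requirements` continue past the end of this hunk.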
@@ -36,4 +33,27 @@ rules:
 - type: StatusMatch
 status: [200]
 - type: JsonValid
- # Current Composio API docs expose session verification, but not a same-key revocation flow.
+ # Current Composio API docs expose project-key authentication, but not a same-key revocation flow.
+
+ - name: Composio Consumer API Key
+ id: kingfisher.composio.2
+ pattern: |
+ (?x)
+ \b
+ (
+ ck_[A-Za-z0-9_-]{20}
+ )
+ \b
+ pattern_requirements:
+ min_digits: 1
+ min_lowercase: 4
+ min_entropy: 3.0
+ confidence: medium
+ examples:
+ - 'COMPOSIO_CONSUMER_API_KEY="ck_A1b2C3d4E5f6G7h8I9jK"'
+ - '"x-consumer-api-key": "ck_k7M_Pq2RsTuVwXyZ8aBc"'
+ references:
+ - https://docs.composio.dev/docs/composio-connect
+ # Composio documents consumer API keys for MCP clients via the
+ # x-consumer-api-key header, but does not expose a stable public
+ # token-only validation endpoint in the docs.