diff --git a/crates/kingfisher-rules/data/rules/dryrunsecurity.yml b/crates/kingfisher-rules/data/rules/dryrunsecurity.yml
new file mode 100644
index 0000000..edae964
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/dryrunsecurity.yml
@@ -0,0 +1,45 @@
+rules:
+ - name: DryRun Security API Key
+ id: kingfisher.dryrunsecurity.1
+ pattern: |
+ (?x)
+ \b
+ (
+ dryrunsec_[A-Za-z0-9]{32}
+ )
+ \b
+ pattern_requirements:
+ min_digits: 1
+ min_uppercase: 1
+ min_lowercase: 1
+ min_entropy: 3.2
+ confidence: medium
+ examples:
+ - 'DRYRUN_API_KEY="dryrunsec_XRO3RsNlZm4M3VyZoPb02PzTv7yaEWoF"'
+ - 'Authorization: Bearer dryrunsec_hdKJINE3Bbe4SI3MsP4RoeCp5oY31MLZ'
+ - "dryrun_token=dryrunsec_1lTU5w3SuCqJ59aqmri3rhLVJtabQ0BM"
+ references:
+ - https://docs.dryrun.security/
+ - https://simple-api.dryrun.security/api-docs/index.html
+ validation:
+ type: Http
+ content:
+ request:
+ method: GET
+ url: https://simple-api.dryrun.security/v1/accounts
+ headers:
+ Authorization: "Bearer {{ TOKEN }}"
+ Accept: application/json
+ response_matcher:
+ - report_response: true
+ - type: StatusMatch
+ status: [200]
+ - type: JsonValid
+ - type: WordMatch
+ words:
+ - '"account_id"'
+ match_all_words: true
+ # Revocation not added: the published DryRun Simple API OpenAPI spec documents
+ # bearer-authenticated read/write account resources, but does not expose an
+ # access-key delete, revoke, or "current token" endpoint that can safely
+ # invalidate the presented key.
diff --git a/crates/kingfisher-rules/data/rules/upcloud.yml b/crates/kingfisher-rules/data/rules/upcloud.yml
index 113f9a8..9963fef 100644
--- a/crates/kingfisher-rules/data/rules/upcloud.yml
+++ b/crates/kingfisher-rules/data/rules/upcloud.yml
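Review bot: `report_response: true` in the `response_matcher` list, if it does what its name suggests, attaches the body returned by `/v1/accounts` to the finding, so whatever account metadata that endpoint returns for a live key is written into scan output next to the key itself; when only liveness is needed, `- report_response: false` keeps the finding to the match and the status/JSON/word checks, which is worth confirming against how the validator treats that flag. The `examples` entries mix scalar styles for no reason: the third is double-quoted while the first two are single-quoted and none needs escapes, so `- 'dryrun_token=dryrunsec_1lTU5w3SuCqJ59aqmri3rhLVJtabQ0BM'` would keep the list uniform. The trailing comment explaining why no revocation block exists is useful; placing it directly under the `validation:` key rather than after the matcher list puts it where a reader looking for revocation will find it.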
@@ -14,7 +14,7 @@ rules:
 min_entropy: 3.5
 confidence: medium
 examples:
- - 'UPCLOUD_API_TOKEN=ucat_01DQE3AJDEBFEKECFM558TGH2F'
+ - 'UPCLOUD_API_TOKEN=ucat_01KPW6N68RKV5WV44Y2C5CKTZY'
 - 'upcloud_token: "ucat_01J9K4BNZM3RGXW7VDQFTHY5PC"'
 references:
 - https://upcloud.com/docs/guides/managing-api-tokens/