diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8cf2a45..5f625a6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -80,6 +80,8 @@ jobs:
 - name: Build Darwin x64
 run: make darwin-x64
+ - name: Run tests
+ run: make tests
 - name: Move artifacts to dist
 shell: bash
@@ -109,6 +111,8 @@ jobs:
 - name: Build Darwin arm64
 run: make darwin-arm64
+ - name: Run tests
+ run: make tests
 - name: Move artifacts to dist
 shell: bash
diff --git a/data/rules/adafruitio.yml b/data/rules/adafruitio.yml
index ee622f9..17b271f 100644
--- a/data/rules/adafruitio.yml
+++ b/data/rules/adafruitio.yml
@@ -28,4 +28,4 @@ rules:
 type: StatusMatch
 - type: WordMatch
 words:
- - '"username":"kingfishermdb"'
\ No newline at end of file
+ - '"username"'
\ No newline at end of file
diff --git a/data/rules/azuresearchquery.yml b/data/rules/azuresearchquery.yml
index 6cfdbf7..87272fb 100644
--- a/data/rules/azuresearchquery.yml
+++ b/data/rules/azuresearchquery.yml
@@ -9,7 +9,7 @@ rules:
 (?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)
 (?:.|[\n\r]){0,32}?
 (
- [0-9a-zA-Z]{52}
+ [0-9A-Z]{52}
 )
 \b
 min_entropy: 3.3
diff --git a/data/rules/gradle.yml b/data/rules/gradle.yml
new file mode 100644
index 0000000..42d27ea
--- /dev/null
+++ b/data/rules/gradle.yml
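Review bot: `make tests` is inserted after the build step in both the darwin-x64 job and the darwin-arm64 job (second hunk at -109), so a failing suite only aborts the release after the full cross-build has already run; unless the tests need the freshly built binary, placing `- name: Run tests` / `run: make tests` ahead of the `Build Darwin …` step fails faster and spends less runner time on a doomed release. The neighbouring `Move artifacts to dist` step pins `shell: bash` while the new step relies on the runner default, which is bash on macOS runners but is worth matching for consistency. The enclosing job definitions start outside both hunks, so whether the remaining build jobs received the same gate cannot be seen here.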
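Review bot: The replacement word `"username"` in the WordMatch is a bare field-name substring, so any 200 response that merely mentions the key (an error object, or a `"username": null` payload) now satisfies a matcher that previously required a populated value for one specific account; requiring the opening quote of the value, `- '"username":"'`, keeps the decoupling from that account without loosening the check to the field name alone. Whether the Adafruit endpoint can answer 200 without a user object is not visible from this hunk, so the StatusMatch may already be sufficient in practice.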
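Review bot: Narrowing the character class to `[0-9A-Z]{52}` only takes effect if the pattern is case-sensitive, and the flags line of this pattern block sits above the hunk (the block starts outside it); if it reads `(?xi)`, as the sibling rule files in this commit do, `[0-9A-Z]` and `[0-9a-zA-Z]` match the same text and the change is a no-op. If uppercase-only keys are the intent, drop the `i` flag, or, where the regex engine supports scoped flags, wrap only the key body as `(?-i:[0-9A-Z]{52})` so the keyword alternation stays case-insensitive while the key does not. A comment on the pattern stating which case the real key format uses would make the intent reviewable next time.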
@@ -0,0 +1,33 @@
+rules:
+ - name: Hardcoded Gradle Credentials
+ id: kingfisher.gradle.1
+ pattern: |
+ (?xi)
+ credentials \s* \{
+ (?:\s*//.*)*
+ \s* (?:username|password) \s ['"]([^'"]{1,60})['"]
+ (?:\s*//.*)*
+ \s* (?:username|password) \s ['"]([^'"]{1,60})['"]
+ min_entropy: 3.3
+ confidence: medium
+ examples:
+ - |
+ credentials {
+ username 'user'
+ password 'password'
+ }
+ - |
+ publishing {
+ repositories {
+ maven {
+ url "http://us01cmsysart01.example.com:8081/artifactory/Mobile-Libs-Internal"
+ credentials {
+ // your password here
+
+ username "SOME_USERNAME"
+ password "SOME_PASSWORD"
+ }
+ }
+ }
+ - "credentials {\n username 'user'\n password 'password'\n}"
+ - "credentials {\n username \"user\"\n password \"password\"\n}"
\ No newline at end of file
diff --git a/data/rules/grafana.yml b/data/rules/grafana.yml
new file mode 100644
index 0000000..354d530
--- /dev/null
+++ b/data/rules/grafana.yml
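Review bot: The two key lines `\s* (?:username|password) \s ['"]([^'"]{1,60})['"]` accept exactly one whitespace character between the keyword and the quoted value, so `username  'user'` with two spaces, the Groovy assignment form `username = 'user'` and the Kotlin DSL `username = "user"` are all missed; `\s* (?:username|password) \s* =? \s* ['"]([^'"]{1,60})['"]` on both lines covers those forms with the same capture groups. Because both slots accept either keyword, the pattern also fires on two `username` lines with no password, and nothing ties group 1 to the username and group 2 to the password, so how the scanner reports the two captures is not decidable from the rule alone. The placeholder values in the examples (`'password'`, `"SOME_PASSWORD"`) are low-entropy, so if `min_entropy: 3.3` is applied per capture when examples are checked, these examples may not self-validate; a comment on `min_entropy` saying which group it is measured against would settle that.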
@@ -0,0 +1,114 @@
+rules:
+ - name: Grafana API Token
+ id: kingfisher.grafana.1
+ pattern: |
+ (?xi)
+ \b
+ (
+ eyJrIjoi[a-z0-9]{60,100}
+ )
+ \b
+ min_entropy: 3.3
+ confidence: medium
+ examples:
+ - 'Authorization: Bearer eyJrIjoiWHZiSWd5NzdCYUZnNUtibE8obUpESmE2bzJYNDRIc1UiLCJuIjoibXlrZXkiLCJpZCI7MX1'
+ - 'admin_client = GrafanaClient("eyJrIjoiY21sM1JRYjB6RnVYSTNLenRWQkFEaWN2bXI2V202U2IiLCJuIjoiYWRtaW5rZXkiLCJpZCI6MX0=", host=grafana_host, port=3000, protocol="http")'
+ references:
+ - https://grafana.com/docs/grafana/latest/developers/http_api/auth/
+
+ - name: Grafana Cloud API Token
+ id: kingfisher.grafana.2
+ pattern: |
+ (?xi)
+ \b
+ (
+ glc_
+ [a-z0-9+/]{40,150}
+ ={0,2}
+ )
+ min_entropy: 3.3
+ confidence: medium
+ examples:
+ - ' "token": "glc_eyJrIjoiZjI0YzZkNGEwZDBmZmZjMmUzNTU3ODcxMmY0ZWZlNTQ1NTljMDFjOCIsIm6iOiJteXRva3VuIiwiaWQiOjF8"'
+ - 'grafana = glc_etLvNLoNMLt7MTczNNwNbN6Nm1ldGEtbW9paxRvcmlpZt14ZXN4NNwNatN6NLCxdKeH7KTUvWpNqCrHlMKE9EhLcZH7to'
+ references:
+ - https://grafana.com/docs/grafana-cloud/developer-resources/api-reference/cloud-api/#regions
+ validation:
+ type: Http
+ content:
+ request:
+ headers:
+ Authorization: Bearer {{ TOKEN }}
+ method: GET
+ response_matcher:
+ - report_response: true
+ - status:
+ - 200
+ type: StatusMatch
+ url: https://grafana.com/api/stack-regions
+
+ - name: Grafana Service Account Token
+ id: kingfisher.grafana.3
+ pattern: |
+ (?x)
+ \b
+ (glsa_[a-zA-Z0-9]{32}_[a-fA-F0-9]{8})
+ \b
+ min_entropy: 3.3
+ confidence: medium
+ examples:
+ - |
+ curl -H "Authorization: Bearer glsa_HOruNAb7SOiCdshU7algkrq7FDsNSLAa_55e2f8be" -X GET '/api/access-control/user/permissions' | jq
+ - |
+ // getData()
+ // {
+ // let url="http://localhost:4200/api/search"
+ // const headers = new HttpHeaders({
+ // 'Content-Type': 'application/json',
+ // 'Authorization': `Bearer glsa_Sof0HKi3agxrQP9qm5r2G98VacBNwV5P_9b638c45`
+ // })
+ // return this.http.get(url, {headers: headers});
+ // }
+ references:
+ - https://grafana.com/docs/grafana/latest/administration/service-accounts/
+ validation:
+ type: Http
+ content:
+ request:
+ method: GET
+ headers:
+ Authorization: Bearer {{ TOKEN }}
+ response_matcher:
+ - report_response: true
+ - status:
+ - 200
+ type: StatusMatch
+ url: "{{ GRAFANADOMAIN }}/api/access-control/me"
+ depends_on_rule:
+ - rule_id: kingfisher.grafana.4
+ variable: GRAFANADOMAIN
+
+ - name: Grafana Domain
+ id: kingfisher.grafana.4
+ pattern: |
+ (?xi)
+ \b
+ (
+ (?:https?://)?
+ (?:
+ (?:[A-Za-z0-9-]+\.)*
+ grafana
+ (?:\.[A-Za-z0-9-]+)+
+ )
+ (?:\:\d{2,5})?
+ (?:[/?#][^\s]*)?
+ )
+ \b
+ min_entropy: 3.0
+ visible: false
+ confidence: medium
+ examples:
+ - https://grafana.example.com
+ - http://grafana.prod.eu-west.mycorp.internal:3000/login
+ - https://api.team1.grafana.services.cluster.local/health
+ - grafana.dev.foo-bar.co.uk
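Review bot: The URL templated in rule 3's validation, `"{{ GRAFANADOMAIN }}/api/access-control/me"`, is built from rule 4's capture group, but that group also swallows any path, query or fragment because `(?:[/?#][^\s]*)?` sits inside the parentheses, so a hit like the example `http://grafana.prod.eu-west.mycorp.internal:3000/login` yields `.../login/api/access-control/me`; reordering the tail to `(?:\:\d{2,5})?`, `)`, `(?:[/?#][^\s]*)?` keeps the capture at scheme, host and port. The scheme is optional as well, so a bare match such as the fourth example `grafana.dev.foo-bar.co.uk` produces a schemeless validation URL; either require `https?://` in rule 4 (and drop that example) or normalise the variable before templating. Because that validation sends the live service-account token to whatever host rule 4 found, a documentation link such as the `https://grafana.com/docs/...` references in this very file also satisfies rule 4, so it is worth confirming how the scanner pairs a token with a domain match before the rule ships. Separately, rule 1's class `[a-z0-9]{60,100}` omits the `+`, `/` and `=` that rule 2 allows, so a base64 API key containing those characters is truncated at the first one or missed.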