From bc65ce9d5b50f13d5f24ce8ce4fbe72bcb40c623 Mon Sep 17 00:00:00 2001
From: Mick Grove
Date: Tue, 21 Apr 2026 14:32:32 -0700
Subject: [PATCH] performance improvements and rule improvements

---
 .../kingfisher-rules/data/rules/highnote.yml  |  2 +-
 crates/kingfisher-rules/data/rules/stripe.yml | 34 +++------
 .../kingfisher-rules/data/rules/upstash.yml   | 75 +++++++++++++++++++
 crates/kingfisher-rules/data/rules/workos.yml |  5 +-
 4 files changed, 92 insertions(+), 24 deletions(-)

diff --git a/crates/kingfisher-rules/data/rules/highnote.yml b/crates/kingfisher-rules/data/rules/highnote.yml
index c8ddf35..846ac99 100644
--- a/crates/kingfisher-rules/data/rules/highnote.yml
+++ b/crates/kingfisher-rules/data/rules/highnote.yml
@@ -8,7 +8,7 @@ rules:
       (?:.|[\n\r]){0,24}?
       \b
       (
-        (?:sk|rk)_(?:live|test)_[a-zA-Z0-9]{20,60}
+        sk_live_a2V5Xz[A-Za-z0-9+/]{69}
       )
       \b
     pattern_requirements:
diff --git a/crates/kingfisher-rules/data/rules/stripe.yml b/crates/kingfisher-rules/data/rules/stripe.yml
index 9d223ae..c9fafc7 100644
--- a/crates/kingfisher-rules/data/rules/stripe.yml
+++ b/crates/kingfisher-rules/data/rules/stripe.yml
@@ -1,26 +1,22 @@
 rules:
   - name: Stripe Publishable Key
     id: kingfisher.stripe.1
-
     pattern: |
-      (?xi)
-      (?:stripe|strp)
-      (?:.|[\n\r]){0,16}?
-      (?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)
-      (?:.|[\n\r]){0,16}?
-      (
-        pk_live_
-        (?:[0-9A-Z]{6}){4,30}
+      (?x)
+      \b
+      (
+        pk_live_[A-Za-z0-9]{24,128}
       )
+      \b
     pattern_requirements:
       min_digits: 2
       min_uppercase: 1
       min_lowercase: 1
       min_entropy: 3.3
     confidence: medium
-    categories: [api, key]
     examples:
       - stripe_pub_key = pk_live_HQS0j4H75XpthOW87eY1sXa2BYz3Ab
+      - stripe_pub_key = pk_live_51O4GlNLQpd8Ph8H3or6Sv8fhuSPIQncX0dY318y8Hc9SYRyS4aeyrTN19ztOmAsuVZSTKNfI7RZoSOwNkLa0cwm010oLA68VFA
     references:
       - https://stripe.com/docs/api/authentication
 
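Review bot: The new Highnote capture `sk_live_a2V5Xz[A-Za-z0-9+/]{69}` is byte-identical to the WorkOS capture introduced in the workos.yml hunk of this same patch, so a token of that shape will be reported by both rules unless the keyword context above the capture (only its trailing `(?:.|[\n\r]){0,24}?` is inside the hunk) tells them apart. `a2V5Xz` is the base64 encoding of `key_` followed by a digit, i.e. the key shape the WorkOS rule encodes; if Highnote keys genuinely share it, a comment such as `# same token shape as the WorkOS rule; the highnote keyword context is what distinguishes the two` would stop the next reader from treating this as a copy-paste of the WorkOS pattern, and if they do not, the removed `(?:sk|rk)_(?:live|test)_…` shape needs revisiting. The rule's `pattern:` block starts before the hunk.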
@@ -28,25 +24,20 @@ rules:
     id: kingfisher.stripe.2
     pattern: |
-      (?xi)
-      (?:stripe|strp)
-      (?:.|[\n\r]){0,16}?
-      (?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)
-      (?:.|[\n\r]){0,16}?
+      (?x)
+      \b
       (
-        (?:
-          sk|rk
-        )_live_
-        (?:[0-9A-Z]{8}){3,25}
+        (?:sk|rk)_(?:test|live)_[A-Za-z0-9]{24,128}
       )
+      \b
     pattern_requirements:
       min_digits: 2
       min_entropy: 3.3
     confidence: medium
     examples:
       - stripe_secret_key = sk_live_f01c79xuuug7yodgzj5ws0h1x2kyvho3
+      - stripe_secret_key = pk_live_51O4GlNLQpd8Ph8H3or6Sv8fhuSPIQncX0dY318y8Hc9SYRyS4aeyrTN19ztOmAsuVZSTKNfI7RZoSOwNkLa0cwm010oLA68VFA
       - "strp_sec_key: rk_live_4haG9YwGkL2hXqTj5pSzo8FzB3uCwE7n"
-
     validation:
       type: Http
       content:
@@ -61,7 +52,6 @@ rules:
           - type: StatusMatch
             status: [200]
           - type: WordMatch
-            match_all_words: true
-            words: ['"object":"account"']
+            words: ['"object":"account"','"id":']
     references:
       - https://stripe.com/docs/api/authentication
diff --git a/crates/kingfisher-rules/data/rules/upstash.yml b/crates/kingfisher-rules/data/rules/upstash.yml
index 27d44b2..260f03b 100644
--- a/crates/kingfisher-rules/data/rules/upstash.yml
+++ b/crates/kingfisher-rules/data/rules/upstash.yml
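Review bot: The added example `stripe_secret_key = pk_live_51O4G…` cannot match this rule: the new capture admits only `(?:sk|rk)_(?:test|live)_`, so a `pk_live_` value is a publishable-key sample pasted into the secret-key rule. Assuming the rule loader checks that every example matches its own pattern, this will fail; change the example to an `sk_live_`/`rk_test_` value of the same length, or drop it. The enclosing rule's `name:` line is above the hunk.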
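Review bot: Dropping `match_all_words: true` while adding `'"id":'` to `words:` weakens the response check: if the matcher's default is any-word, a 200 whose body merely contains `"id":` — essentially every successful Stripe object response — now validates the key even when `"object":"account"` is absent. If the intent is to accept restricted `rk_` keys that cannot read the account object, record that next to the words line, e.g. `# any listed word suffices; "id": accepts non-account responses a restricted key may return`; otherwise keep `match_all_words: true`. The request block this matcher belongs to starts before the hunk.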
@@ -74,3 +74,78 @@ rules:
       - 'upstash_url=https://sharp-raven-67890.upstash.io'
     references:
       - https://upstash.com/docs/redis/features/restapi
+
+  - name: Upstash Account Email
+    id: kingfisher.upstash.3
+    pattern: |
+      (?xi)
+      \b
+      (?:
+        UPSTASH_EMAIL
+        |
+        upstash
+        (?:.|[\n\r]){0,40}?
+        email
+      )
+      (?:.|[\n\r]){0,12}?
+      (
+        [A-Za-z0-9._%+\-]+
+        @
+        [A-Za-z0-9.\-]+\.[A-Za-z]{2,}
+      )
+      \b
+    min_entropy: 2.0
+    confidence: medium
+    visible: false
+    examples:
+      - UPSTASH_EMAIL=agent@example.com
+      - 'upstash email: "ops.bot@example.org"'
+    references:
+      - https://upstash.com/docs/devops/cli/overview
+
+  - name: Upstash Management API Key
+    id: kingfisher.upstash.4
+    pattern: |
+      (?xi)
+      \b
+      (?i:upstash)
+      (?:.|[\n\r]){0,24}?
+      \b
+      (
+        [0-9a-f]{8}
+        -
+        [0-9a-f]{4}
+        -
+        4[0-9a-f]{3}
+        -
+        [89ab][0-9a-f]{3}
+        -
+        [0-9a-f]{12}
+      )
+      \b
+    min_entropy: 3.0
+    confidence: medium
+    examples:
+      - UPSTASH_API_KEY=7e6fbb80-71d8-4f97-9b38-62c17a3de154
+      'upstash management api key: "9d13b4f2-2d43-4378-8f32-4fca3d6be861"'
+    references:
+      - https://upstash.com/docs/devops/developer-api/authentication
+      - https://upstash.com/docs/devops/cli/overview
+    depends_on_rule:
+      - rule_id: kingfisher.upstash.3
+        variable: UPSTASH_EMAIL
+    validation:
+      type: Http
+      content:
+        request:
+          method: GET
+          url: https://api.upstash.com/v2/redis/databases
+          headers:
+            Accept: application/json
+            Authorization: "Basic {{ UPSTASH_EMAIL | append: ':' | append: TOKEN | b64enc }}"
+        response_matcher:
+          - report_response: true
+          - type: StatusMatch
+            status: [200]
+          - type: JsonValid
+    # Upstash Management API keys are created and deleted in the Upstash console; no self-revocation API is documented.
diff --git a/crates/kingfisher-rules/data/rules/workos.yml b/crates/kingfisher-rules/data/rules/workos.yml
index 1753a70..0d89127 100644
--- a/crates/kingfisher-rules/data/rules/workos.yml
+++ b/crates/kingfisher-rules/data/rules/workos.yml
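Review bot: The second example of `kingfisher.upstash.4`, `'upstash management api key: "9d13b4f2-…"'`, appears without the `- ` sequence marker that every other example line in this hunk carries; if the patch text is faithful, that line is not a list item and the file will most likely fail to parse (a `: ` inside a plain-scalar continuation is not allowed), so it should read `- 'upstash management api key: "9d13b4f2-2d43-4378-8f32-4fca3d6be861"'`. Separately, the validation for this rule sets `report_response: true` on a request that lists the account's Redis databases; whatever that body contains ends up in the finding output, so confirm the listing carries no per-database connection details you would not want copied into a report, or drop the flag and rely on `StatusMatch` plus `JsonValid`.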
@@ -4,8 +4,11 @@ rules:
     pattern: |
       (?x)
       \b
+      (?i:workos)
+      (?:.|[\n\r]){0,24}?
+      \b
       (
-        sk_(?:live|test)_a2V5Xz[A-Za-z0-9+/]{69}
+        sk_live_a2V5Xz[A-Za-z0-9+/]{69}
       )
       \b
     pattern_requirements: