From bf6c7da4a4f0c4f1cf7f89810c87c5adcd1c80ea Mon Sep 17 00:00:00 2001
From: Mick Grove
Date: Tue, 28 Apr 2026 15:28:48 -0700
Subject: [PATCH] added blog posts
---
 .github/dependabot.yml | 22 +++++++++++++++++--
 CHANGELOG.md | 3 ++-
 ...8-beyond-detection-validate-map-revoke.md} | 14 +++++++-----
 ...2026-04-28-scan-github-org-for-secrets.md} | 2 +-
 docs-site/docs/changelog.md | 2 +-
 5 files changed, 33 insertions(+), 10 deletions(-)
 rename docs-site/docs/blog/posts/{2026-04-26-beyond-detection-validate-map-revoke.md => 2026-04-28-beyond-detection-validate-map-revoke.md} (94%)
 rename docs-site/docs/blog/posts/{2026-04-26-scan-github-org-for-secrets.md => 2026-04-28-scan-github-org-for-secrets.md} (99%)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 0c6b041..97258d5 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,13 +4,31 @@ updates:
 directory: "/"
 schedule:
 interval: "weekly"
- open-pull-requests-limit: 10
+ open-pull-requests-limit: 25
+ cooldown:
+ default-days: 7
+ include:
+ - "*"
+ groups:
+ cargo-patch:
+ update-types: ["patch"]
+ cargo-minor:
+ update-types: ["minor"]
 - package-ecosystem: "github-actions"
 directory: "/"
 schedule:
 interval: "weekly"
- open-pull-requests-limit: 10
+ open-pull-requests-limit: 25
+ cooldown:
+ default-days: 7
+ include:
+ - "*"
+ groups:
+ actions-patch:
+ update-types: ["patch"]
+ actions-minor:
+ update-types: ["minor"]
 ignore:
 - dependency-name: "actions/checkout"
 update-types: ["version-update:semver-major"]
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c9797e2..d4b293d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
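Review bot: The new `cooldown` stanzas in both ecosystem entries hold every dependency (`include: - "*"`) back for seven days without saying why, so the next maintainer who notices Dependabot lagging upstream is likely to remove them; add a comment above each `cooldown:` such as `# Wait 7 days before taking a new release so a compromised or yanked version is caught upstream before we pull it in`. The `cargo-patch`/`cargo-minor` and `actions-patch`/`actions-minor` groups will bundle every matching bump into a single PR, which is fine for throughput but means one merged PR can introduce many new crate or action versions at once; a short comment noting that grouped PRs still need their lockfile diff reviewed would keep that trade-off visible. Whether the seven-day delay also applies to security updates is not visible here and depends on how Dependabot treats `cooldown`, so confirm that advisory-driven PRs are not held back unintentionally. The first `- package-ecosystem:` line of the list this hunk edits sits above the hunk, so the ecosystem of the first entry is only inferred from its `cargo-*` group names.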
@@ -2,8 +2,9 @@ All notable changes to this project will be documented in this file.
-## [v1.98.0]
+## [unreleased v1.98.0]
 - Fixed [#359](https://github.com/mongodb/kingfisher/issues/359): added `kingfisher.github.9` to detect the new ~520-character stateless GitHub App installation token format (`ghs__`). The legacy 36-character `ghs_` rule (`kingfisher.github.5`) is retained for older / GHES-issued tokens that are still in circulation.
+- Added provider endpoint overrides for validation and revocation via global `--endpoint PROVIDER=URL` and `--endpoint-config FILE`, with built-in support for self-hosted GitHub, GitLab, Gitea, Jira, Confluence, and Artifactory instances.
 ## [v1.97.0]
 - **Report viewer cross-tool triage:** when a Kingfisher report is loaded alongside a Gitleaks or TruffleHog report, matching imported findings are enriched with Kingfisher's validation verdict, validation response, validate command, and revoke command. Matching is keyed on `commit + file + line` with a `file + line` fallback, and enriched rows show an "Enriched by Kingfisher" callout in the detail panel plus an "Enriched" chip in the findings table. Added a **Source** column to the findings table; a new **Duplicates Removed by Tool** dashboard panel showing per-tool cards for Kingfisher / TruffleHog / Gitleaks; and an upload-time **Deduplicate findings** toggle (on by default) so users can inspect the raw rows before fingerprint dedup when needed.
diff --git a/docs-site/docs/blog/posts/2026-04-26-beyond-detection-validate-map-revoke.md b/docs-site/docs/blog/posts/2026-04-28-beyond-detection-validate-map-revoke.md
similarity index 94%
rename from docs-site/docs/blog/posts/2026-04-26-beyond-detection-validate-map-revoke.md
rename to docs-site/docs/blog/posts/2026-04-28-beyond-detection-validate-map-revoke.md
index 54f2608..6b72120 100644
--- a/docs-site/docs/blog/posts/2026-04-26-beyond-detection-validate-map-revoke.md
+++ b/docs-site/docs/blog/posts/2026-04-28-beyond-detection-validate-map-revoke.md
@@ -1,5 +1,5 @@
 ---
-date: 2026-04-26
+date: 2026-04-28
 title: "Beyond Detection: Live Validation, Blast Radius, and One-Command Revocation"
 description: >
 Detection alone is noise. Kingfisher answers the three questions that
@@ -32,18 +32,22 @@ Kingfisher answers the three questions that actually matter:
 ## 1. Live validation, not just pattern matching
-Out of Kingfisher's 820 standalone detectors, **484 include live validation
-logic**. When a provider exposes a safe check call, Kingfisher uses that
+Kingfisher can drastically reduce false positives by identifying
+secrets that are still active and valid.
+
+When a provider exposes a safe check call, Kingfisher uses that
 provider's own API to report each credential as `Active`, `Inactive`, or `NotAttempted`. That changes the output from "thousands of regex matches" to a much shorter list of findings that actually authenticate today.
-Validation runs automatically when you scan:
+Validation runs automatically when you run a scan:
 ```bash
-kingfisher scan github --organization my-org
+kingfisher scan github --organization my-org --view-report
+
+kingfisher scan https://github.com/leaktk/fake-leaks.git --view-report
 ```
 Or you can run it standalone when you've already pulled a suspicious value
diff --git a/docs-site/docs/blog/posts/2026-04-26-scan-github-org-for-secrets.md b/docs-site/docs/blog/posts/2026-04-28-scan-github-org-for-secrets.md
similarity index 99%
rename from docs-site/docs/blog/posts/2026-04-26-scan-github-org-for-secrets.md
rename to docs-site/docs/blog/posts/2026-04-28-scan-github-org-for-secrets.md
index 488c9fb..d768dae 100644
--- a/docs-site/docs/blog/posts/2026-04-26-scan-github-org-for-secrets.md
+++ b/docs-site/docs/blog/posts/2026-04-28-scan-github-org-for-secrets.md
@@ -1,5 +1,5 @@
 ---
-date: 2026-04-26
+date: 2026-04-28
 title: "Scanning an Entire GitHub Organization for Leaked Secrets"
 description: >
 Step-by-step guide to scanning every repository in a GitHub organization
diff --git a/docs-site/docs/changelog.md b/docs-site/docs/changelog.md
index 4e4c84d..a17a783 100644
--- a/docs-site/docs/changelog.md
+++ b/docs-site/docs/changelog.md
@@ -7,7 +7,7 @@ description: "Kingfisher release history: new features, rules, bug fixes, and im
 All notable changes to this project will be documented in this file.
-## [v1.98.0]
+## [unreleased v1.98.0]
 - Fixed [#359](https://github.com/mongodb/kingfisher/issues/359): added `kingfisher.github.9` to detect the new ~520-character stateless GitHub App installation token format (`ghs__`). The legacy 36-character `ghs_` rule (`kingfisher.github.5`) is retained for older / GHES-issued tokens that are still in circulation.
 - Added provider endpoint overrides for validation and revocation via global `--endpoint PROVIDER=URL` and `--endpoint-config FILE`, with built-in support for self-hosted GitHub, GitLab, Gitea, Jira, Confluence, and Artifactory instances.