diff --git a/AGENTS.md b/AGENTS.md index 686fb80..7ed5815 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -7,7 +7,7 @@ Guidance for coding agents working in this repository. Kingfisher is an open-source secret scanner and live secret validator written in Rust by MongoDB. It detects, validates, and helps remediate leaked API keys, tokens, and credentials across code repositories, git history, and integrated platforms. Key capabilities: -- Secret detection with 500+ built-in rules (YAML-based, SIMD-accelerated via Hyperscan/vectorscan) +- Secret detection with 942 built-in rules (820 standalone detectors + 122 dependent rules; 484 standalone detectors include live validation as of 2026-04-24) - Live credential validation against provider APIs - Direct secret revocation from CLI - Blast radius mapping (AWS, GCP, Azure, GitHub, GitLab, Slack) @@ -18,7 +18,6 @@ Key capabilities: - Applies to the entire repository rooted at this file. - If a deeper `AGENTS.md` exists in a subdirectory, that file takes precedence for its subtree. - ## Repository Structure - `src/`: main binary source - `src/cli/commands/`: CLI command implementations @@ -35,6 +34,8 @@ Key capabilities: - `tests/`: integration/e2e tests - `testdata/`: test fixtures - `docs/`: user and developer docs +- `docs/viewer/`: static hosted/local report viewer assets +- `docs-site/`: MkDocs documentation sources, overrides, and generated site output - `vendor/vectorscan-rs/`: vendored vectorscan bindings ## Toolchain and Environment 
@@ -96,6 +97,7 @@ Key capabilities: - Add a detection rule: follow the workflow below and validate with relevant tests. - Add a CLI command: implement under `src/cli/commands/` and register in the CLI command wiring. - Add a validator (rare exception path): implement it in `crates/kingfisher-scanner/src/validation/`, prefer `raw.rs` for one-off provider flows, and wire the narrowest feature/dependencies in `crates/kingfisher-scanner/Cargo.toml` only when YAML validation cannot express the required logic. +- Update docs-site rule counts: use `uv run '/Users/mickg/src/kingfisher/data/default/rule_cleanup/count_rules.py'` and update `docs-site/overrides/` plus `docs-site/mkdocs.yml` to match the reported totals before rebuilding the docs site. ## Rule Authoring Workflow Use this when creating or updating rules in `crates/kingfisher-rules/data/rules/`. @@ -135,6 +137,7 @@ Use this when creating or updating rules in `crates/kingfisher-rules/data/rules/ - If validation commands cannot be run, report exactly what was skipped and why. - Prefer `kingfisher scan --format toon` when invoking Kingfisher from an LLM or agent workflow; keep `pretty` for interactive human CLI use unless the task explicitly calls for a different format. - After markdown/doc changes, verify local documentation links when practical. +- After `docs-site/` source changes, rebuild with `docs-site/.venv/bin/mkdocs build -f docs-site/mkdocs.yml` when practical so checked-in generated output stays in sync. ## Documentation Pointers - `docs/USAGE.md` diff --git a/CLAUDE.md b/CLAUDE.md new file mode 100644 index 0000000..1d0da65 --- /dev/null +++ b/CLAUDE.md @@ -0,0 +1 @@ +IMPORTANT: Read and follow all instructions in AGENTS.md before starting any task. \ No newline at end of file diff --git a/docs-site/mkdocs.yml b/docs-site/mkdocs.yml index 12fd251..18ff245 100644 --- a/docs-site/mkdocs.yml +++ b/docs-site/mkdocs.yml 
@@ -1,7 +1,7 @@ site_name: Kingfisher site_url: https://mongodb.github.io/kingfisher site_description: >- - Open source secret scanner with live validation. 938 detection rules, + Open source secret scanner with live validation. 942 detection rules, blast radius mapping, credential revocation, and a browser-based report viewer that also imports Gitleaks and TruffleHog output. Built in Rust by MongoDB. diff --git a/docs-site/overrides/home.html b/docs-site/overrides/home.html index 39f7cb5..897eaac 100644 --- a/docs-site/overrides/home.html +++ b/docs-site/overrides/home.html @@ -36,7 +36,7 @@
- 934 + 942 Detection Rules
diff --git a/docs-site/overrides/main.html b/docs-site/overrides/main.html index e46e75e..1753e8c 100644 --- a/docs-site/overrides/main.html +++ b/docs-site/overrides/main.html @@ -7,7 +7,7 @@ "@context": "https://schema.org", "@type": "SoftwareApplication", "name": "Kingfisher", - "description": "Open source secret scanner with live validation. 934 detection rules, blast radius mapping, and credential revocation.", + "description": "Open source secret scanner with live validation. 942 detection rules, blast radius mapping, and credential revocation.", "applicationCategory": "DeveloperApplication", "operatingSystem": "Linux, macOS, Windows", "license": "https://opensource.org/licenses/Apache-2.0", diff --git a/tests/library_crates_external_project.rs b/tests/library_crates_external_project.rs index b2f3ba3..aeca440 100644 --- a/tests/library_crates_external_project.rs +++ b/tests/library_crates_external_project.rs @@ -17,6 +17,7 @@ fn library_crates_work_from_external_project() -> anyhow::Result<()> { let temp = tempfile::tempdir()?; let project_dir = temp.path().join("external-kingfisher-consumer"); fs::create_dir_all(project_dir.join("src"))?; + fs::copy(repo_root.join("Cargo.lock"), project_dir.join("Cargo.lock"))?; fs::write( project_dir.join("Cargo.toml"), 
@@ -74,8 +75,24 @@ fn main() -> Result<(), Box> { "#, )?; - let output = - Command::new("cargo").arg("run").arg("--quiet").current_dir(&project_dir).output()?; + let lock_output = Command::new("cargo") + .arg("generate-lockfile") + .arg("--offline") + .current_dir(&project_dir) + .output()?; + let lock_stdout = String::from_utf8_lossy(&lock_output.stdout); + let lock_stderr = String::from_utf8_lossy(&lock_output.stderr); + assert!( + lock_output.status.success(), + "external project lockfile generation failed\nstdout:\n{lock_stdout}\nstderr:\n{lock_stderr}" + ); + + let output = Command::new("cargo") + .arg("run") + .arg("--quiet") + .arg("--frozen") + .current_dir(&project_dir) + .output()?; let stdout = String::from_utf8_lossy(&output.stdout); let stderr = String::from_utf8_lossy(&output.stderr);
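Review bot: In AGENTS.md (hunk at -7,7), the new capability line hardcodes exact totals ("942 built-in rules (820 standalone detectors + 122 dependent rules; 484 ... as of 2026-04-24)"), but the update step added later in this patch only names `docs-site/overrides/` and `docs-site/mkdocs.yml` as places to refresh. AGENTS.md itself will go stale the next time a rule is added. Either add AGENTS.md to the list of files in the "Update docs-site rule counts" item or keep an approximate figure here and leave exact numbers to the docs site.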
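Review bot: In AGENTS.md (hunk at -18,7), the only change is the removal of the blank line before `## Repository Structure`, which leaves the heading directly under the last Scope bullet. Common Markdown linters expect a blank line before a heading, and the other sections visible in this diff keep one, so this looks unintentional; restore the blank line or drop the hunk.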
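Review bot: In AGENTS.md (hunk at -96,6), the added command `uv run '/Users/mickg/src/kingfisher/data/default/rule_cleanup/count_rules.py'` uses an absolute path into one developer's home directory. It will not resolve for any other contributor or agent, and it commits a local username and directory layout into the repository. Use a repository-relative path instead (assuming the script is part of the checkout), and if `data/default/rule_cleanup/` is not tracked, say where the script comes from.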
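Review bot: In AGENTS.md (hunk at -135,6), the rebuild command `docs-site/.venv/bin/mkdocs build -f docs-site/mkdocs.yml` assumes a virtualenv already exists at `docs-site/.venv`, and nothing in the visible guidance says how to create it or which packages it needs. Add the setup step (or invoke mkdocs through `uv run`, as the rule-count step does). Since generated output is checked in and the rebuild is only "when practical", a CI check that fails when sources and generated output diverge would be more reliable than this instruction.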
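Review bot: In CLAUDE.md (new file), the single line ends without a trailing newline ("\ No newline at end of file"). Add the newline so later appends produce clean diffs and tools that concatenate or lint text files do not complain.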
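Review bot: In docs-site/mkdocs.yml, docs-site/overrides/home.html and docs-site/overrides/main.html, the values being replaced already disagreed with each other (938 in `site_description`, 934 in the home page counter and in the schema.org `description`), which shows that hand-editing the count in three files drifts. This patch aligns them at 942 but keeps the same manual process. Consider defining the number once (for example as a value in `mkdocs.yml` that the overrides read) or adding a check that compares these strings with the output of the count script.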
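Review bot: In tests/library_crates_external_project.rs (hunk at -17,6), the `fs::copy` of the repository `Cargo.lock` into `project_dir` is followed later in this patch by `cargo generate-lockfile --offline`, and `generate-lockfile` rebuilds an existing lockfile rather than reusing its entries. As written, it is unclear whether the copied pins are meant to survive to the `cargo run --frozen` step or whether the copy is only a placeholder. Add a comment stating the intent, and if the test is supposed to build against the repository's pinned versions, assert that (for example by comparing a known package version in the resulting lockfile) so a silent re-resolution is caught.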
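Review bot: In tests/library_crates_external_project.rs (hunk at -74,8), both new invocations forbid network access (`--offline` on `generate-lockfile`, `--frozen` on `run`), so the test now depends on every crate the external project resolves already being in the local cargo cache. On a cold cache it fails with a resolution error that reads like a test failure. Keeping the test off the network is a reasonable choice, but document the precondition in a comment and in the assertion message ("external project lockfile generation failed" could mention that dependencies must be fetched or vendored first). The failure path of the `cargo run` step should print the same hint.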