Added checksum comparisons to pattern_requirements, new suffix, crc32, and base62 Liquid filters, and verbose logging so mismatched checksums are skipped with context rather than reported as findings.

Mick Grove 2025-11-07 16:31:24 -08:00
commit ccbbbad5bc
16 changed files with 2355 additions and 122 deletions


@ -40,13 +40,18 @@ rules:
pattern: |
(?xi)
\b
(
ghp_
[A-Z0-9]{36}
(
ghp_(?P<body>[A-Z0-9]{30})(?P<checksum>[A-Z0-9]{6})
)
pattern_requirements:
min_digits: 2
min_lowercase: 2
checksum:
actual:
template: "{{ MATCH | suffix: 6 }}"
requires_capture: checksum
expected: "{{ BODY | crc32 | base62: 6 }}"
skip_if_missing: true
min_entropy: 3.5
examples:
- "GITHUB_KEY=ghp_XIxB7KMNdAr3zqWtQqhE94qglHqOzn1D1stg"
@ -82,11 +87,16 @@ rules:
(?xi)
\b
(
gho_
[A-Z0-9]{36}
gho_(?P<body>[A-Z0-9]{30})(?P<checksum>[A-Z0-9]{6})
)
pattern_requirements:
min_digits: 2
min_digits: 2
checksum:
actual:
template: "{{ MATCH | suffix: 6 }}"
requires_capture: checksum
expected: "{{ BODY | crc32 | base62: 6 }}"
skip_if_missing: true
min_entropy: 3.5
confidence: medium
examples:
@ -119,7 +129,7 @@ rules:
pattern: |
(?xi)
(
ghu_[A-Z0-9]{36}
ghu_(?P<body>[A-Z0-9]{30})(?P<checksum>[A-Z0-9]{6})
)
examples:
- ' "token": "ghu_16C7e42F292c69C2E7C10c838347Ae178B4a",'
@ -153,7 +163,7 @@ rules:
pattern: |
(?xi)
(
ghs_[A-Z0-9]{36}
ghs_(?P<body>[A-Z0-9]{30})(?P<checksum>[A-Z0-9]{6})
)
examples:
- ' "token": "ghs_16C7e42F292c69C2E7C10c838347Ae178B4a",'
@ -187,7 +197,7 @@ rules:
pattern: |
(?xi)
(
ghr_[A-Z0-9]{76}
ghr_(?P<body>[A-Z0-9]{30})(?P<checksum>[A-Z0-9]{6})
)
examples:
- ' "refresh_token": "ghr_1B4a2e77838347a7E420ce178F2E7c6912E169246c3CE1ccbF66C46812d16D5B1A9Dc86A1498",'
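Review bot: In the last hunk the `ghr_` pattern appears to change from `ghr_[A-Z0-9]{76}` to `ghr_(?P<body>[A-Z0-9]{30})(?P<checksum>[A-Z0-9]{6})`, which matches only 36 characters after the prefix, while the example refresh token directly below it has 76. With no trailing boundary the rule would still fire but record a truncated secret, which undermines deduplication, validation and revocation follow-up for that finding. If refresh tokens end in the same 6-character checksum, the body capture should be `(?P<body>[A-Z0-9]{70})`; otherwise keep `{76}` and drop the captures. Separately, the `ghu_`, `ghs_` and `ghr_` hunks add the `body`/`checksum` captures with no `pattern_requirements.checksum` block in view, and the hunk offsets stay at +10 across them, so the checksum does not appear to be enforced for those rules, whose bodies continue outside the hunks. The old/new sides here are inferred from the hunk counts, because the page lost its `+`/`-` markers.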