From e46fa7b86c73f6502a268904ee08d49fcc445ec2 Mon Sep 17 00:00:00 2001
From: Mick Grove
Date: Mon, 9 Mar 2026 09:37:49 -0700
Subject: [PATCH] rule improvements to reduce FP's
---
 .../kingfisher-rules/data/rules/alibaba.yml | 21 ++++++++++----
 .../data/rules/azurestorage.yml | 28 +++++++++++++------
 crates/kingfisher-rules/data/rules/jwt.yml | 4 +--
 .../kingfisher-rules/data/rules/mongodb.yml | 24 ++++++++++++++++
 4 files changed, 61 insertions(+), 16 deletions(-)
diff --git a/crates/kingfisher-rules/data/rules/alibaba.yml b/crates/kingfisher-rules/data/rules/alibaba.yml
index 82fdf9f..70e1658 100644
--- a/crates/kingfisher-rules/data/rules/alibaba.yml
+++ b/crates/kingfisher-rules/data/rules/alibaba.yml
@@ -23,13 +23,24 @@ rules:
 - name: Alibaba Access Key Secret
 id: kingfisher.alibabacloud.2
 pattern: |
- (?xi)
+ (?x)
 \b
- alibaba
- (?:.|[\n\r]){0,32}?
- (
- [a-z0-9]{30}
+ (?i:alibaba|alibaba[\s_-]*cloud|aliyun)
+ (?:.|[\n\r]){0,40}?
+ (?i:access[\s_-]*key[\s_-]*secret|access[\s_-]*secret|secret|token|key)
+ (?:.|[\n\r]){0,16}?
+ (?:
+ [=:]
+ |
+ ["']\s*:\s*["']
 )
+ \s*
+ ["']?
+ (
+ [A-Za-z0-9]{30}
+ )
+ \b
+ ["']?
 min_entropy: 4.2
 confidence: medium
 examples:
diff --git a/crates/kingfisher-rules/data/rules/azurestorage.yml b/crates/kingfisher-rules/data/rules/azurestorage.yml
index 1bf3cb5..8684755 100644
--- a/crates/kingfisher-rules/data/rules/azurestorage.yml
+++ b/crates/kingfisher-rules/data/rules/azurestorage.yml
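Review bot: In the alibaba hunk the new pattern makes an operator mandatory (`[=:]` or a quoted JSON key) within 16 characters of the keyword, so contexts the old `alibaba(?:.|[\n\r]){0,32}?` form caught without any separator (a secret listed in a table or prose after "Alibaba secret") no longer fire; that looks like the intended FP trade-off, but nothing in the rule records it. The rule's `examples:` list starts outside the hunk, so it is worth confirming it still exercises each keyword form (`access key secret`, bare `secret`/`token`/`key`, and the JSON `"key": "value"` shape) under the stricter anchor. The second operator alternative, `["']\s*:\s*["']`, is already covered by the first: the lazy `{0,16}?` gap absorbs the quote before the colon and `\s*["']?` takes the one after it, so the alternative can be dropped or annotated with the inline-comment style the jwt rule uses, e.g. `(?# quoted JSON key )`. The same redundant alternative appears in the azurestorage hunk.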
@@ -31,33 +31,43 @@ rules:
 - name: Azure Storage Account Key
 id: kingfisher.azurestorage.2
 pattern: |
- (?xi)
+ (?x)
 \b
 (?:
- azure(?:[_\s-]*storage)?
+ (?i:azure)(?:[_\s-]*(?i:storage))?
 (?:[_\s-]*(?:account[_\s-]*key|storage[_\s-]*key|shared[_\s-]*key|access[_\s-]*key|accountkey))
 |
- account[_\s-]*key
+ (?i:account)[_.\s-]*(?i:key)
 |
- storage[_\s-]*key
+ (?i:storage)[_.\s-]*(?i:key)
 )
 \b
 (?:.|[\n\r]){0,24}?
- [ \t]*[=:][ \t]*
- ['"]?
+ (?:
+ [=:]
+ |
+ ["']\s*:\s*["']
+ )
+ \s*
+ ["']?
 (
- [A-Z0-9+\\/-]{86,88}(?:={1,2})?
+ [A-Za-z0-9+/]{86}==
 )
 ['"]?
 pattern_requirements:
 min_digits: 2
 min_uppercase: 2
 min_lowercase: 2
+ min_special_chars: 1
 min_entropy: 4.0
 confidence: medium
 examples:
- - Azure AccountKey=Xy9aB8cD7eF6gH5iJ4kL3mN2oP1qR0sT9uV8wX7yZ6aB5cD4eF3gH2iJ1kL0mN9oP8qR7sT6uV5wX4yZ3aB2cD1q
- - Azure AccountKey=Ky7aC1cD7eF6gH5iJ4kL3mN2oP1qR0sT9uV8wX7yZ6aB5cD4eF3gH2iJ1kL0mN9oP8qR7sT6uV5wX4yZ3aB2cD1g==\
+ - Azure AccountKey=oqb4TdY9T0hphvktd5fJnMiHuQqzVy1jd5sSuOpAbGkaoqTlrHl0BOJN2okcasinVLOJzfDbZo1L+ASt68RAhA==
+ - Azure AccountKey=B/1EVX2Ui47X09tqU3GI/j+Nko9r5COPm0Hea9tfzitF9MQX9lZZiNO3tYQckWnt+rtlGIWS+sCx+AStkq8ZLg==
+ - Azure AccountKey=u45diQdTiXeuSKl5r4EjgbPP72EYpuTNEzfMTi0mk+d2sTisA4gWzt4H1Ag3kqFaCykWZv2S6KQo+AStHF56RQ==
+ - Azure AccountKey=b8a/Z4wFAbhOPQTMa4PUTKr2XQhwoyWtP/3PnEto3mK86CFQnVYyTV/HSrij88h5jVYyzwUk0oTw+AStIKN/4w==
+ - Azure AccountKey=JJD1GDiHCmtTpCOKpBYkXgZKrZvi7P4mRDe3jNVGc/JL/bp51uWcWL0rkOByk5VsX2MM62A/ABkE+AStU9qMkA==
+ - Azure AccountKey=u45diQdTiXeuSKl5r4EjgbPP72EYpuTNEzfMTi0mk+d2sTisA4gWzt4H1Ag3kqFaCykWZv2S6KQo+AStHF56RQ==
 validation:
 type: AzureStorage
 references:
diff --git a/crates/kingfisher-rules/data/rules/jwt.yml b/crates/kingfisher-rules/data/rules/jwt.yml
index a5a2503..95ec817 100644
--- a/crates/kingfisher-rules/data/rules/jwt.yml
+++ b/crates/kingfisher-rules/data/rules/jwt.yml
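Review bot: Dropping the `i` flag (`(?xi)` → `(?x)`) leaves the unchanged context line `(?:[_\s-]*(?:account[_\s-]*key|storage[_\s-]*key|shared[_\s-]*key|access[_\s-]*key|accountkey))` case-sensitive, so forms such as `AZURE_STORAGE_ACCESS_KEY=` or `Azure Storage Shared Key:` no longer match the first alternative and are not rescued by the `account…key`/`storage…key` fallbacks either; wrap that group as well: `(?:[_\s-]*(?i:account[_\s-]*key|storage[_\s-]*key|shared[_\s-]*key|access[_\s-]*key|accountkey))`. The third and sixth new examples are the same string (`u45diQdT…AStHF56RQ==`), so one of them adds no coverage. `min_special_chars: 1` is always satisfied by the `==` the capture now requires, so it documents nothing unless the requirement is evaluated on something other than the capture group — a comment saying which would settle it. All six examples carry `+ASt` at the same offset, which is consistent with the fixed identifier in Microsoft's newer key format; if the rule is meant for those keys that could be pinned in the pattern, but I have not verified the format from this page.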
@@ -8,9 +8,9 @@ rules:
 \.
 ey[A-Za-z0-9_-]{12,} (?# payload )
 \.
- [A-Za-z0-9_-]{12,} (?# signature )
+ [A-Za-z0-9_-]{24,} (?# signature )
 )
- (?:[^A-Z0-9_-])
+ (?:[^A-Za-z0-9_-]|$)
 pattern_requirements:
 min_digits: 4
 min_entropy: 3.3
diff --git a/crates/kingfisher-rules/data/rules/mongodb.yml b/crates/kingfisher-rules/data/rules/mongodb.yml
index 624cfe0..a149d36 100644
--- a/crates/kingfisher-rules/data/rules/mongodb.yml
+++ b/crates/kingfisher-rules/data/rules/mongodb.yml
@@ -125,6 +125,30 @@ rules:
 - "****"
 - "xxxx"
 - "example"
+ - ""
+ - ""
+ - ""
+ - ":
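Review bot: In the jwt hunk the trailing boundary `(?:[^A-Za-z0-9_-]|$)` consumes the delimiter after the signature, so the overall match span now includes one character of whatever follows the token; a lookahead, `(?=[^A-Za-z0-9_-]|$)`, gives the same boundary without consuming it and composes better with adjacent matches. `$` only means end-of-input unless the pattern's flag prefix (before line 8, outside this hunk) sets `m`; a token followed by a newline is already covered by the character class, so the new `$` matters only for a token at the very end of a file or fragment, which is what the old form missed and is worth a word in the comment. The 24-character floor on the signature is a sound cut (an HS256 signature is 43 base64url characters, so anything shorter is truncated or fabricated), but the reason is not recorded; the inline comment already in use could carry it, e.g. `(?# signature; shortest real alg HS256 = 43 chars, 24 rejects truncations )`. The enclosing pattern starts before this hunk.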

"
+ - ""
+ - ""
+ - "{username}:{password}"
+ - "{password}"
+ - "${"
+ - "$("
+ - "{{"
+ - "<"
+ - ":pass@"
+ - ":password@"
+ - ":secret@"
+ - ":passw0rd@"
+ - ":secretPassw0rd@"
+ - ":wrong_password@"
+ - ":fakepassword@"
+ - "@host:"
+ - "@host/"
+ - "@host1:"
+ - "@some.address"
+ - "@connectionString.com"
 min_entropy: 3
 examples:
 - client = mongoc_client_new ("mongodb+srv://someuser:hunter2@my-atlas-rd941.mongodb.net/test?retryWrites=true&w=majority");
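Review bot: Five of the entries added to the mongodb list read as empty strings (`""`) and one as a string broken across lines (`":` … `"`); as rendered here they are either extraction artifacts of non-printing or non-ASCII characters, or genuinely empty values. If any is genuinely empty it is a substring of every candidate and, depending on how this list is applied, would suppress every match of the rule, so the source file should be checked and any control or Unicode characters written as explicit escapes (`"\n"`, `"\t"`, `"\uXXXX"`) so the intent is visible in review. If the list is matched as substrings, `"{password}"` already covers `"{username}:{password}"`; harmless, but the overlap suggests recording in a comment what the list keys on (substring vs. exact, which part of the match). The key that holds this list starts outside the hunk.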