diff --git a/CHANGELOG.md b/CHANGELOG.md index 6526ee6..aec63c5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,9 @@ All notable changes to this project will be documented in this file. +## [1.41.0] +- Added rules for: Vercel + ## [1.40.0] - Dropped the “prevalidated” flag from rule definitions and validation logic so every finding now flows through the standard active/inactive/unknown pipeline, simplifying rule configuration and preventing special‑case bypasses - Improved Tailscale api key detectors diff --git a/Cargo.toml b/Cargo.toml index 15ad49a..db985c4 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -10,7 +10,7 @@ publish = false [package] name = "kingfisher" -version = "1.40.0" +version = "1.41.0" description = "MongoDB's blazingly fast secret scanning and validation tool" edition.workspace = true rust-version.workspace = true diff --git a/data/rules/airbrake.yml b/data/rules/airbrake.yml index 9d55e24..d54d261 100644 --- a/data/rules/airbrake.yml +++ b/data/rules/airbrake.yml @@ -5,9 +5,7 @@ rules: (?xi) \b airbrake - (?:.|[\n\r]){0,16}? - (?:SECRET|PRIVATE|ACCESS|KEY|TOKEN) - (?:.|[\n\r]){0,16}? + (?:.|[\n\r]){0,32}? ( [A-Z0-9-]{40} ) diff --git a/data/rules/aiven.yml b/data/rules/aiven.yml index 0f4c727..19f449a 100644 --- a/data/rules/aiven.yml +++ b/data/rules/aiven.yml @@ -2,11 +2,10 @@ rules: - name: Aiven API Key id: kingfisher.aiven.1 pattern: | - (?xi) + (?xi) + \b aiven (?:.|[\n\r]){0,32}? - (?:SECRET|PRIVATE|ACCESS|KEY|TOKEN) - (?:.|[\n\r]){0,32}? \b ( [a-z0-9/+=]{372} diff --git a/data/rules/asana.yml b/data/rules/asana.yml index 0824711..85e30c5 100644 --- a/data/rules/asana.yml +++ b/data/rules/asana.yml @@ -6,8 +6,6 @@ rules: \b asana (?:.|[\n\r]){0,32}? - (?:SECRET|PRIVATE|ACCESS|KEY|TOKEN) - (?:.|[\n\r]){0,32}? \b ( [0-9]{16} diff --git a/data/rules/atlassian.yml b/data/rules/atlassian.yml index 6d4ac9c..32dccb2 100644 --- a/data/rules/atlassian.yml +++ b/data/rules/atlassian.yml 
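Review bot: The loosened airbrake pattern no longer requires a credential keyword between `airbrake` and the 40-character capture, and the same keyword line is dropped in the aiven, asana and atlassian hunks here and in the baremetrics and heroku hunks below, so these rules now rely only on min_entropy and live validation (both outside the hunks) to reject look-alike tokens. The asana case is the most exposed: `[0-9]{16}` within 32 characters of "asana" is the same shape as the numeric object GIDs found in ordinary app.asana.com URLs, so presumably each such URL now becomes a candidate handed to the validator as if it were a credential. A short comment above each loosened pattern recording the intent, e.g. `# no keyword anchor: look-alike tokens are filtered by min_entropy and validation`, would keep the trade-off visible to the next maintainer. For airbrake the single `(?:.|[\n\r]){0,32}?` gap replaces two 16-character gaps around the keyword, so the total reach before the capture is unchanged.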
@@ -6,8 +6,6 @@ rules:
 \b
 atlassian
 (?:.|[\n\r]){0,32}?
- (?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)
- (?:.|[\n\r]){0,32}?
 \b
 (
 [a-z0-9]{24}
diff --git a/data/rules/baremetrics.yml b/data/rules/baremetrics.yml
index 415731e..2036d18 100644
--- a/data/rules/baremetrics.yml
+++ b/data/rules/baremetrics.yml
@@ -6,8 +6,6 @@ rules:
 \b
 baremetrics
 (?:.|[\n\r]){0,32}?
- (?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)
- (?:.|[\n\r]){0,32}?
 \b
 (
 [a-z0-9_-]{25}
diff --git a/data/rules/fastly.yml b/data/rules/fastly.yml
index c5d4fcb..77618a6 100644
--- a/data/rules/fastly.yml
+++ b/data/rules/fastly.yml
@@ -9,7 +9,9 @@ rules:
 (?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)
 (?:.|[\n\r]){0,32}?
 \b
- ([a-z0-9_-]{32})
+ (
+ [a-z0-9_-]{32}
+ )
 \b
 min_entropy: 3.5
 confidence: medium
diff --git a/data/rules/heroku.yml b/data/rules/heroku.yml
index 3686e7a..b06d58e 100644
--- a/data/rules/heroku.yml
+++ b/data/rules/heroku.yml
@@ -2,10 +2,9 @@ rules:
 - name: Heroku API Key
 id: kingfisher.heroku.1
 pattern: |
- (?xi)
+ (?xi)
+ \b
 heroku
- (?:.|[\n\r]){0,32}?
- (?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)
 (?:.|[\n\r]){0,32}?
 \b
 (
diff --git a/data/rules/vercel.yml b/data/rules/vercel.yml
new file mode 100644
index 0000000..d649b00
--- /dev/null
+++ b/data/rules/vercel.yml
@@ -0,0 +1,39 @@
+rules:
+ - name: Vercel API Token
+ id: kingfisher.vercel.1
+ pattern: |
+ (?xi)
+ \b
+ vercel
+ (?:.|[\n\r]){0,32}?
+ \b
+ (
+ [a-zA-Z0-9]{24}
+ )
+ \b
+ confidence: medium
+ min_entropy: 3.5
+ validation:
+ type: Http
+ content:
+ request:
+ method: GET
+ url: https://api.vercel.com/v2/user
+ headers:
+ Authorization: "Bearer {{TOKEN}}"
+ response_matcher:
+ - report_response: true
+ - type: StatusMatch
+ status: [200]
+ - type: WordMatch
+ words:
+ - '"user":'
+ - '"email":'
+ match_all_words: true
+ references:
+ - https://vercel.com/docs/rest-api#authentication
+ examples:
+ - "vercel-key = DdZV6ZDZW6Vpl7n7JqtrCE5i"
+ - "vercel_token = zyMBA1qVEMAf4UNNZtCAbg6u"
+ - "vercel_api_key = MTg0AW799OY1HmyDdn84or3C"
+ - "vercel_secret = A7n9Xfp3tBz7D0XpOTMWpiOM"
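Review bot: With only `\b vercel (?:.|[\n\r]){0,32}?` in front of it, the capture `[a-zA-Z0-9]{24}` matches any 24-character alphanumeric word within 32 characters of the word "vercel", so identifiers of that shape in Vercel CLI output or project metadata would presumably reach the validator with `min_entropy: 3.5` as the only pre-filter. Under `(?xi)` the class is already case-insensitive, so `[a-z0-9]{24}` matches the same strings and reads like the sibling rules touched in this commit. `report_response: true` on `/v2/user` means the token owner's profile (the matched `"email":` field among it) is presumably recorded with the finding; if that is intended, a comment on the rule such as `# /v2/user returns the token owner's profile; response body is kept with the finding` would make it explicit. All four examples place the token right after an assignment, which the pattern does not require, so they do not exercise the widest matches the rule accepts.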