eblume/kingfisher
1
0
Fork 0
forked from mirrors/kingfisher
Code Pull requests Activity Actions
1,572 commits 5 branches 83 tags 53 MiB
Commit graph

52 commits

Author SHA1 Message Date
Mick Grove
816a75e3e4 add docker --archive support 2026-05-28 13:54:59 -07:00
Mick Grove
f6e05f0211 preparing for v1.99.0 2026-05-04 13:26:11 -07:00
Mick Grove
30b9eba427 copilot fixes 2026-04-29 22:50:31 -07:00
Mick Grove
997480ffc7 Added first-class **Postman** scanning target: new kingfisher scan postman subcommand (and equivalent --postman-* flags) fetches workspaces, collections, and environments via the Postman API and scans them for hard-coded credentials in request auth blocks, pre-request/test scripts, saved example responses, and — notably — secret-typed environment variables, which the API returns in plaintext despite the UI mask. Selectors: --workspace, --collection, --environment, --all, with optional --include-mocks-monitors and --api-url for self-hosted endpoints. Authenticates via KF_POSTMAN_TOKEN (or POSTMAN_API_KEY) sent as X-Api-Key; honors X-RateLimit-RetryAfter on 429s. Findings link back to https://go.postman.co/... URLs in reports. 2026-04-29 08:12:08 -07:00
Mick Grove
0b89e4b02f added blog posts 2026-04-28 19:21:44 -07:00
Mick Grove
e4cd6dd164 performance improvements and rule improvements 2026-04-17 16:53:21 -07:00
Mick Grove
411aeefa92 updated in response to ossf scorecard 2026-03-27 17:22:21 -07:00
Mick Grove
1c7341f3ac updated in response to ossf scorecard 2026-03-27 15:04:14 -07:00
Mick Grove
f0a3bee587 added --max-validation-response-length <BYTES> 2026-03-16 22:25:32 -07:00
Mick Grove
60931c11a9 added Teams support 2026-03-13 17:39:34 -07:00
Mick Grove
3220ed3a80 Merge branch 'codex/pr-244-mergeable' into development 
* codex/pr-244-mergeable:
  Add Jira comment and changelog scanning
 2026-02-28 11:14:19 -07:00
Mick Grove
719b91301d Add Jira comment and changelog scanning 2026-02-28 11:13:00 -07:00
Mick Grove
0ae4e8445c Updated kingfisher scan to accept Git repository URLs as positional targets (for example kingfisher scan github.com/org/repo or kingfisher scan https://gitlab.com/group/project.git) without requiring --git-url. 2026-02-26 23:14:18 -07:00
Mick Grove
92f43d2e29 added --turbo mode 2026-02-24 12:25:12 -07:00
Mick Grove
aa29ee0e99 added '--fast' mode which sets maximum scan speed. Omits git commit context and will not base64 decode 2026-02-23 22:34:23 -07:00
Mick Grove
5882468177 Added optional validation rate limiting via --validation-rps (global) and repeatable --validation-rps-rule <RULE_SELECTOR=RPS> (per-rule override) for both scan and validate. Throttling now applies across built-in validator types (HTTP/gRPC plus AWS, GCP, Coinbase, MongoDB, Postgres, MySQL, JDBC, JWT, and Azure Storage). Rule selectors support the short form (for example, github=2 matches kingfisher.github.*) with longest-prefix precedence when multiple selectors apply. 2026-02-12 12:33:59 -08:00
Mick Grove
2866367c2e v1.80.0 2026-02-09 12:11:35 -08:00
Mick Grove
5253204c2a preparing for v1.78.0 2026-02-02 23:22:08 -08:00
Mick Grove
7237a931d5 v1.73.0 2026-01-01 22:24:57 -08:00
Mick Grove
195f086afc added dark mode for finding + access map viewer 2025-12-12 17:21:17 -08:00
Mick Grove
f1a77a736c Updated precommit behavior and docs 2025-12-09 12:56:55 -08:00
Mick Grove
078fa16e6a - Reduced per-match memory usage by compacting stored source locations and interning repeated capture names. 
- Stored optional validation response bodies as boxed strings to avoid allocating empty payloads and to streamline validator caches.
- Parallelized git cloning based on the configured job count and begin scanning repositories as soon as each clone finishes to reduce end-to-end scan times.
- Combined per-repository results into a single aggregate summary after scans complete.
- Added initial access-map support and report viewer html file. Currently beta features.
 2025-12-04 22:02:30 -08:00
Mick Grove
eeafe2fe6b updated tests 2025-11-24 11:08:31 -08:00
Mick Grove
f606f59f93 Added an optional exclude_words list to PatternRequirements so matches containing case-insensitive placeholder words are filtered out, with accompanying tests to cover the new behavior. 2025-11-05 17:19:11 -08:00
Mick Grove
7d9d3be132 - Fixed local filesystem scans to keep open_path_as_is enabled when opening Git repositories and only disable it for diff-based scans. 
- Created Linux and Windows specific installer script
- Updated diff-focused scanning so --branch-root-commit can be provided alongside --branch, letting you diff from a chosen commit while targeting a specific branch tip (still defaulting back to the --branch ref when the commit is omitted).
 2025-10-25 17:12:51 -07:00
Mick Grove
03d7364888 - Added first-class Hugging Face scanning support, including CLI enumeration, token authentication, and integration with remote scans. 
- Condensed GitError formatting to report the exit status and the first informative lines from stdout/stderr, producing concise git clone failure logs.
- Added support for scanning Google Cloud Storage buckets via --gcs-bucket, including optional prefixes and service-account authentication.
- Added --skip-aws-account (now accepting comma-separated values) and --skip-aws-account-file to bypass live AWS validation for known canary/honey-token account IDs without triggering alerts. Kingfisher now ships with several canary AWS account IDs pre-seeded in the skip list and now reports matching findings as "Not Attempted" with the "Response" containing "(skip list entry)" so its clear that validation was intentionally skipped and why.
 2025-10-15 22:47:40 -07:00
Mick Grove
3647d759a3 - Added a --no-ignore CLI flag to disable inline directives when you need every potential secret reported 
- Added: repeatable --ignore-comment <TOKEN> flag to reuse inline directives from other scanners (for example NOSONAR,
  kics-scan ignore, gitleaks:allow, etc)
 2025-10-10 16:23:41 -07:00
Mick Grove
92de1ba63d - Added kingfisher:ignore (or kingfisher:allow) to silence a finding inline within a file 
- Added: to reuse existing inline directives from other scanners, pass --compat-ignore-comments to also accept NOSONAR, kics-scan ignore,  gitleaks:allow and trufflehog:ignore
 2025-10-09 20:53:17 -07:00
Mick Grove
1f5b96c8d3 Merge branch 'development' into inline-ignore 
Signed-off-by: Mick Grove <mick.grove@mongodb.com>
 2025-10-09 20:19:02 -07:00
Mick Grove
a003b732fa - Added kingfisher:ignore (or kingfisher:allow) to silence a finding inline within a file 
- Added: to reuse existing inline directives from other scanners, pass --compat-ignore-comments to also accept NOSONAR, kics-scan ignore,  gitleaks:allow and trufflehog:ignore
 2025-10-09 20:11:31 -07:00
Mick Grove
caf766b731 - Added kingfisher:ignore (or kingfisher:allow) to silence a finding inline within a file 
- Added: to reuse existing inline directives from other scanners, pass --compat-ignore-comments to also accept NOSONAR, kics-scan ignore,  gitleaks:allow and trufflehog:ignore
 2025-10-09 17:59:10 -07:00
Mick Grove
ec1d640b74 Added first-class Azure Repos support, including CLI commands, enumeration, and documentation updates 2025-10-04 23:12:28 -07:00
Mick Grove
6a974907ee Added support for Gitea 2025-09-23 13:07:45 -07:00
Mick Grove
5c70fdc8e5 Added support for BitBucket 2025-09-22 18:21:03 -07:00
Mick Grove
19cca00c2b Removed the unused --rlimit-nofile flag 2025-09-18 17:02:56 -07:00
Mick Grove
866bf63202 Added diff-only Git scanning via --since-commit and --branch, including remote-aware ref resolution so CI jobs can pair --git-url clones with pull request branches 2025-09-16 14:20:43 -07:00
Mick Grove
563fa66d46 Added --github-exclude and --gitlab-exclude options to skip specific repositories when scanning or listing GitHub and GitLab sources, including support for gitignore-style glob patterns 2025-09-15 21:26:51 -07:00
Mick Grove
5638a6cb45 Decode Base64 blobs and scan their contents for secrets while skipping short strings for performance. This has a small performance impact and can be disabled with --no-base64 2025-08-30 19:40:11 -07:00
Mick Grove
6e4c94ddc3 - Added '--repo-artifacts' flag to scan repository issues, gists/snippets, and wikis when cloning via '--git-url' 2025-08-20 20:41:11 -07:00
Mick Grove
d3bf941c5f Added '--skip-regex' and '--skip-word' flags to ignore secrets matching custom patterns or skipwords 2025-08-19 19:18:25 -07:00
Mick Grove
14fccc9cc6 - Added support for scanning gitlab subgroups, with 'kingfisher scan --gitlab-group my-group --gitlab-include-subgroups' 2025-08-14 09:25:18 -07:00
Mick Grove
22c5594b53 Added support for scanning Confluence pages 2025-08-10 21:51:31 -07:00
Mick Grove
706723e384 removed unused cli argument, snippet-length 2025-08-10 17:25:32 -07:00
Mick Grove
40e760ea2c -Added support for scanning AWS S3 buckets via --s3-bucket and optional --s3-prefix 
- Added --role-arn and --aws-local-profile flags for S3 authentication alongside KF_AWS_KEY/KF_AWS_SECRET
 2025-08-02 20:40:16 -07:00
Mick Grove
bcf2b60e0b Added support for Slack 2025-07-29 19:00:49 -07:00
Mick Grove
627ef98881 WIP: Adding support for scanning Docker images 2025-07-27 12:20:20 -07:00
Mick Grove
63a757fba8 Added support for scanning issues returned from a JQL search using --jira-url and --jql 2025-07-25 17:23:18 -07:00
Mick Grove
533fc49c54 Removed --ignore-tests argument, because the --exclude flag provides more granular functionality 2025-07-14 16:55:19 -07:00
Mick Grove
3520c5fba5 Added baseline feature with --baseline-file and --manage-baseline flags. Introduced --exclude option for skipping paths 2025-07-14 13:18:24 -07:00
Mick Grove
28af26b23a Introduced flag – skip files/dirs whose path resembles tests (, , , , ), reducing noise. 2025-06-28 09:16:42 -07:00