eblume/kingfisher
1
0
Fork 0
forked from mirrors/kingfisher
Code Pull requests Activity Actions
1,205 commits 5 branches 83 tags 53 MiB
Commit graph

1,205 commits

This branch
This branch
All branches
Author SHA1 Message Date
Mick Grove
1f4ccb8144 Automatically extracts and scans SQLite database contents for secrets stored in table rows 2026-02-22 23:35:18 -07:00
Mick Grove
7845cfa727 being discovered, overlapping I/O with pattern matching. 
- Performance: skip blobs smaller than 20 bytes during enumeration (too small to contain any secret).
- Performance: preserve pack-ascending blob order in the metadata path for better I/O locality when Rayon splits work.
 2026-02-22 22:59:42 -07:00
Mick Grove
8ae2ba1a1e fixed tests 2026-02-19 22:15:14 -08:00
Mick Grove
02538a6ac4 added more access-maps 2026-02-19 20:51:12 -08:00
Mick Grove
05002fe4d6 added more access-maps 2026-02-19 20:39:07 -08:00
Mick Grove
f38df8a953 added more access-maps 2026-02-19 19:36:43 -08:00
Mick Grove
a9c5d8524f added more access-maps 2026-02-19 18:19:20 -08:00
Mick Grove
17bb433227 improved GCP access mapping support 2026-02-19 14:58:10 -08:00
Mick Grove
3b1085baa6 added buildkit and harness to access-map 2026-02-17 22:58:29 -08:00
Mick Grove
32d40c0b53 added pipedrive and amplitude 2026-02-17 16:42:44 -08:00
Mick Grove
51d782a917 Fixes in response to PR review 2026-02-16 09:43:16 -08:00
Mick Grove
0ddf3fc10f Fixes in response to PR review 2026-02-16 07:34:32 -08:00
Mick Grove
8cf09936fc Kingfisher can now generate an auditor-friendly HTML report 2026-02-15 23:50:39 -08:00
Mick Grove
39a4e217e3 Kingfisher can now generate an auditor-friendly HTML report 2026-02-15 14:29:42 -08:00
Mick Grove
470120369b refactored code 2026-02-14 14:08:48 -08:00
Mick Grove
d3e659491d refactored code 2026-02-14 13:12:26 -08:00
Mick Grove
f62bfe103b tree sitter scanning improvements 2026-02-14 11:13:59 -08:00
Mick Grove
7468230f47 html report viewer improvements 2026-02-13 22:36:48 -08:00
Mick Grove
fdf85f09fc html report viewer improvements 2026-02-13 18:35:36 -08:00
Mick Grove
79102a073b html report viewer improvements 2026-02-13 18:19:18 -08:00
Mick Grove
7653acb433 wip 1.83 2026-02-13 17:37:31 -08:00
Mick Grove
816d5c40ba wip 1.83 2026-02-13 16:41:28 -08:00
Mick Grove
a36634c4b4 Fixed CI runner failure when executing tests 2026-02-13 10:04:18 -08:00
Mick Grove
09ed89eec2 Fixed CI runner failure when executing tests 2026-02-13 09:57:44 -08:00
Mick Grove
56827ae342 Fixed CI runner failure when executing tests 2026-02-13 09:39:41 -08:00
Mick Grove
409e1557de Fixed CI runner failure when executing tests 2026-02-13 09:35:04 -08:00
Mick Grove
cfc01eab68 Fixed CI runner failure when executing tests 2026-02-13 09:19:02 -08:00
Mick Grove
0ba79df1f4 Fixed CI runner failure when executing tests 2026-02-13 08:40:04 -08:00
Mick Grove
0c9ca048ea Fixed CI runner failure when executing tests 2026-02-13 07:55:17 -08:00
Mick Grove
1583df7a64 Fixed CI runner failure when executing tests 2026-02-12 21:56:07 -08:00
Mick Grove
dfa4375152 Fixed CI runner failure when executing tests 2026-02-12 21:46:17 -08:00
Mick Grove
20a05a643c Fixed CI runner failure when executing tests 2026-02-12 21:11:50 -08:00
Mick Grove
1a8651ecb0 Fixed CI runner failure when executing tests 2026-02-12 17:26:28 -08:00
Mick Grove
1503b4f661 Fixed CI runner failure when executing tests 2026-02-12 17:25:49 -08:00
Mick Grove
6a9a3b35ed Fixed CI runner failure when executing tests 2026-02-12 17:23:03 -08:00
Mick Grove
e72f40b169 Fixed CI runner failure when executing tests 2026-02-12 16:51:55 -08:00
Mick Grove
dfe6554b1c Fixed CI runner failure when executing tests 2026-02-12 16:07:55 -08:00
Mick Grove
60c72292c7 Added optional validation rate limiting via --validation-rps (global) and repeatable --validation-rps-rule <RULE_SELECTOR=RPS> (per-rule override) for both scan and validate. Throttling now applies across built-in validator types (HTTP/gRPC plus AWS, GCP, Coinbase, MongoDB, Postgres, MySQL, JDBC, JWT, and Azure Storage). Rule selectors support the short form (for example, github=2 matches kingfisher.github.*) with longest-prefix precedence when multiple selectors apply. 2026-02-12 13:15:51 -08:00
Mick Grove
5882468177 Added optional validation rate limiting via --validation-rps (global) and repeatable --validation-rps-rule <RULE_SELECTOR=RPS> (per-rule override) for both scan and validate. Throttling now applies across built-in validator types (HTTP/gRPC plus AWS, GCP, Coinbase, MongoDB, Postgres, MySQL, JDBC, JWT, and Azure Storage). Rule selectors support the short form (for example, github=2 matches kingfisher.github.*) with longest-prefix precedence when multiple selectors apply. 2026-02-12 12:33:59 -08:00
Mick Grove
2d6abb95c9 fixes in response to pr review 2026-02-11 23:44:09 -08:00
Mick Grove
57845eebcd - Added kingfisher.temporal.1 rule for Temporal Cloud API keys (namespace-scoped and user-scoped JWT formats) with Temporal-specific pattern matching. 
- Added Temporal Cloud active credential validation via GET https://saas-api.tmprl.cloud/cloud/current-identity using bearer auth, so Temporal keys validate against provider APIs instead of generic OIDC discovery.
- Fixed JWT issuer normalization to treat bare host issuers (e.g. iss: temporal.io) as HTTPS URLs during discovery, avoiding low-level URL builder failures.
- Added crates/kingfisher-rules/build.rs to ensure embedded rule assets rebuild when files under crates/kingfisher-rules/data change.
 2026-02-11 23:33:35 -08:00
Mick Grove
ec44d9b60b - Added kingfisher.temporal.1 rule for Temporal Cloud API keys (namespace-scoped and user-scoped JWT formats) with Temporal-specific pattern matching. 
- Added Temporal Cloud active credential validation via GET https://saas-api.tmprl.cloud/cloud/current-identity using bearer auth, so Temporal keys validate against provider APIs instead of generic OIDC discovery.
- Fixed JWT issuer normalization to treat bare host issuers (e.g. iss: temporal.io) as HTTPS URLs during discovery, avoiding low-level URL builder failures.
- Added crates/kingfisher-rules/build.rs to ensure embedded rule assets rebuild when files under crates/kingfisher-rules/data change.
 2026-02-11 23:27:05 -08:00
Mick Grove
7dc0955635 - Added Vercel credential rules for new token formats introduced February 2026: vcp_ (personal access), vci_ (integration), vca_ (app access), vcr_ (app refresh), vck_ (AI Gateway API key). All use CRC32/Base62 checksum validation. Legacy 24-char format retained as kingfisher.vercel.1. 
- Added revocation support for Vercel app tokens (vca_, vcr_) via https://api.vercel.com/login/oauth/token/revoke. Requires VERCEL_APP_CLIENT_ID (or NEXT_PUBLIC_VERCEL_APP_CLIENT_ID) and VERCEL_APP_CLIENT_SECRET.
- Fixed validate/revoke command generation to omit regex named captures (e.g., BODY, CHECKSUM) when they are not used by validation/revocation templates, so rules like Vercel no longer produce unnecessary --var BODY=... arguments.
 2026-02-11 16:56:47 -08:00
Mick Grove
4ab5932d57 - Added Vercel credential rules for new token formats introduced February 2026: vcp_ (personal access), vci_ (integration), vca_ (app access), vcr_ (app refresh), vck_ (AI Gateway API key). All use CRC32/Base62 checksum validation. Legacy 24-char format retained as kingfisher.vercel.1. 
- Added revocation support for Vercel app tokens (vca_, vcr_) via https://api.vercel.com/login/oauth/token/revoke. Requires VERCEL_APP_CLIENT_ID (or NEXT_PUBLIC_VERCEL_APP_CLIENT_ID) and VERCEL_APP_CLIENT_SECRET.
- Fixed validate/revoke command generation to omit regex named captures (e.g., BODY, CHECKSUM) when they are not used by validation/revocation templates, so rules like Vercel no longer produce unnecessary --var BODY=... arguments.
 2026-02-11 13:56:17 -08:00
Mick Grove
265e569c60 - Fixed validation flakiness under service rate limiting by retrying HTTP validations on 429/408 in addition to transient 5xx failures. 
- Prevented transient HTTP validation failures (429/5xx) from being cached, avoiding cache poisoning that could suppress later successful validations in the same scan.
 2026-02-11 11:38:24 -08:00
Mick Grove
9a2c742e77 remove __pycache__ dir and updated gitignore 2026-02-11 07:37:57 -08:00
Mick Grove
1779e9e356 remove __pycache__ dir and updated gitignore 2026-02-11 07:37:40 -08:00
Mick Grove
fca2b93a21 remove __pycache__ dir and updated gitignore 2026-02-11 07:32:44 -08:00
Mick Grove
eb493bdef9 remove __pycache__ dir and updated gitignore 2026-02-11 07:32:02 -08:00
Mick Grove
7736100f3a remove __pycache__ dir and updated gitignore 2026-02-11 07:31:44 -08:00