Mick Grove
1f4ccb8144
Automatically extracts and scans SQLite database contents for secrets stored in table rows
2026-02-22 23:35:18 -07:00
Mick Grove
7845cfa727
being discovered, overlapping I/O with pattern matching.
...
- Performance: skip blobs smaller than 20 bytes during enumeration (too small to contain any secret).
- Performance: preserve pack-ascending blob order in the metadata path for better I/O locality when Rayon splits work.
2026-02-22 22:59:42 -07:00
Mick Grove
02538a6ac4
added more access-maps
2026-02-19 20:51:12 -08:00
Mick Grove
05002fe4d6
added more access-maps
2026-02-19 20:39:07 -08:00
Mick Grove
f38df8a953
added more access-maps
2026-02-19 19:36:43 -08:00
Mick Grove
a9c5d8524f
added more access-maps
2026-02-19 18:19:20 -08:00
Mick Grove
17bb433227
improved GCP access mapping support
2026-02-19 14:58:10 -08:00
Mick Grove
3b1085baa6
added buildkit and harness to access-map
2026-02-17 22:58:29 -08:00
Mick Grove
39a4e217e3
Kingfisher can now generate an auditor-friendly HTML report
2026-02-15 14:29:42 -08:00
Mick Grove
d3e659491d
refactored code
2026-02-14 13:12:26 -08:00
Mick Grove
f62bfe103b
tree sitter scanning improvements
2026-02-14 11:13:59 -08:00
Mick Grove
816d5c40ba
wip 1.83
2026-02-13 16:41:28 -08:00
Mick Grove
e72f40b169
Fixed CI runner failure when executing tests
2026-02-12 16:51:55 -08:00
Mick Grove
5882468177
Added optional validation rate limiting via --validation-rps (global) and repeatable --validation-rps-rule <RULE_SELECTOR=RPS> (per-rule override) for both scan and validate. Throttling now applies across built-in validator types (HTTP/gRPC plus AWS, GCP, Coinbase, MongoDB, Postgres, MySQL, JDBC, JWT, and Azure Storage). Rule selectors support the short form (for example, github=2 matches kingfisher.github.*) with longest-prefix precedence when multiple selectors apply.
2026-02-12 12:33:59 -08:00
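The selector precedence described in the commit above (a short selector such as `github=2` covers `kingfisher.github.*`, and the longest matching selector wins when several apply) can be shown with a small std-only Rust example. This is an added illustration, not Kingfisher's own code: the exact matching rules (short form expands to the `kingfisher.<name>` prefix, a selector applies to an exact id or a dot-delimited prefix of it, pacing buckets keyed by rule id) and the `RpsPolicy`/`Throttle` names are this example's assumptions.

```rust
use std::collections::HashMap;
use std::time::Duration;

/// Resolves which validation rate limit (requests per second) applies to a rule id,
/// modelled on the CLI surface in the commit: one optional global value
/// (--validation-rps) plus repeatable SELECTOR=RPS overrides (--validation-rps-rule).
/// The matching rules below are this example's assumptions, not the project's code.
pub struct RpsPolicy {
    global: Option<f64>,
    /// (selector expanded to a full "kingfisher.<name>" prefix, rps)
    overrides: Vec<(String, f64)>,
}

impl RpsPolicy {
    /// Parse `SELECTOR=RPS` entries; short selectors ("github") are expanded to the
    /// full prefix ("kingfisher.github") so that matching is a single code path.
    pub fn parse(global: Option<f64>, rules: &[&str]) -> Result<Self, String> {
        let mut overrides = Vec::new();
        for entry in rules {
            let (sel, rps) = entry
                .split_once('=')
                .ok_or_else(|| format!("expected SELECTOR=RPS, got {entry:?}"))?;
            let rps: f64 = rps.trim().parse().map_err(|_| format!("bad RPS in {entry:?}"))?;
            if !(rps > 0.0) || !rps.is_finite() {
                return Err(format!("RPS must be a positive number in {entry:?}"));
            }
            let sel = sel.trim().trim_end_matches('.');
            if sel.is_empty() {
                return Err(format!("empty selector in {entry:?}"));
            }
            let full = if sel.starts_with("kingfisher.") {
                sel.to_string()
            } else {
                format!("kingfisher.{sel}")
            };
            overrides.push((full, rps));
        }
        Ok(Self { global, overrides })
    }

    /// A selector applies when it equals the rule id or is a dot-delimited prefix of it,
    /// so "kingfisher.github" covers kingfisher.github.1, .2, ... but not kingfisher.githubx.
    fn applies(selector: &str, rule_id: &str) -> bool {
        rule_id == selector
            || (rule_id.starts_with(selector) && rule_id[selector.len()..].starts_with('.'))
    }

    /// Longest matching selector wins; otherwise the global limit (None = unthrottled).
    pub fn rps_for(&self, rule_id: &str) -> Option<f64> {
        self.overrides
            .iter()
            .filter(|(sel, _)| Self::applies(sel, rule_id))
            .max_by_key(|(sel, _)| sel.len())
            .map(|(_, rps)| *rps)
            .or(self.global)
    }
}

/// Per-rule pacing. `now` is the caller's monotonic clock reading, passed in rather than
/// read here so scheduling is deterministic and testable; the caller sleeps for the
/// returned delay before sending. Buckets are keyed by rule id (an assumption).
pub struct Throttle {
    policy: RpsPolicy,
    next_slot: HashMap<String, Duration>,
}

impl Throttle {
    pub fn new(policy: RpsPolicy) -> Self {
        Self { policy, next_slot: HashMap::new() }
    }

    pub fn delay_for(&mut self, rule_id: &str, now: Duration) -> Duration {
        let rps = match self.policy.rps_for(rule_id) {
            Some(rps) => rps,
            None => return Duration::ZERO,
        };
        // Rounded to whole nanoseconds so 1/rps does not accumulate float error per call.
        let interval = Duration::from_nanos((1e9 / rps).round() as u64);
        let slot = self.next_slot.get(rule_id).copied().unwrap_or(Duration::ZERO);
        let send_at = slot.max(now);
        self.next_slot.insert(rule_id.to_string(), send_at + interval);
        send_at - now
    }
}

fn main() {
    let policy = RpsPolicy::parse(Some(10.0), &["github=2", "kingfisher.github.1=5"]).unwrap();
    let mut throttle = Throttle::new(policy);
    let calls = [("kingfisher.github.2", 0), ("kingfisher.github.2", 100), ("kingfisher.slack.1", 100)];
    for (rule, t_ms) in calls {
        let wait = throttle.delay_for(rule, Duration::from_millis(t_ms));
        println!("{rule} at {t_ms} ms: wait {} ms", wait.as_millis());
    }
}
```

With `github=2` and `kingfisher.github.1=5` both given, `kingfisher.github.1` resolves to 5 rps because its selector is longer, while `kingfisher.github.2` falls to the 2 rps family limit and an unrelated rule such as `kingfisher.slack.1` gets the global value.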
Mick Grove
2d6abb95c9
fixes in response to pr review
2026-02-11 23:44:09 -08:00
Mick Grove
7dc0955635
- Added Vercel credential rules for new token formats introduced February 2026: vcp_ (personal access), vci_ (integration), vca_ (app access), vcr_ (app refresh), vck_ (AI Gateway API key). All use CRC32/Base62 checksum validation. Legacy 24-char format retained as kingfisher.vercel.1.
...
- Added revocation support for Vercel app tokens (vca_, vcr_) via https://api.vercel.com/login/oauth/token/revoke . Requires VERCEL_APP_CLIENT_ID (or NEXT_PUBLIC_VERCEL_APP_CLIENT_ID) and VERCEL_APP_CLIENT_SECRET.
- Fixed validate/revoke command generation to omit regex named captures (e.g., BODY, CHECKSUM) when they are not used by validation/revocation templates, so rules like Vercel no longer produce unnecessary --var BODY=... arguments.
2026-02-11 16:56:47 -08:00
Mick Grove
4ab5932d57
- Added Vercel credential rules for new token formats introduced February 2026: vcp_ (personal access), vci_ (integration), vca_ (app access), vcr_ (app refresh), vck_ (AI Gateway API key). All use CRC32/Base62 checksum validation. Legacy 24-char format retained as kingfisher.vercel.1.
...
- Added revocation support for Vercel app tokens (vca_, vcr_) via https://api.vercel.com/login/oauth/token/revoke . Requires VERCEL_APP_CLIENT_ID (or NEXT_PUBLIC_VERCEL_APP_CLIENT_ID) and VERCEL_APP_CLIENT_SECRET.
- Fixed validate/revoke command generation to omit regex named captures (e.g., BODY, CHECKSUM) when they are not used by validation/revocation templates, so rules like Vercel no longer produce unnecessary --var BODY=... arguments.
2026-02-11 13:56:17 -08:00
Mick Grove
265e569c60
- Fixed validation flakiness under service rate limiting by retrying HTTP validations on 429/408 in addition to transient 5xx failures.
...
- Prevented transient HTTP validation failures (429/5xx) from being cached, avoiding cache poisoning that could suppress later successful validations in the same scan.
2026-02-11 11:38:24 -08:00
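The two fixes in the commit above belong together: a 429/408/5xx says nothing about whether the credential is good, so it should be retried, and if retries are exhausted the non-answer must not be cached or it will suppress a later successful validation of the same secret in the same scan. The std-only Rust example below is added here to show that separation; it is not Kingfisher's validator. The `Outcome`/`Validator` names, the injected `send` closure standing in for the HTTP client, the backoff schedule, and the choice to treat other 4xx as a definitive rejection and anything unexpected as transient are this example's assumptions.

```rust
use std::collections::HashMap;

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Outcome {
    Valid,     // service accepted the credential
    Invalid,   // service rejected the credential itself
    Transient, // service could not be asked right now; says nothing about the credential
}

/// Map an HTTP status to an outcome. 429 and 408 are grouped with 5xx as transient,
/// as in the commit above. Which other codes count as a definitive rejection is this
/// example's assumption: other 4xx are treated as Invalid, anything else as Transient,
/// so an unexpected status is never cached as a verdict.
pub fn classify(status: u16) -> Outcome {
    match status {
        200..=299 => Outcome::Valid,
        408 | 429 | 500..=599 => Outcome::Transient,
        400..=499 => Outcome::Invalid,
        _ => Outcome::Transient,
    }
}

/// Exponential backoff in milliseconds for the given retry attempt, capped at 8 s.
pub fn backoff_ms(attempt: u32) -> u64 {
    250u64 * (1u64 << attempt.min(5))
}

/// Validator with a per-scan result cache. `send` issues the real request and returns
/// the HTTP status; here it is injected so the example runs offline.
pub struct Validator<F: FnMut(&str) -> u16> {
    send: F,
    max_attempts: u32,
    cache: HashMap<String, Outcome>,
    pub requests_sent: u32,
}

impl<F: FnMut(&str) -> u16> Validator<F> {
    pub fn new(send: F, max_attempts: u32) -> Self {
        Self { send, max_attempts: max_attempts.max(1), cache: HashMap::new(), requests_sent: 0 }
    }

    /// Retry transient statuses up to `max_attempts`, then cache only Valid/Invalid.
    /// A Transient result is returned to the caller but never stored, so a later
    /// occurrence of the same secret in the scan is re-validated rather than suppressed.
    pub fn validate(&mut self, secret: &str) -> Outcome {
        if let Some(cached) = self.cache.get(secret) {
            return *cached;
        }
        let mut outcome = Outcome::Transient;
        for attempt in 0..self.max_attempts {
            self.requests_sent += 1;
            outcome = classify((self.send)(secret));
            if outcome != Outcome::Transient {
                break;
            }
            // A real implementation sleeps here; the delay is computed but not awaited.
            let _sleep_ms = backoff_ms(attempt);
        }
        if outcome != Outcome::Transient {
            // Keyed by the secret for brevity; a real cache keys on the finding fingerprint.
            self.cache.insert(secret.to_string(), outcome);
        }
        outcome
    }
}

fn main() {
    // Constructed status script: the first secret hits a 429 then succeeds, the second
    // sees three 503s (exhausting retries) and only succeeds when validated again.
    let mut script = std::collections::VecDeque::from(vec![429u16, 200, 503, 503, 503, 200]);
    let mut v = Validator::new(move |_: &str| script.pop_front().unwrap_or(503), 3);
    for secret in ["tok_a", "tok_a", "tok_b", "tok_b"] {
        println!("{secret}: {:?} (requests so far: {})", v.validate(secret), v.requests_sent);
    }
}
```

The `requests_sent` counter makes the caching behaviour visible: the second lookup of `tok_a` costs no request because its Valid verdict was cached, while the second lookup of `tok_b` does send again because the exhausted-retries result was deliberately not cached.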
Mick Grove
4a74e95756
v1.81.0
2026-02-10 19:43:34 -08:00
Mick Grove
e518fb30f2
v1.81.0
2026-02-10 19:24:19 -08:00
Mick Grove
2a8bb9c361
v1.80.0
2026-02-09 12:27:03 -08:00
Mick Grove
2866367c2e
v1.80.0
2026-02-09 12:11:35 -08:00
Mick Grove
ec8761c451
Fix NPM token validation and improve revocation reliability
...
- Switch validation endpoint from /-/npm/v1/user to /-/whoami which
works for all token types regardless of scope/permissions
- Fix revocation token matching: use Regex extractor with Liquid-rendered
prefix ({{ TOKEN | prefix: 8 }}) to locate the correct token in the
list response instead of blindly taking objects[0]
- Add Liquid template rendering support in multi-step revocation
extraction patterns (render_extractor) for dynamic matching
- Add debug logging of HTTP response status and body during revocation
so -v flag shows full API responses for troubleshooting
- Include response body in extraction failure error messages
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-08 15:14:04 -08:00
Mick Grove
77d951da1a
Fixed issues in response to code review
2026-02-06 21:09:51 -08:00
Mick Grove
d3dbb16d66
Fixed issues in response to code review
2026-02-06 21:02:58 -08:00
Mick Grove
1a40fb3bfd
Fixed AWS access key validation to support temporary/session keys (ASIA prefix) in addition to long-lived keys (AKIA prefix).
2026-02-06 17:05:32 -08:00
Mick Grove
363b2ce77d
Added multi-step revocation support. Added revocation support for SendGrid, Netlify, Tailscale, ElevenLabs, Sourcegraph, MongoDB Atlas, Twilio, and NPM using multi-step (lookup ID then delete) pattern.
2026-02-04 22:26:57 -08:00
Mick Grove
65251b7213
more changes for v1.78.0
2026-02-03 09:32:06 -08:00
Mick Grove
5253204c2a
preparing for v1.78.0
2026-02-02 23:22:08 -08:00
Mick Grove
63f1d515ae
preparing for v1.78.0
2026-02-02 18:39:24 -08:00
Mick Grove
32be18bef0
updated alibaba rule
2026-02-01 22:32:00 -08:00
Mick Grove
52f71c4462
updated changelog
2026-01-31 23:14:06 -08:00
Mick Grove
4fd0b74d7d
updated changelog
2026-01-31 23:08:30 -08:00
Mick Grove
c40226e939
added revoke command in output for validated credentials. Exposed in the html findings viewer as well
2026-01-31 22:58:53 -08:00
Mick Grove
a5d9dae9b3
added revoke command in output for validated credentials. Exposed in the html findings viewer as well
2026-01-31 22:52:57 -08:00
Mick Grove
5eb743711b
updated changelog
2026-01-30 08:07:12 -08:00
Mick Grove
aee1050620
ensured more CLI arguments are global
2026-01-30 08:04:15 -08:00
Mick Grove
8be7941333
Added 'revoke' subcommand and support for a new optional 'revocation' structure to the rules. Supporting GitHub and Slack right now.
2026-01-29 12:45:32 -08:00
Mick Grove
1c45efde3e
Refactored into multiple crates. Added the 'validate' subcommand
2026-01-28 22:24:35 -08:00
Mick Grove
bd4cd4c2c2
Refactored into multiple crates. Added the 'validate' subcommand
2026-01-28 10:57:45 -08:00
Mick Grove
76be1df60c
Refactored into multiple crates. Added the 'validate' subcommand
2026-01-28 10:27:24 -08:00
Mick Grove
38a0dd9e26
Switched compression dependencies to pure-Rust bzip2/lzma implementations and pared zip features to avoid C-based codecs for bz2/xz handling.
2026-01-23 10:45:08 -08:00
Mick Grove
216fc1dbdc
Switched compression dependencies to pure-Rust bzip2/lzma implementations and pared zip features to avoid C-based codecs for bz2/xz handling.
2026-01-23 09:52:11 -08:00
Mick Grove
bf4f825c72
Switched compression dependencies to pure-Rust bzip2/lzma implementations and pared zip features to avoid C-based codecs for bz2/xz handling.
2026-01-22 22:02:08 -08:00
Mick Grove
b4feb86f47
- Fixed validation deduplication for rules with nested unnamed captures (e.g. (?<REGEX>...(ABC|DEF)...)) to use the primary capture for grouping, ensuring each unique match triggers a separate validation request.
...
- Added trace-level (-vv) logging for internal validation dedup keys and grouping to aid debugging.
2026-01-21 13:13:43 -08:00
Mick Grove
049294af3d
Skipped per-repository report writes when an output file is specified and emitted a single aggregated report after multi-repository scans to preserve full output content in files.
2026-01-16 12:39:44 -08:00
Mick Grove
caaa31562c
Skipped per-repository report writes when an output file is specified and emitted a single aggregated report after multi-repository scans to preserve full output content in files.
2026-01-16 10:03:59 -08:00
Mick Grove
8c07fb3f3c
- Enhanced Access Map View: added fingerprint display, enabled searching by fingerprint, and implemented bidirectional navigation between Findings and Access Map nodes.
...
- Added Slack Access Map support with granular permissions in the tree view.
2026-01-14 21:45:55 -08:00
Mick Grove
96f585ffa3
Merge pull request #182 from mongodb/main
...
sync with main
2026-01-14 17:20:19 -08:00
Mick Grove
26f41fcf7a
- Enhanced Access Map View: added fingerprint display, enabled searching by fingerprint, and implemented bidirectional navigation between Findings and Access Map nodes.
...
- Added Slack Access Map support with granular permissions in the tree view.
2026-01-14 17:19:02 -08:00