Mick Grove
7dc0955635
- Added Vercel credential rules for new token formats introduced February 2026: vcp_ (personal access), vci_ (integration), vca_ (app access), vcr_ (app refresh), vck_ (AI Gateway API key). All use CRC32/Base62 checksum validation. Legacy 24-char format retained as kingfisher.vercel.1.
...
- Added revocation support for Vercel app tokens (vca_, vcr_) via https://api.vercel.com/login/oauth/token/revoke. Requires VERCEL_APP_CLIENT_ID (or NEXT_PUBLIC_VERCEL_APP_CLIENT_ID) and VERCEL_APP_CLIENT_SECRET.
- Fixed validate/revoke command generation to omit regex named captures (e.g., BODY, CHECKSUM) when they are not used by validation/revocation templates, so rules like Vercel no longer produce unnecessary --var BODY=... arguments.
2026-02-11 16:56:47 -08:00
Mick Grove
4ab5932d57
- Added Vercel credential rules for new token formats introduced February 2026: vcp_ (personal access), vci_ (integration), vca_ (app access), vcr_ (app refresh), vck_ (AI Gateway API key). All use CRC32/Base62 checksum validation. Legacy 24-char format retained as kingfisher.vercel.1.
...
- Added revocation support for Vercel app tokens (vca_, vcr_) via https://api.vercel.com/login/oauth/token/revoke. Requires VERCEL_APP_CLIENT_ID (or NEXT_PUBLIC_VERCEL_APP_CLIENT_ID) and VERCEL_APP_CLIENT_SECRET.
- Fixed validate/revoke command generation to omit regex named captures (e.g., BODY, CHECKSUM) when they are not used by validation/revocation templates, so rules like Vercel no longer produce unnecessary --var BODY=... arguments.
2026-02-11 13:56:17 -08:00
Mick Grove
265e569c60
- Fixed validation flakiness under service rate limiting by retrying HTTP validations on 429/408 in addition to transient 5xx failures.
...
- Prevented transient HTTP validation failures (429/5xx) from being cached, avoiding cache poisoning that could suppress later successful validations in the same scan.
2026-02-11 11:38:24 -08:00
Mick Grove
9a2c742e77
Removed __pycache__ dir and updated .gitignore
2026-02-11 07:37:57 -08:00
Mick Grove
1779e9e356
Removed __pycache__ dir and updated .gitignore
2026-02-11 07:37:40 -08:00
Mick Grove
fca2b93a21
Removed __pycache__ dir and updated .gitignore
2026-02-11 07:32:44 -08:00
Mick Grove
eb493bdef9
Removed __pycache__ dir and updated .gitignore
2026-02-11 07:32:02 -08:00
Mick Grove
7736100f3a
Removed __pycache__ dir and updated .gitignore
2026-02-11 07:31:44 -08:00
Mick Grove
78a92eb56e
Removed __pycache__ dir and updated .gitignore
2026-02-11 07:29:18 -08:00
Mick Grove
4a74e95756
v1.81.0
2026-02-10 19:43:34 -08:00
Mick Grove
e9fa5911a2
v1.81.0
2026-02-10 19:24:59 -08:00
Mick Grove
e518fb30f2
v1.81.0
2026-02-10 19:24:19 -08:00
Mick Grove
2a8bb9c361
v1.80.0
2026-02-09 12:27:03 -08:00
Mick Grove
a24f38fdfd
v1.80.0
2026-02-09 12:19:11 -08:00
Mick Grove
209f7611ef
v1.80.0
2026-02-09 12:14:50 -08:00
Mick Grove
2866367c2e
v1.80.0
2026-02-09 12:11:35 -08:00
Mick Grove
ec8761c451
Fix NPM token validation and improve revocation reliability
...
- Switch validation endpoint from /-/npm/v1/user to /-/whoami which
works for all token types regardless of scope/permissions
- Fix revocation token matching: use Regex extractor with Liquid-rendered
prefix ({{ TOKEN | prefix: 8 }}) to locate the correct token in the
list response instead of blindly taking objects[0]
- Add Liquid template rendering support in multi-step revocation
extraction patterns (render_extractor) for dynamic matching
- Add debug logging of HTTP response status and body during revocation
so -v flag shows full API responses for troubleshooting
- Include response body in extraction failure error messages
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-08 15:14:04 -08:00
Mick Grove
95e9407700
Fixed readme
2026-02-07 09:21:41 -08:00
Mick Grove
ede6e62019
Fixed PyPI GitHub Action
2026-02-07 09:12:50 -08:00
Mick Grove
4c89ee59da
Fixed PyPI GitHub Action
2026-02-07 09:03:57 -08:00
Mick Grove
124b3eb014
Fixed PyPI GitHub Action
2026-02-07 08:58:06 -08:00
Mick Grove
77d951da1a
Fixed issues in response to code review
2026-02-06 21:09:51 -08:00
Mick Grove
d3dbb16d66
Fixed issues in response to code review
2026-02-06 21:02:58 -08:00
Mick Grove
1a40fb3bfd
Fixed AWS access key validation to support temporary/session keys (ASIA prefix) in addition to long-lived keys (AKIA prefix).
2026-02-06 17:05:32 -08:00
Mick Grove
3f0fa7afde
Added multi-step revocation support. Added revocation support for SendGrid, Netlify, Tailscale, ElevenLabs, Sourcegraph, MongoDB Atlas, Twilio, and NPM using multi-step (lookup ID then delete) pattern.
2026-02-05 17:16:49 -08:00
Mick Grove
065641d299
Added multi-step revocation support. Added revocation support for SendGrid, Netlify, Tailscale, ElevenLabs, Sourcegraph, MongoDB Atlas, Twilio, and NPM using multi-step (lookup ID then delete) pattern.
2026-02-04 22:59:21 -08:00
Mick Grove
ce9825429e
Added multi-step revocation support. Added revocation support for SendGrid, Netlify, Tailscale, ElevenLabs, Sourcegraph, MongoDB Atlas, Twilio, and NPM using multi-step (lookup ID then delete) pattern.
2026-02-04 22:58:46 -08:00
Mick Grove
2391c01c36
Added multi-step revocation support. Added revocation support for SendGrid, Netlify, Tailscale, ElevenLabs, Sourcegraph, MongoDB Atlas, Twilio, and NPM using multi-step (lookup ID then delete) pattern.
2026-02-04 22:57:56 -08:00
Mick Grove
363b2ce77d
Added multi-step revocation support. Added revocation support for SendGrid, Netlify, Tailscale, ElevenLabs, Sourcegraph, MongoDB Atlas, Twilio, and NPM using multi-step (lookup ID then delete) pattern.
2026-02-04 22:26:57 -08:00
Mick Grove
1c3ea6cb22
Initial support for distribution via PyPI wheels
2026-02-04 12:43:13 -08:00
Mick Grove
3294b2baf7
Initial support for distribution via PyPI wheels
2026-02-04 12:43:13 -08:00
Mick Grove
54775f0f43
Merge branch 'main' into development
...
Signed-off-by: Mick Grove <mick.grove@mongodb.com>
2026-02-03 09:44:40 -08:00
Mick Grove
9f18e1ead3
more changes for v1.78.0
2026-02-03 09:39:34 -08:00
Mick Grove
9ae6053804
more changes for v1.78.0
2026-02-03 09:37:53 -08:00
Mick Grove
65251b7213
more changes for v1.78.0
2026-02-03 09:32:06 -08:00
Mick Grove
605ff11eee
Merge pull request #214 from bored-engineer/patch-22
...
fix(dockerhub): use username for OAT validation
2026-02-03 08:49:49 -08:00
Mick Grove
f2d2e19ec5
Merge pull request #215 from mongodb/development
...
v1.78.0
2026-02-03 08:49:18 -08:00
Mick Grove
5253204c2a
preparing for v1.78.0
2026-02-02 23:22:08 -08:00
Mick Grove
63f1d515ae
preparing for v1.78.0
2026-02-02 18:39:24 -08:00
Luke Young
9091a520c8
fix(dockerhub): use username for OAT validation
...
Signed-off-by: Luke Young <bored-engineer@users.noreply.github.com>
2026-02-02 16:22:18 -08:00
Mick Grove
2f41d159e2
Merge pull request #213 from mongodb/development
...
v1.77.0
2026-02-02 10:39:34 -08:00
Mick Grove
301c656f38
Fix build issues
2026-02-02 08:17:41 -08:00
Mick Grove
773ec70a35
Merge main into development (resolve conflicts)
2026-02-01 23:13:38 -08:00
Mick Grove
5ceab9662d
Fixes in response to PR review
2026-02-01 22:59:01 -08:00
Mick Grove
91c48ff7f8
Fixes in response to PR review
2026-02-01 22:58:01 -08:00
Mick Grove
32be18bef0
Updated Alibaba rule
2026-02-01 22:32:00 -08:00
Mick Grove
92ca07739a
Updated Alibaba rule
2026-02-01 22:31:52 -08:00
Mick Grove
52f71c4462
updated changelog
2026-01-31 23:14:06 -08:00
Mick Grove
4fd0b74d7d
updated changelog
2026-01-31 23:08:30 -08:00
Mick Grove
c40226e939
Added revoke command in output for validated credentials. Exposed in the HTML findings viewer as well.
2026-01-31 22:58:53 -08:00