eblume/kingfisher
1
0
Fork 0
forked from mirrors/kingfisher
Code Pull requests Activity Actions
1,507 commits 5 branches 83 tags 53 MiB
Commit graph

1,507 commits

This branch
This branch
All branches
Author SHA1 Message Date
Mick Grove
b2287c99ee --self-update (alias --update) on a scan or other command now **re-execs into the freshly installed binary** so the current invocation completes with the new code and the latest detection rules. Previously the on-disk binary was replaced but the running process kept using the old in-memory version, requiring a second invocation to pick up the changes. On Unix this is a true exec() (same PID); on Windows the new binary is spawned and the parent exits with its status code. The explicit kingfisher self-update subcommand still updates and exits without re-execing. Self-update now also covers Windows arm64 (the asset was already published; the runtime cfg map gained the missing arm). See docs/ADVANCED.md → *Update Checks*. 2026-05-01 20:14:27 -07:00
Mick Grove
1619737e2c improved access map viewer 2026-04-30 18:11:10 -07:00
Mick Grove
20e08105cf improved github organization scanning 2026-04-30 16:40:43 -07:00
Mick Grove
632bb0113d copilot fixes 2026-04-30 12:07:15 -07:00
Mick Grove
87f6bd818f copilot fixes 2026-04-30 11:40:22 -07:00
Mick Grove
b89c952043 copilot fixes 2026-04-30 11:28:45 -07:00
Mick Grove
cceab35ec1 copilot fixes 2026-04-30 10:56:35 -07:00
Mick Grove
90737f098c copilot fixes 2026-04-30 09:29:23 -07:00
Mick Grove
b7b6dfdeb2 copilot fixes 2026-04-30 09:02:49 -07:00
Mick Grove
06f72ec9f0 copilot fixes 2026-04-30 08:38:14 -07:00
Mick Grove
2c08659563 copilot fixes 2026-04-30 00:32:49 -07:00
Mick Grove
c94bd89195 copilot fixes 2026-04-29 23:42:33 -07:00
Mick Grove
327342a1bb copilot fixes 2026-04-29 23:16:21 -07:00
Mick Grove
30b9eba427 copilot fixes 2026-04-29 22:50:31 -07:00
Mick Grove
ab93d4d242 Revert msys2/setup-msys2 to v2.31.0 
v2.31.1 fails to verify MSYS2 package database PGP signatures on
GitHub-hosted Windows runners ("signature from Christoph Reiter
... is unknown trust" for clangarm64/mingw32/mingw64/ucrt64/clang64/msys),
which breaks the Windows ARM64 (and x64) jobs at the pacman -Syuu step.
Pinning back to v2.31.0 until upstream ships a fix.
 2026-04-29 12:57:56 -07:00
Mick Grove
1337588c7b Added first-class **Postman** scanning target: new kingfisher scan postman subcommand (and equivalent --postman-* flags) fetches workspaces, collections, and environments via the Postman API and scans them for hard-coded credentials in request auth blocks, pre-request/test scripts, saved example responses, and — notably — secret-typed environment variables, which the API returns in plaintext despite the UI mask. Selectors: --workspace, --collection, --environment, --all, with optional --include-mocks-monitors and --api-url for self-hosted endpoints. Authenticates via KF_POSTMAN_TOKEN (or POSTMAN_API_KEY) sent as X-Api-Key; honors X-RateLimit-RetryAfter on 429s. Findings link back to https://go.postman.co/... URLs in reports. 2026-04-29 11:46:17 -07:00
Mick Grove
c387ac08d2 Added first-class **Postman** scanning target: new kingfisher scan postman subcommand (and equivalent --postman-* flags) fetches workspaces, collections, and environments via the Postman API and scans them for hard-coded credentials in request auth blocks, pre-request/test scripts, saved example responses, and — notably — secret-typed environment variables, which the API returns in plaintext despite the UI mask. Selectors: --workspace, --collection, --environment, --all, with optional --include-mocks-monitors and --api-url for self-hosted endpoints. Authenticates via KF_POSTMAN_TOKEN (or POSTMAN_API_KEY) sent as X-Api-Key; honors X-RateLimit-RetryAfter on 429s. Findings link back to https://go.postman.co/... URLs in reports. 2026-04-29 11:09:47 -07:00
Mick Grove
8d9f5bed40 Added first-class **Postman** scanning target: new kingfisher scan postman subcommand (and equivalent --postman-* flags) fetches workspaces, collections, and environments via the Postman API and scans them for hard-coded credentials in request auth blocks, pre-request/test scripts, saved example responses, and — notably — secret-typed environment variables, which the API returns in plaintext despite the UI mask. Selectors: --workspace, --collection, --environment, --all, with optional --include-mocks-monitors and --api-url for self-hosted endpoints. Authenticates via KF_POSTMAN_TOKEN (or POSTMAN_API_KEY) sent as X-Api-Key; honors X-RateLimit-RetryAfter on 429s. Findings link back to https://go.postman.co/... URLs in reports. 2026-04-29 08:58:11 -07:00
Mick Grove
997480ffc7 Added first-class **Postman** scanning target: new kingfisher scan postman subcommand (and equivalent --postman-* flags) fetches workspaces, collections, and environments via the Postman API and scans them for hard-coded credentials in request auth blocks, pre-request/test scripts, saved example responses, and — notably — secret-typed environment variables, which the API returns in plaintext despite the UI mask. Selectors: --workspace, --collection, --environment, --all, with optional --include-mocks-monitors and --api-url for self-hosted endpoints. Authenticates via KF_POSTMAN_TOKEN (or POSTMAN_API_KEY) sent as X-Api-Key; honors X-RateLimit-RetryAfter on 429s. Findings link back to https://go.postman.co/... URLs in reports. 2026-04-29 08:12:08 -07:00
Mick Grove
0b89e4b02f added blog posts 2026-04-28 19:21:44 -07:00
Mick Grove
bf6c7da4a4 added blog posts 2026-04-28 15:28:48 -07:00
Mick Grove
cafa97f8d1 Updated rule 2026-04-27 14:26:07 -07:00
Mick Grove
19dafa42ea Added provider endpoint overrides for validation and revocation via global --endpoint PROVIDER=URL and --endpoint-config FILE, with built-in support for self-hosted GitHub, GitLab, Gitea, Jira, Confluence, and Artifactory instances. 2026-04-27 13:20:16 -07:00
Mick Grove
5465d903cf added kingfisher.github.9 to detect the new ~520-character stateless GitHub App installation token format (ghs_<APP_ID>_<JWT>). The legacy 36-character ghs_ rule 2026-04-26 16:56:44 -07:00
Mick Grove
2320a7ff72 performance improvements and rule improvements 2026-04-24 13:51:23 -07:00
Mick Grove
c73a44fbf9 performance improvements and rule improvements 2026-04-24 12:02:27 -07:00
Mick Grove
ceff3ab1c5 performance improvements and rule improvements 2026-04-24 00:23:50 -07:00
Mick Grove
a4e8117c8e performance improvements and rule improvements 2026-04-24 00:14:56 -07:00
Mick Grove
cb4951c62c performance improvements and rule improvements 2026-04-23 17:25:07 -07:00
Mick Grove
6cb404bdcd cargo update 2026-04-23 17:13:18 -07:00
Mick Grove
69fb4352f7 cargo update 2026-04-23 16:57:51 -07:00
Mick Grove
eb339505f6 performance improvements and rule improvements 2026-04-23 16:54:21 -07:00
Mick Grove
ea19a827a0 performance improvements and rule improvements 2026-04-23 14:45:35 -07:00
Mick Grove
d8e0a41fe8 performance improvements and rule improvements 2026-04-23 14:42:10 -07:00
Mick Grove
7ee1fd5163 performance improvements and rule improvements 2026-04-22 23:39:19 -07:00
Mick Grove
30fcc49d92 performance improvements and rule improvements 2026-04-22 21:44:09 -07:00
Mick Grove
88e8604dc5 performance improvements and rule improvements 2026-04-22 20:41:44 -07:00
Mick Grove
2ef065abf9 performance improvements and rule improvements 2026-04-21 16:54:01 -07:00
Mick Grove
3645db2214 performance improvements and rule improvements 2026-04-21 16:44:49 -07:00
Mick Grove
d19893dd6f performance improvements and rule improvements 2026-04-21 16:08:14 -07:00
Mick Grove
0afd39416c performance improvements and rule improvements 2026-04-21 14:52:03 -07:00
Mick Grove
bc65ce9d5b performance improvements and rule improvements 2026-04-21 14:32:32 -07:00
Mick Grove
b213e706c1 performance improvements and rule improvements 2026-04-21 14:08:50 -07:00
Mick Grove
79139e49b8 - Fixed the HTML access-map viewer dark mode so charts redraw correctly on theme changes and follow the system color scheme until manually overridden. 
- Fixed [#344](https://github.com/mongodb/kingfisher/issues/344): baseline fingerprints no longer have to be hexadecimal. The fingerprint value emitted by scan output (JSON, JSONL, pretty, SARIF) can now be copied directly into a baseline file and will match on the next scan. --manage-baseline now writes fingerprints in decimal to match scan output, and legacy 16-char hex (and 0x-prefixed hex) entries continue to be accepted, so existing baseline files keep working unchanged.
 2026-04-20 17:54:51 -07:00
Mick Grove
ab162741e8 performance improvements and rule improvements 2026-04-20 09:55:27 -07:00
Mick Grove
756baee053
 		Merge pull request #342 from bored-engineer/patch-23 2026-04-20 09:49:19 -07:00
Mick Grove
f22b7768e9 fix(github): address PR review feedback 
- Update X-GitHub-Api-Version to 2026-03-10 for /credentials/revoke
  endpoint (the endpoint is only documented under this API version).
- Clarify sha256_b32 filter description: note that the optional `len`
  parameter may produce output that is not valid RFC 4648 Base32.
- Move base32 to [workspace.dependencies] and reference it via
  .workspace = true from both the root crate and kingfisher-rules
  to avoid version skew.
 2026-04-20 08:44:41 -07:00
Mick Grove
9d7e31980c performance improvements and rule improvements 2026-04-19 22:38:39 -07:00
Mick Grove
745b32011d performance improvements and rule improvements 2026-04-19 22:04:10 -07:00
Mick Grove
2ca40c1ad8 performance improvements and rule improvements 2026-04-19 20:04:28 -07:00