Mick Grove
12730bb609
Added checksum comparisons to pattern_requirements, new suffix, crc32, and base62 Liquid filters, and verbose logging so mismatched checksums are skipped with context rather than reported as findings.
2025-11-07 16:31:24 -08:00
Mick Grove
bc21307ed2
Fixed bug in test when run on Windows
2025-10-23 22:04:01 -07:00
Mick Grove
8aced005b8
- Added first-class Hugging Face scanning support, including CLI enumeration, token authentication, and integration with remote scans.
...
- Condensed GitError formatting to report the exit status and the first informative lines from stdout/stderr, producing concise git clone failure logs.
- Added support for scanning Google Cloud Storage buckets via --gcs-bucket, including optional prefixes and service-account authentication.
- Added --skip-aws-account (now accepting comma-separated values) and --skip-aws-account-file to bypass live AWS validation for known canary/honey-token account IDs without triggering alerts. Kingfisher now ships with several canary AWS account IDs pre-seeded in the skip list and now reports matching findings as "Not Attempted" with the "Response" containing "(skip list entry)" so it's clear that validation was intentionally skipped and why.
2025-10-15 22:47:40 -07:00
Mick Grove
7b193f89a7
- Enabled MongoDB URI validation
...
- AWS + GCP validators now respect HTTPS_PROXY and share a consistent user agent across AWS, GCP, and HTTP validation
2025-09-09 22:35:17 -07:00
Mick Grove
611f19fd74
- Enabled MongoDB URI validation
...
- AWS + GCP validators now respect HTTPS_PROXY and share a consistent user agent across AWS, GCP, and HTTP validation
2025-09-09 16:45:02 -07:00
Mick Grove
9dd8487d54
preparing for v1.48.0
2025-09-05 09:31:52 -07:00
Mick Grove
ac34f35f61
Optimized memory usage via string interning and extensive data sharing
2025-09-02 19:54:44 -07:00
Mick Grove
2a85f66e4a
fix windows x64 builds
2025-08-31 17:26:30 -07:00
Mick Grove
3bed8b36f2
Fix changes in response to code review
2025-08-30 20:07:31 -07:00
Mick Grove
aa2c3ba0cc
Decode Base64 blobs and scan their contents for secrets while skipping short strings for performance. This has a small performance impact and can be disabled with --no-base64
2025-08-30 19:40:22 -07:00
Mick Grove
984231e25c
Decode Base64 blobs and scan their contents for secrets while skipping short strings for performance
2025-08-30 16:44:55 -07:00
Mick Grove
b2b5791190
- Improved rules: github oauth2, diffbot, mailchimp, aws
...
- Added validation to SauceLabs rule
- Added rules: shodan, bitly, flickr
2025-08-29 17:24:26 -07:00
Mick Grove
332f2c59f9
added top level 'self-update' cli sub command to update the binary independently. Now supports updating over homebrew managed binary
2025-08-27 15:35:01 -07:00
Mick Grove
910196d11d
fixed failing tests
2025-08-21 16:10:52 -07:00
Mick Grove
245fb20670
- Added '--repo-artifacts' flag to scan repository issues, gists/snippets, and wikis when cloning via '--git-url'
...
- Added rules for sendbird, mattermost, langchain, notion
- JWT validation hardened to reject alg:none by default (only allowed if explicitly configured), require iss for OIDC/JWKS verification, ensuring Active Credential means cryptographically verified and time-valid, not just unexpired
- Updated the Git cloning logic to include all refs and minimize clone output, allowing Kingfisher to analyze pull request and deleted branch history
2025-08-21 15:39:04 -07:00
Mick Grove
a912043eb9
changes in response to code review
2025-08-07 18:45:46 -07:00
Mick Grove
0bdd68c900
JWT tokens without both 'iss' and 'aud' are no longer reported as active credentials
2025-08-07 18:30:40 -07:00
Mick Grove
b71fb5e6e2
JWT tokens without both 'iss' and 'aud' are no longer reported as active credentials
2025-08-07 17:21:16 -07:00
Mick Grove
664cfd0e5c
- Fixed header precedence so custom HTTP validation headers like "Accept" are preserved
...
- Added new Heroku rule
2025-08-04 19:32:19 -07:00
Mick Grove
8a74eba160
- New rules: Telegram bot token, OpenWeatherMap, Apify
...
- New OpenAI detectors added (@joshlarsen)
- Fixed bug that broke validation when using unnamed group captures
2025-08-01 16:56:04 -07:00
Mick Grove
0ef4144710
Fixed validation caching for HTTP validators to include rendered headers so inactive secrets no longer appear active, in some cases. Removed pre-commit installation hook, due to bugs
2025-08-01 09:18:29 -07:00
Mick Grove
97135c01fd
Fixed validation caching for HTTP validators to include rendered headers so inactive secrets no longer appear active, in some cases
2025-08-01 09:15:24 -07:00
Mick Grove
f0a99dcfcd
bug fixes in response to code review. Also added support for ed25519 coinbase cdp api keys
2025-07-31 18:29:21 -07:00
Mick Grove
51bc64339c
- Fixed issue when more than 1 named capture group is used in a rule variable
...
- Added 2 new liquid template filters: 'b64dec' and 'es256_sign'
- Added custom validator for Coinbase, and a Coinbase rule that uses it
2025-07-31 16:52:50 -07:00
Mick Grove
793b9e847c
Fixed GitLab support. Added pre-commit and pre-receive installation scripts.
2025-07-23 19:57:33 -07:00
Mick Grove
8f587f62de
Updating GitHub Action to generate Docker image. Added rules for Diffbot, ai21, baseten. Fixed supabase rule. Added 'alg' to JWT validation output
2025-07-18 15:26:18 -07:00
Mick Grove
572d8146e7
upgraded cargo dependencies
2025-07-17 14:31:09 -07:00
Mick Grove
352d8ff659
change that hoists the redirect-free reqwest::Client into a single, lazily-initialized static so every call to validate_jwt re-uses the same handle (and therefore the same connection-pool, DNS cache, TLS session cache, etc.)
2025-07-14 17:22:51 -07:00
Mick Grove
ee6332a78d
change that hoists the redirect-free reqwest::Client into a single, lazily-initialized static so every call to validate_jwt re-uses the same handle (and therefore the same connection-pool, DNS cache, TLS session cache, etc.)
2025-07-14 17:22:37 -07:00
Mick Grove
93f1e3b1da
JWT validation performs OpenID Connect discovery using the iss claim and verifies signatures via JWKS
2025-07-14 15:31:44 -07:00
Mick Grove
b2a4263669
Added PR review suggestions
2025-07-09 16:00:54 -07:00
Mick Grove
dcb2191fe8
Added validation for Alibaba rule
2025-07-09 15:03:07 -07:00
Mick Grove
cd4f626502
Added support for HTTP request bodies in rule validation. Added mistral and perplexity rule
2025-07-08 17:49:12 -07:00
Mick Grove
28af26b23a
Introduced flag – skip files/dirs whose path resembles tests (, , , , ), reducing noise.
2025-06-28 09:16:42 -07:00
Mick Grove
87d2a83e3e
Fix: HTML detection now requires both HTML content-type and html tag, fixing webhook false negatives
2025-06-27 15:28:34 -07:00
Mick Grove
fc4aee9e41
preparing for v1.12
2025-06-24 17:17:16 -07:00