eblume/kingfisher
1
0
Fork 0
forked from mirrors/kingfisher
Code Pull requests Activity Actions
1,225 commits 5 branches 83 tags 53 MiB
Commit graph

126 commits

Author SHA1 Message Date
Mick Grove
51d782a917 Fixes in response to PR review 2026-02-16 09:43:16 -08:00
Mick Grove
0ddf3fc10f Fixes in response to PR review 2026-02-16 07:34:32 -08:00
Mick Grove
39a4e217e3 Kingfisher can now generate an auditor-friendly HTML report 2026-02-15 14:29:42 -08:00
Mick Grove
470120369b refactored code 2026-02-14 14:08:48 -08:00
Mick Grove
5882468177 Added optional validation rate limiting via --validation-rps (global) and repeatable --validation-rps-rule <RULE_SELECTOR=RPS> (per-rule override) for both scan and validate. Throttling now applies across built-in validator types (HTTP/gRPC plus AWS, GCP, Coinbase, MongoDB, Postgres, MySQL, JDBC, JWT, and Azure Storage). Rule selectors support the short form (for example, github=2 matches kingfisher.github.*) with longest-prefix precedence when multiple selectors apply. 2026-02-12 12:33:59 -08:00
Mick Grove
2866367c2e v1.80.0 2026-02-09 12:11:35 -08:00
Mick Grove
9ae6053804 more changes for v1.78.0 2026-02-03 09:37:53 -08:00
Mick Grove
5253204c2a preparing for v1.78.0 2026-02-02 23:22:08 -08:00
Mick Grove
301c656f38 Fix build issues 2026-02-02 08:17:41 -08:00
Mick Grove
8be7941333 Added 'revoke' subcommand and support for a new optional 'revocation' structure to the rules. Supporting GitHub and Slack right now 2026-01-29 12:45:32 -08:00
Mick Grove
7237a931d5 v1.73.0 2026-01-01 22:24:57 -08:00
Mick Grove
61986c469c updated ci build 2025-12-22 09:04:36 -08:00
Mick Grove
587dfc5892 - Fixed deduplication for dependency-provider rules so dependent validations run per blob 
- Updated Artifactory rule entropy and added new artifactory rule
 2025-12-21 22:07:45 -08:00
Mick Grove
2ec6aa5915 fixing test failures 2025-12-16 23:51:22 -08:00
Mick Grove
14d41d560f updated README 2025-12-16 21:13:00 -08:00
Mick Grove
c3123ecbdb fixed test 2025-12-13 13:32:38 -08:00
Mick Grove
962f3ad9ba bug fix 2025-12-12 21:30:51 -08:00
Mick Grove
195f086afc added dark mode for finding + access map viewer 2025-12-12 17:21:17 -08:00
Mick Grove
f1a77a736c Updated precommit behavior and docs 2025-12-09 12:56:55 -08:00
Mick Grove
1f9d692e9f Updated dockerfile to fix failing docker image publishing 2025-12-05 12:44:38 -08:00
Mick Grove
078fa16e6a - Reduced per-match memory usage by compacting stored source locations and interning repeated capture names. 
- Stored optional validation response bodies as boxed strings to avoid allocating empty payloads and to streamline validator caches.
- Parallelized git cloning based on the configured job count and begin scanning repositories as soon as each clone finishes to reduce end-to-end scan times.
- Combined per-repository results into a single aggregate summary after scans complete.
- Added initial access-map support and report viewer html file. Currently beta features.
 2025-12-04 22:02:30 -08:00
Mick Grove
eeafe2fe6b updated tests 2025-11-24 11:08:31 -08:00
Mick Grove
0acaaa0680 Updated Summary to include scan date, kingfisher version ran, and latest kingfisher version available 2025-11-24 10:36:58 -08:00
Mick Grove
ec1e3a3432 - Fixed deduplication to consider rule identifiers so overlapping patterns are not merged before validation 
- Moved 'URI with Username and Secret' to a low-confidence rule
 2025-11-23 11:32:27 -08:00
Mick Grove
42797b747d v1.65.0 2025-11-16 23:30:14 -08:00
Mick Grove
c6b10f0b47 - Skip reporting MongoDB and Postgres findings when their connection strings cannot be parsed, even when validation is disabled. 
- Improve MySQL detection by broadening URI coverage and adding live validation that skips clearly invalid connection strings.
 2025-11-16 23:25:42 -08:00
Mick Grove
f9d75eaadd - Skip reporting MongoDB and Postgres findings when their connection strings cannot be parsed, even when validation is disabled. 
- Improve MySQL detection by broadening URI coverage and adding live validation that skips clearly invalid connection strings.
 2025-11-15 08:11:25 -08:00
Mick Grove
debf3beb8e Fixed broken tests 2025-11-13 15:22:48 -08:00
Mick Grove
2ed94f75d7 added jdbc rule and validator 2025-11-12 22:25:33 -08:00
Mick Grove
d6c1dfc9d0 updated allocator 2025-11-11 13:24:06 -08:00
Mick Grove
dca955a95c v1.63.0 2025-11-10 18:47:51 -08:00
Mick Grove
4efdcc35e1 updated confluent rule with a checksum. Added zuplo rule with a checksum 2025-11-09 08:42:16 -08:00
Mick Grove
8aac161603 fixing rules 2025-11-08 10:48:00 -08:00
Mick Grove
f606f59f93 Added an optional exclude_words list to PatternRequirements so matches containing case-insensitive placeholder words are filtered out, with accompanying tests to cover the new behavior. 2025-11-05 17:19:11 -08:00
Mick Grove
6a5a62a5b5 Added an optional exclude_words list to PatternRequirements so matches containing case-insensitive placeholder words are filtered out, with accompanying tests to cover the new behavior. 2025-11-04 13:07:24 -08:00
Mick Grove
a3e426e6ee Automatically set --no-dedup whenever --manage-baseline is supplied so baseline management retains every occurrence of a finding 2025-11-04 14:06:35 -05:00
Mick Grove
0f953f59a5 pattern_requirements for rules — Post-regex character-class gating to cut false positives without lookarounds. Authors can now require minimum counts of digits, uppercase, lowercase, and special characters, with an optional custom special-char set. 
Why: Hyperscan doesn’t support lookaheads/behinds, so many “must contain X and Y” checks had to be baked into the regex (hurting readability) or were impossible. pattern_requirements applies lightweight, in-memory checks after a match is found, keeping patterns fast and clean.
 2025-11-04 13:55:31 -05:00
Mick Grove
ca3f175427 updated for v1.61.0 2025-10-30 22:50:41 -07:00
Mick Grove
36a06c5a5c updated smoke_branch tests 2025-10-26 00:13:40 -07:00
Mick Grove
bd83568644 updated smoke_branch tests 2025-10-26 00:13:31 -07:00
Mick Grove
2e5fcf1c15 - Fixed local filesystem scans to keep open_path_as_is enabled when opening Git repositories and only disable it for diff-based scans. 
- Created Linux and Windows specific installer script
- Updated diff-focused scanning so --branch-root-commit can be provided alongside --branch, letting you diff from a chosen commit while targeting a specific branch tip (still defaulting back to the --branch ref when the commit is omitted).
 2025-10-25 17:25:29 -07:00
Mick Grove
7d9d3be132 - Fixed local filesystem scans to keep open_path_as_is enabled when opening Git repositories and only disable it for diff-based scans. 
- Created Linux and Windows specific installer script
- Updated diff-focused scanning so --branch-root-commit can be provided alongside --branch, letting you diff from a chosen commit while targeting a specific branch tip (still defaulting back to the --branch ref when the commit is omitted).
 2025-10-25 17:12:51 -07:00
Mick Grove
ea1bd2a022 Fixed bug in test when run on Windows 2025-10-23 21:28:37 -07:00
Mick Grove
8fda3eaa3b Fixed bug in test when run on Windows 2025-10-23 21:04:26 -07:00
Mick Grove
b50ef4172c added tests for --branch and --since-commit feature 2025-10-23 17:37:40 -07:00
Mick Grove
0ec8ebd59b added tests for --branch and --since-commit feature 2025-10-23 17:27:40 -07:00
Mick Grove
88bc02c91a added tests for --branch and --since-commit feature 2025-10-23 17:02:51 -07:00
Mick Grove
9f91cbdab6 added tests for --branch and --since-commit feature 2025-10-23 17:02:31 -07:00
Mick Grove
98333a4bda updated anthropic rule 2025-10-23 15:02:30 -07:00
Mick Grove
03d7364888 - Added first-class Hugging Face scanning support, including CLI enumeration, token authentication, and integration with remote scans. 
- Condensed GitError formatting to report the exit status and the first informative lines from stdout/stderr, producing concise git clone failure logs.
- Added support for scanning Google Cloud Storage buckets via --gcs-bucket, including optional prefixes and service-account authentication.
- Added --skip-aws-account (now accepting comma-separated values) and --skip-aws-account-file to bypass live AWS validation for known canary/honey-token account IDs without triggering alerts. Kingfisher now ships with several canary AWS account IDs pre-seeded in the skip list and now reports matching findings as "Not Attempted" with the "Response" containing "(skip list entry)" so its clear that validation was intentionally skipped and why.
 2025-10-15 22:47:40 -07:00