eblume/kingfisher
1
0
Fork 0
forked from mirrors/kingfisher
Code Pull requests Activity Actions
1,531 commits 5 branches 83 tags 53 MiB
Commit graph

152 commits

Author SHA1 Message Date
Mick Grove
b58eed2696 preparing for v1.100.0 2026-05-18 15:19:11 -07:00
Mick Grove
514832b533 preparing for v1.100.0 2026-05-18 14:13:30 -07:00
Mick Grove
54d9fc7ecd preparing for v1.100.0 2026-05-18 13:03:16 -07:00
Mick Grove
31663b03b5 Release binary trimmed from 34 MB to 26 MB (~24% smaller). Switched jsonwebtoken to its rust_crypto backend (eliminates our scanner's pull on aws-lc-rs), bumped workspace hmac 0.12→0.13, sha1 0.10→0.11, sha2 0.10→0.11 to deduplicate our internal crypto code with the AWS sigv4 side, and migrated affected call sites in kingfisher-core, kingfisher-rules, and kingfisher-scanner to the digest-0.11 API (hex::encode for hex digests, explicit KeyInit import for HMAC). 2026-05-07 13:46:17 -07:00
Mick Grove
34b5c48888 - Archive scanning now reaches inside Android/iOS app packages: added apk, aab, and ipa to the recognized ZIP-based archive formats so secrets embedded in APK/AAB/IPA contents (e.g. classes*.dex, res/values/strings.xml) are extracted and matched. -- 
- Git repository scans now extract archive blobs encountered in the object database, not just on the filesystem. Previously a .zip/.jar/.apk/.tar.gz committed to a repo was scanned as raw compressed bytes, so secrets inside it were invisible. The git enumerator fans each archive entry out as a synthetic blob with the original commit metadata. Honors --no-extract-archives for opt-out.
- Performance: ZIP-based git blobs ≤ 64 MB extract entirely in memory (no temp-file round trip), beating the v1.99.0 baseline by ~15% on a 80 GiB monorepo despite scanning ~300K additional archive-content blobs. Larger archives auto-fall-back to a disk-streaming extractor.
- Memory safety: hard caps on archive extraction — 64 MB compressed pre-flight, 256 MB aggregate decompressed per archive (in-memory and disk paths), 512 MB per entry, plus a PK\x03\x04 magic-byte gate. Worst-case footprint is bounded at ~num_jobs * 320 MB.
 2026-05-06 17:50:35 -07:00
Mick Grove
20e08105cf improved github organization scanning 2026-04-30 16:40:43 -07:00
Mick Grove
c387ac08d2 Added first-class **Postman** scanning target: new kingfisher scan postman subcommand (and equivalent --postman-* flags) fetches workspaces, collections, and environments via the Postman API and scans them for hard-coded credentials in request auth blocks, pre-request/test scripts, saved example responses, and — notably — secret-typed environment variables, which the API returns in plaintext despite the UI mask. Selectors: --workspace, --collection, --environment, --all, with optional --include-mocks-monitors and --api-url for self-hosted endpoints. Authenticates via KF_POSTMAN_TOKEN (or POSTMAN_API_KEY) sent as X-Api-Key; honors X-RateLimit-RetryAfter on 429s. Findings link back to https://go.postman.co/... URLs in reports. 2026-04-29 11:09:47 -07:00
Mick Grove
5465d903cf added kingfisher.github.9 to detect the new ~520-character stateless GitHub App installation token format (ghs_<APP_ID>_<JWT>). The legacy 36-character ghs_ rule 2026-04-26 16:56:44 -07:00
Mick Grove
79139e49b8 - Fixed the HTML access-map viewer dark mode so charts redraw correctly on theme changes and follow the system color scheme until manually overridden. 
- Fixed [#344](https://github.com/mongodb/kingfisher/issues/344): baseline fingerprints no longer have to be hexadecimal. The fingerprint value emitted by scan output (JSON, JSONL, pretty, SARIF) can now be copied directly into a baseline file and will match on the next scan. --manage-baseline now writes fingerprints in decimal to match scan output, and legacy 16-char hex (and 0x-prefixed hex) entries continue to be accepted, so existing baseline files keep working unchanged.
 2026-04-20 17:54:51 -07:00
Mick Grove
ab162741e8 performance improvements and rule improvements 2026-04-20 09:55:27 -07:00
Mick Grove
f22b7768e9 fix(github): address PR review feedback 
- Update X-GitHub-Api-Version to 2026-03-10 for /credentials/revoke
  endpoint (the endpoint is only documented under this API version).
- Clarify sha256_b32 filter description: note that the optional `len`
  parameter may produce output that is not valid RFC 4648 Base32.
- Move base32 to [workspace.dependencies] and reference it via
  .workspace = true from both the root crate and kingfisher-rules
  to avoid version skew.
 2026-04-20 08:44:41 -07:00
Mick Grove
a13b175fc5 performance improvements and rule improvements 2026-04-19 14:50:11 -07:00
Mick Grove
74cad26aed performance improvements and rule improvements 2026-04-17 11:01:46 -07:00
Mick Grove
c89e527053 bug fix 2026-04-16 06:44:12 -07:00
Mick Grove
5411a52211 updated to rust 1.94 2026-04-14 14:20:28 -07:00
Mick Grove
d2008dc3b7 cleaned up dependency tree 2026-04-13 20:43:09 -07:00
Mick Grove
0cb854872b Replaced tree-sitter with a lighter parser-based context verifier built from handwritten lexers plus tl/cssparser, preserving context-dependent matching while cutting about 19 MB from the release binary. 2026-04-07 23:20:17 -07:00
Mick Grove
413798e27d Apply open Dependabot updates 2026-04-06 23:58:55 -07:00
Mick Grove
f72d0c0622 Bump jsonwebtoken to 10.3.0 2026-04-06 22:48:20 -07:00
Mick Grove
45a565fa6e added more rules 2026-04-06 22:18:58 -07:00
Mick Grove
2444d83e5d more rules 2026-04-03 23:43:49 -07:00
Mick Grove
e1e61f5374 updated dependencies 2026-04-02 23:26:36 -07:00
Mick Grove
c171704884 updated vectorscan 2026-04-02 19:35:30 -07:00
Mick Grove
e2664e33ed updated dependencies 2026-04-01 17:25:19 -07:00
Mick Grove
d42620919f updated dependencies 2026-04-01 14:58:08 -07:00
Mick Grove
13bad3f172 added more access-maps 2026-04-01 13:39:24 -07:00
Mick Grove
19fe52a9bf added more access-maps 2026-04-01 10:20:52 -07:00
Mick Grove
b9da8e2829 added more rules 2026-03-29 08:19:34 -07:00
Mick Grove
d609900d56 updated dependencies 2026-03-24 08:55:34 -07:00
Mick Grove
5fa4ce59b7 openssf scorecard suggested improvements 
Made-with: Cursor
 2026-03-19 23:39:36 -07:00
Mick Grove
f0a3bee587 added --max-validation-response-length <BYTES> 2026-03-16 22:25:32 -07:00
Mick Grove
349b8165aa Added TOON output support, to optimize usage of kingfisher from LLM/agent workflows 2026-03-15 15:00:59 -07:00
Mick Grove
1339f03e9d fixed version number 2026-03-15 14:00:43 -07:00
Mick Grove
bc1093ca4a v1.90.0 2026-03-15 13:59:07 -07:00
Mick Grove
60931c11a9 added Teams support 2026-03-13 17:39:34 -07:00
Mick Grove
b99cbf9f50 v1.88.0 2026-03-11 20:59:44 -07:00
Mick Grove
0983581b76 improved yelp and perplexity rules 2026-03-07 07:40:26 -08:00
Mick Grove
fcac8cf1b7 rules updated 2026-03-03 16:47:59 -08:00
Mick Grove
1f4ccb8144 Automatically extracts and scans SQLite database contents for secrets stored in table rows 2026-02-22 23:35:18 -07:00
Mick Grove
32d40c0b53 added pipedrive and amplitude 2026-02-17 16:42:44 -08:00
Mick Grove
f62bfe103b tree sitter scanning improvements 2026-02-14 11:13:59 -08:00
Mick Grove
816d5c40ba wip 1.83 2026-02-13 16:41:28 -08:00
Mick Grove
60c72292c7 Added optional validation rate limiting via --validation-rps (global) and repeatable --validation-rps-rule <RULE_SELECTOR=RPS> (per-rule override) for both scan and validate. Throttling now applies across built-in validator types (HTTP/gRPC plus AWS, GCP, Coinbase, MongoDB, Postgres, MySQL, JDBC, JWT, and Azure Storage). Rule selectors support the short form (for example, github=2 matches kingfisher.github.*) with longest-prefix precedence when multiple selectors apply. 2026-02-12 13:15:51 -08:00
Mick Grove
265e569c60 - Fixed validation flakiness under service rate limiting by retrying HTTP validations on 429/408 in addition to transient 5xx failures. 
- Prevented transient HTTP validation failures (429/5xx) from being cached, avoiding cache poisoning that could suppress later successful validations in the same scan.
 2026-02-11 11:38:24 -08:00
Mick Grove
e518fb30f2 v1.81.0 2026-02-10 19:24:19 -08:00
Mick Grove
2866367c2e v1.80.0 2026-02-09 12:11:35 -08:00
Mick Grove
1a40fb3bfd Fixed AWS access key validation to support temporary/session keys (ASIA prefix) in addition to long-lived keys (AKIA prefix). 2026-02-06 17:05:32 -08:00
Mick Grove
363b2ce77d added multi-step revocation support. Added revocation support for SendGrid, Netlify, Tailscale, ElevenLabs, Sourcegraph, MongoDB Atlas, Twilio, and NPM using multi-step (lookup ID then delete) pattern. 2026-02-04 22:26:57 -08:00
Mick Grove
63f1d515ae preparing for v1.78.0 2026-02-02 18:39:24 -08:00
Mick Grove
8be7941333 Added 'revoke' subcommand and support for a new optional 'revocation' structure to the rules. Supporting GitHub and Slack right now 2026-01-29 12:45:32 -08:00