eblume/kingfisher
1
0
Fork 0
forked from mirrors/kingfisher
Code Pull requests Activity Actions
1,206 commits 5 branches 83 tags 53 MiB
Commit graph

1,206 commits

This branch
This branch
All branches
Author SHA1 Message Date
Mick Grove
fa640e2c38 Python bytecode (.pyc) scanning: extracts string constants from compiled Python 2026-02-23 20:06:43 -07:00
Mick Grove
1f4ccb8144 Automatically extracts and scans SQLite database contents for secrets stored in table rows 2026-02-22 23:35:18 -07:00
Mick Grove
7845cfa727 being discovered, overlapping I/O with pattern matching. 
- Performance: skip blobs smaller than 20 bytes during enumeration (too small to contain any secret).
- Performance: preserve pack-ascending blob order in the metadata path for better I/O locality when Rayon splits work.
 2026-02-22 22:59:42 -07:00
Mick Grove
8ae2ba1a1e fixed tests 2026-02-19 22:15:14 -08:00
Mick Grove
02538a6ac4 added more access-maps 2026-02-19 20:51:12 -08:00
Mick Grove
05002fe4d6 added more access-maps 2026-02-19 20:39:07 -08:00
Mick Grove
f38df8a953 added more access-maps 2026-02-19 19:36:43 -08:00
Mick Grove
a9c5d8524f added more access-maps 2026-02-19 18:19:20 -08:00
Mick Grove
17bb433227 improved GCP access mapping support 2026-02-19 14:58:10 -08:00
Mick Grove
3b1085baa6 added buildkit and harness to access-map 2026-02-17 22:58:29 -08:00
Mick Grove
32d40c0b53 added pipedrive and amplitude 2026-02-17 16:42:44 -08:00
Mick Grove
51d782a917 Fixes in response to PR review 2026-02-16 09:43:16 -08:00
Mick Grove
0ddf3fc10f Fixes in response to PR review 2026-02-16 07:34:32 -08:00
Mick Grove
8cf09936fc Kingfisher can now generate an auditor-friendly HTML report 2026-02-15 23:50:39 -08:00
Mick Grove
39a4e217e3 Kingfisher can now generate an auditor-friendly HTML report 2026-02-15 14:29:42 -08:00
Mick Grove
470120369b refactored code 2026-02-14 14:08:48 -08:00
Mick Grove
d3e659491d refactored code 2026-02-14 13:12:26 -08:00
Mick Grove
f62bfe103b tree sitter scanning improvements 2026-02-14 11:13:59 -08:00
Mick Grove
7468230f47 html report viewer improvements 2026-02-13 22:36:48 -08:00
Mick Grove
fdf85f09fc html report viewer improvements 2026-02-13 18:35:36 -08:00
Mick Grove
79102a073b html report viewer improvements 2026-02-13 18:19:18 -08:00
Mick Grove
7653acb433 wip 1.83 2026-02-13 17:37:31 -08:00
Mick Grove
816d5c40ba wip 1.83 2026-02-13 16:41:28 -08:00
Mick Grove
a36634c4b4 Fixed CI runner failure when executing tests 2026-02-13 10:04:18 -08:00
Mick Grove
09ed89eec2 Fixed CI runner failure when executing tests 2026-02-13 09:57:44 -08:00
Mick Grove
56827ae342 Fixed CI runner failure when executing tests 2026-02-13 09:39:41 -08:00
Mick Grove
409e1557de Fixed CI runner failure when executing tests 2026-02-13 09:35:04 -08:00
Mick Grove
cfc01eab68 Fixed CI runner failure when executing tests 2026-02-13 09:19:02 -08:00
Mick Grove
0ba79df1f4 Fixed CI runner failure when executing tests 2026-02-13 08:40:04 -08:00
Mick Grove
0c9ca048ea Fixed CI runner failure when executing tests 2026-02-13 07:55:17 -08:00
Mick Grove
1583df7a64 Fixed CI runner failure when executing tests 2026-02-12 21:56:07 -08:00
Mick Grove
dfa4375152 Fixed CI runner failure when executing tests 2026-02-12 21:46:17 -08:00
Mick Grove
20a05a643c Fixed CI runner failure when executing tests 2026-02-12 21:11:50 -08:00
Mick Grove
1a8651ecb0 Fixed CI runner failure when executing tests 2026-02-12 17:26:28 -08:00
Mick Grove
1503b4f661 Fixed CI runner failure when executing tests 2026-02-12 17:25:49 -08:00
Mick Grove
6a9a3b35ed Fixed CI runner failure when executing tests 2026-02-12 17:23:03 -08:00
Mick Grove
e72f40b169 Fixed CI runner failure when executing tests 2026-02-12 16:51:55 -08:00
Mick Grove
dfe6554b1c Fixed CI runner failure when executing tests 2026-02-12 16:07:55 -08:00
Mick Grove
60c72292c7 Added optional validation rate limiting via --validation-rps (global) and repeatable --validation-rps-rule <RULE_SELECTOR=RPS> (per-rule override) for both scan and validate. Throttling now applies across built-in validator types (HTTP/gRPC plus AWS, GCP, Coinbase, MongoDB, Postgres, MySQL, JDBC, JWT, and Azure Storage). Rule selectors support the short form (for example, github=2 matches kingfisher.github.*) with longest-prefix precedence when multiple selectors apply. 2026-02-12 13:15:51 -08:00
Mick Grove
5882468177 Added optional validation rate limiting via --validation-rps (global) and repeatable --validation-rps-rule <RULE_SELECTOR=RPS> (per-rule override) for both scan and validate. Throttling now applies across built-in validator types (HTTP/gRPC plus AWS, GCP, Coinbase, MongoDB, Postgres, MySQL, JDBC, JWT, and Azure Storage). Rule selectors support the short form (for example, github=2 matches kingfisher.github.*) with longest-prefix precedence when multiple selectors apply. 2026-02-12 12:33:59 -08:00
Mick Grove
2d6abb95c9 fixes in response to pr review 2026-02-11 23:44:09 -08:00
Mick Grove
57845eebcd - Added kingfisher.temporal.1 rule for Temporal Cloud API keys (namespace-scoped and user-scoped JWT formats) with Temporal-specific pattern matching. 
- Added Temporal Cloud active credential validation via GET https://saas-api.tmprl.cloud/cloud/current-identity using bearer auth, so Temporal keys validate against provider APIs instead of generic OIDC discovery.
- Fixed JWT issuer normalization to treat bare host issuers (e.g. iss: temporal.io) as HTTPS URLs during discovery, avoiding low-level URL builder failures.
- Added crates/kingfisher-rules/build.rs to ensure embedded rule assets rebuild when files under crates/kingfisher-rules/data change.
 2026-02-11 23:33:35 -08:00
Mick Grove
ec44d9b60b - Added kingfisher.temporal.1 rule for Temporal Cloud API keys (namespace-scoped and user-scoped JWT formats) with Temporal-specific pattern matching. 
- Added Temporal Cloud active credential validation via GET https://saas-api.tmprl.cloud/cloud/current-identity using bearer auth, so Temporal keys validate against provider APIs instead of generic OIDC discovery.
- Fixed JWT issuer normalization to treat bare host issuers (e.g. iss: temporal.io) as HTTPS URLs during discovery, avoiding low-level URL builder failures.
- Added crates/kingfisher-rules/build.rs to ensure embedded rule assets rebuild when files under crates/kingfisher-rules/data change.
 2026-02-11 23:27:05 -08:00
Mick Grove
7dc0955635 - Added Vercel credential rules for new token formats introduced February 2026: vcp_ (personal access), vci_ (integration), vca_ (app access), vcr_ (app refresh), vck_ (AI Gateway API key). All use CRC32/Base62 checksum validation. Legacy 24-char format retained as kingfisher.vercel.1. 
- Added revocation support for Vercel app tokens (vca_, vcr_) via https://api.vercel.com/login/oauth/token/revoke. Requires VERCEL_APP_CLIENT_ID (or NEXT_PUBLIC_VERCEL_APP_CLIENT_ID) and VERCEL_APP_CLIENT_SECRET.
- Fixed validate/revoke command generation to omit regex named captures (e.g., BODY, CHECKSUM) when they are not used by validation/revocation templates, so rules like Vercel no longer produce unnecessary --var BODY=... arguments.
 2026-02-11 16:56:47 -08:00
Mick Grove
4ab5932d57 - Added Vercel credential rules for new token formats introduced February 2026: vcp_ (personal access), vci_ (integration), vca_ (app access), vcr_ (app refresh), vck_ (AI Gateway API key). All use CRC32/Base62 checksum validation. Legacy 24-char format retained as kingfisher.vercel.1. 
- Added revocation support for Vercel app tokens (vca_, vcr_) via https://api.vercel.com/login/oauth/token/revoke. Requires VERCEL_APP_CLIENT_ID (or NEXT_PUBLIC_VERCEL_APP_CLIENT_ID) and VERCEL_APP_CLIENT_SECRET.
- Fixed validate/revoke command generation to omit regex named captures (e.g., BODY, CHECKSUM) when they are not used by validation/revocation templates, so rules like Vercel no longer produce unnecessary --var BODY=... arguments.
 2026-02-11 13:56:17 -08:00
Mick Grove
265e569c60 - Fixed validation flakiness under service rate limiting by retrying HTTP validations on 429/408 in addition to transient 5xx failures. 
- Prevented transient HTTP validation failures (429/5xx) from being cached, avoiding cache poisoning that could suppress later successful validations in the same scan.
 2026-02-11 11:38:24 -08:00
Mick Grove
9a2c742e77 remove __pycache__ dir and updated gitignore 2026-02-11 07:37:57 -08:00
Mick Grove
1779e9e356 remove __pycache__ dir and updated gitignore 2026-02-11 07:37:40 -08:00
Mick Grove
fca2b93a21 remove __pycache__ dir and updated gitignore 2026-02-11 07:32:44 -08:00
Mick Grove
eb493bdef9 remove __pycache__ dir and updated gitignore 2026-02-11 07:32:02 -08:00