kingfisher/crates/kingfisher-rules/data/rules/grafana.yml

rules:
  - name: Grafana API Token
    id: kingfisher.grafana.1
    pattern: |
      (?x)
      \b
      (
        eyJrIjoi
        [A-Za-z0-9+/]{40,380}
        ={0,2}
      )
      \b
    pattern_requirements:
      min_digits: 2
    min_entropy: 3.3
    confidence: medium
    examples:
      - 'Authorization: Bearer eyJrIjoiWHZiSWd5NzdCYUZnNUtibE8obUpESmE2bzJYNDRIc1UiLCJuIjoibXlrZXkiLCJpZCI6MX0='
      - 'admin_client = GrafanaClient("eyJrIjoiY21sM1JRYjB6RnVYSTNLenRWQkFEaWN2bXI2V202U2IiLCJuIjoiYWRtaW5rZXkiLCJpZCI6MX0=", host=grafana_host, port=3000, protocol="http")'
    references:
      - https://grafana.com/docs/grafana/latest/developer-resources/api-reference/http-api/authentication/
      - https://grafana.com/docs/grafana/latest/developer-resources/api-reference/http-api/org/
    depends_on_rule:
      - rule_id: kingfisher.grafana.4
        variable: GRAFANADOMAIN
    validation:
      type: Http
      content:
        request:
          method: GET
          url: "https://{{ GRAFANADOMAIN }}/api/org"
          headers:
            Authorization: "Bearer {{ TOKEN }}"
            Accept: application/json
          response_matcher:
            - report_response: true
            - type: StatusMatch
              status: [200]
            - type: JsonValid
            - type: WordMatch
              words: ['"id"', '"name"']

  - name: Grafana Cloud API Token
    id: kingfisher.grafana.2
    pattern: |
      (?xi)
      \b
      (
        glc_
        [a-z0-9+/]{40,150}
        ={0,2}
      )
      \b
    pattern_requirements:
      min_digits: 2
      min_lowercase: 2
    min_entropy: 3.3
    confidence: medium
    examples:
      - '  "token": "glc_eyJrIjoiZjI0YzZkNGEwZDBmZmZjMmUzNTU3ODcxMmY0ZWZlNTQ1NTljMDFjOCIsIm6iOiJteXRva3VuIiwiaWQiOjF8"'
      - 'grafana = glc_etLvNLoNMLt7MTczNNwNbN6Nm1ldGEtbW9paxRvcmlpZt14ZXN4NNwNatN6NLCxdKeH7KTUvWpNqCrHlMKE9EhLcZH7to'
    references:
      - https://grafana.com/docs/grafana/latest/developer-resources/api-reference/cloud-api/
    validation:
      type: Http
      content:
        request:
          method: GET
          url: https://grafana.com/api/stack-regions
          headers:
            Authorization: "Bearer {{ TOKEN }}"
            Accept: application/json
          response_matcher:
            - report_response: true
            - type: StatusMatch
              status: [200]
            - type: JsonValid

  - name: Grafana Service Account Token
    id: kingfisher.grafana.3
    pattern: |
      (?xi)
      \b
      (
        glsa_[A-Z0-9]{32}_[A-F0-9]{8}
      )
      \b
    pattern_requirements:
      min_digits: 2
    min_entropy: 3.3
    confidence: medium
    examples:
      - |
        curl -H "Authorization: Bearer glsa_HOruNAb7SOiCdshU7algkrq7FDsNSLAa_55e2f8be" -X GET '<grafana_url>/api/org' | jq
      - |
        // headers: { Authorization: `Bearer glsa_Sof0HKi3agxrQP9qm5r2G98VacBNwV5P_9b638c45` }
    references:
      - https://grafana.com/blog/new-in-grafana-9-1-service-accounts-are-now-ga/
      - https://grafana.com/docs/grafana/latest/administration/service-accounts/
      - https://grafana.com/docs/grafana/latest/developer-resources/api-reference/http-api/org/
    depends_on_rule:
      - rule_id: kingfisher.grafana.4
        variable: GRAFANADOMAIN
    validation:
      type: Http
      content:
        request:
          method: GET
          url: "https://{{ GRAFANADOMAIN }}/api/org"
          headers:
            Authorization: "Bearer {{ TOKEN }}"
            Accept: application/json
          response_matcher:
            - report_response: true
            - type: StatusMatch
              status: [200]
            - type: JsonValid
            - type: WordMatch
              words: ['"id"', '"name"']

  - name: Grafana Domain
    id: kingfisher.grafana.4
    pattern: |
      (?xi)
      (?:https?://)?
      \b
      (
        (?:[a-z0-9-]+\.){0,16}
        grafana\.[a-z0-9.-]{2,64}
        (?::\d{2,5})?
      )
      \b
    min_entropy: 3.0
    visible: false
    confidence: medium
    examples:
      - grafana.example.com
      - grafana.prod.eu-west.mycorp.internal:3000
      - api.team1.grafana.services.cluster.local
      - grafana.dev.foo-bar.co.uk