kingfisher/crates/kingfisher-rules/data/rules/dryrunsecurity.yml

rules:
  - name: DryRun Security API Key
    id: kingfisher.dryrunsecurity.1
    pattern: |
      (?x)
      \b
      (
        dryrunsec_[A-Za-z0-9]{32}
      )
      \b
    pattern_requirements:
      min_digits: 1
      min_uppercase: 1
      min_lowercase: 1
    min_entropy: 3.2
    confidence: medium
    examples:
      - 'DRYRUN_API_KEY="dryrunsec_XRO3RsNlZm4M3VyZoPb02PzTv7yaEWoF"'
      - 'Authorization: Bearer dryrunsec_hdKJINE3Bbe4SI3MsP4RoeCp5oY31MLZ'
      - "dryrun_token=dryrunsec_1lTU5w3SuCqJ59aqmri3rhLVJtabQ0BM"
    references:
      - https://docs.dryrun.security/
      - https://simple-api.dryrun.security/api-docs/index.html
    validation:
      type: Http
      content:
        request:
          method: GET
          url: https://simple-api.dryrun.security/v1/accounts
          headers:
            Authorization: "Bearer {{ TOKEN }}"
            Accept: application/json
          response_matcher:
            - report_response: true
            - type: StatusMatch
              status: [200]
            - type: JsonValid
            - type: WordMatch
              words:
                - '"account_id"'
              match_all_words: true
    # Revocation not added: the published DryRun Simple API OpenAPI spec documents
    # bearer-authenticated read/write account resources, but does not expose an
    # access-key delete, revoke, or "current token" endpoint that can safely
    # invalidate the presented key.