# Kingfisher detection rules for Grafana credentials. Rules 1 and 3 take their
# validation host from rule 4 (kingfisher.grafana.4) via the GRAFANADOMAIN
# variable; rule 2 validates against the public grafana.com API.
rules:
# Grafana API key: base64 text that opens with `eyJrIjoi`, which decodes to
# the JSON prefix `{"k":"`. Case-sensitive, as base64 is.
- name: Grafana API Token
  id: kingfisher.grafana.1
  # (?x): whitespace and line breaks inside the pattern are ignored.
  # NOTE(review): the closing \b can only follow a '=' when a word character
  # comes next, so a padded key followed by a quote, space or end-of-line is
  # captured without its '=' padding (the engine backtracks to zero '=').
  # Confirm that the validator below accepts unpadded tokens.
  pattern: |
    (?x)
    \b
    (
      eyJrIjoi
      [A-Za-z0-9+/]{40,380}
      ={0,2}
    )
    \b
  pattern_requirements:
    min_digits: 2
    min_entropy: 3.3
  confidence: medium
  examples:
  - 'Authorization: Bearer eyJrIjoiWHZiSWd5NzdCYUZnNUtibE8obUpESmE2bzJYNDRIc1UiLCJuIjoibXlrZXkiLCJpZCI6MX0='
  - 'admin_client = GrafanaClient("eyJrIjoiY21sM1JRYjB6RnVYSTNLenRWQkFEaWN2bXI2V202U2IiLCJuIjoiYWRtaW5rZXkiLCJpZCI6MX0=", host=grafana_host, port=3000, protocol="http")'
  references:
  - https://grafana.com/docs/grafana/latest/developer-resources/api-reference/http-api/authentication/
  - https://grafana.com/docs/grafana/latest/developer-resources/api-reference/http-api/org/
  # GRAFANADOMAIN is a Grafana hostname matched by rule 4 in the same scanned
  # content, so the host the validator talks to is itself untrusted input.
  depends_on_rule:
  - rule_id: kingfisher.grafana.4
    variable: GRAFANADOMAIN
  # Live check: GET /api/org with the candidate as a Bearer token. A 200 whose
  # body is valid JSON containing the "id" and "name" keys counts as valid.
  validation:
    type: Http
    content:
      request:
        method: GET
        url: "https://{{ GRAFANADOMAIN }}/api/org"
        headers:
          Authorization: "Bearer {{ TOKEN }}"
          Accept: application/json
      response_matcher:
      - report_response: true
      - type: StatusMatch
        status: [200]
      - type: JsonValid
      - type: WordMatch
        words: ['"id"', '"name"']

# Grafana Cloud token: `glc_` prefix followed by base64-like text. The `i`
# flag makes the lowercase class match upper case too (the first example
# contains capitals).
# NOTE(review): as in rule 1, `={0,2}` followed by \b drops any '=' padding
# from the capture when a quote, space or end-of-line follows.
- name: Grafana Cloud API Token
  id: kingfisher.grafana.2
  pattern: |
    (?xi)
    \b
    (
      glc_
      [a-z0-9+/]{40,150}
      ={0,2}
    )
    \b
  pattern_requirements:
    min_digits: 2
    min_lowercase: 2
    min_entropy: 3.3
  confidence: medium
  examples:
  - ' "token": "glc_eyJrIjoiZjI0YzZkNGEwZDBmZmZjMmUzNTU3ODcxMmY0ZWZlNTQ1NTljMDFjOCIsIm6iOiJteXRva3VuIiwiaWQiOjF8"'
  - 'grafana = glc_etLvNLoNMLt7MTczNNwNbN6Nm1ldGEtbW9paxRvcmlpZt14ZXN4NNwNatN6NLCxdKeH7KTUvWpNqCrHlMKE9EhLcZH7to'
  references:
  - https://grafana.com/docs/grafana/latest/developer-resources/api-reference/cloud-api/
  # Live check against a fixed public host; no domain dependency is needed.
  # A 200 with a valid JSON body counts as valid.
  validation:
    type: Http
    content:
      request:
        method: GET
        url: "https://grafana.com/api/stack-regions"
        headers:
          Authorization: "Bearer {{ TOKEN }}"
          Accept: application/json
      response_matcher:
      - report_response: true
      - type: StatusMatch
        status: [200]
      - type: JsonValid

# Grafana service account token: `glsa_`, 32 alphanumerics, `_`, 8 hex digits.
# With (?xi) both classes match case-insensitively, so mixed-case bodies (as in
# the examples) and lowercase hex are accepted.
- name: Grafana Service Account Token
  id: kingfisher.grafana.3
  pattern: |
    (?xi)
    \b
    (
      glsa_[A-Z0-9]{32}_[A-F0-9]{8}
    )
    \b
  pattern_requirements:
    min_digits: 2
    min_entropy: 3.3
  confidence: medium
  # Block scalars are used because the samples mix double quotes, single
  # quotes, backticks and braces; `|` keeps one trailing newline in each.
  examples:
  - |
    curl -H "Authorization: Bearer glsa_HOruNAb7SOiCdshU7algkrq7FDsNSLAa_55e2f8be" -X GET '<grafana_url>/api/org' | jq
  - |
    // headers: { Authorization: `Bearer glsa_Sof0HKi3agxrQP9qm5r2G98VacBNwV5P_9b638c45` }
  references:
  - https://grafana.com/blog/new-in-grafana-9-1-service-accounts-are-now-ga/
  - https://grafana.com/docs/grafana/latest/administration/service-accounts/
  - https://grafana.com/docs/grafana/latest/developer-resources/api-reference/http-api/org/
  # GRAFANADOMAIN comes from a rule-4 match in the same scanned content; the
  # validation host is therefore untrusted input.
  depends_on_rule:
  - rule_id: kingfisher.grafana.4
    variable: GRAFANADOMAIN
  # Same live check as kingfisher.grafana.1: GET /api/org as Bearer, expect a
  # 200 with valid JSON containing the "id" and "name" keys.
  validation:
    type: Http
    content:
      request:
        method: GET
        url: "https://{{ GRAFANADOMAIN }}/api/org"
        headers:
          Authorization: "Bearer {{ TOKEN }}"
          Accept: application/json
      response_matcher:
      - report_response: true
      - type: StatusMatch
        status: [200]
      - type: JsonValid
      - type: WordMatch
        words: ['"id"', '"name"']

# Helper rule: captures a Grafana hostname, optionally with `:port`, so rules 1
# and 3 can substitute it as GRAFANADOMAIN. The optional scheme sits outside
# the capture group and is not part of the variable; the dependent validation
# URLs hard-code https, so a host seen behind http:// is still checked over
# https.
# NOTE(review): `min_entropy` is at rule level here while the other rules put
# it under `pattern_requirements` — confirm which form the schema expects.
# NOTE(review): `visible: false` presumably keeps these hostname matches out of
# the findings output — confirm.
- name: Grafana Domain
  id: kingfisher.grafana.4
  pattern: |
    (?xi)
    (?:https?://)?
    \b
    (
      (?:[a-z0-9-]+\.){0,16}
      grafana\.[a-z0-9.-]{2,64}
      (?::\d{2,5})?
    )
    \b
  min_entropy: 3.0
  visible: false
  confidence: medium
  examples:
  - grafana.example.com
  - grafana.prod.eu-west.mycorp.internal:3000
  - api.team1.grafana.services.cluster.local
  - grafana.dev.foo-bar.co.uk