Merge pull request #131 from mongodb/development

v1.60.0

Author: mickgmdb

CHANGELOG.md

@@ -2,7 +2,16 @@
 
 All notable changes to this project will be documented in this file.
 
+## [v1.60.0]
+- Removed the `--bitbucket-username`, `--bitbucket-token`, and `--bitbucket-oauth-token` flags in favour of `KF_BITBUCKET_*` environment variables when authenticating to Bitbucket.
+- Added provider-specific `kingfisher scan` subcommands (for example `kingfisher scan github …`) that translate into the legacy flags under the hood. The new layout keeps backwards compatibility while removing the wall of provider options from `kingfisher scan --help`.
+- Updated the README so every provider example (GitHub, GitLab, Bitbucket, Azure Repos, Gitea, Hugging Face, Slack, Jira, Confluence, S3, GCS, Docker) uses the new subcommand style.
+- Legacy provider flags (for example `--github-user`, `--gitlab-group`, `--bitbucket-workspace`, `--s3-bucket`) still work but now emit a deprecation warning to encourage migration to the new `kingfisher scan <provider>` flow.
+- Kept the direct `kingfisher scan /path/to/dir` flow for local filesystem / local git repo scans while adding a `--list-only` switch to each provider subcommand so repository enumeration no longer requires the standalone `github repos`, `gitlab repos`, etc. commands.
+- Removed the legacy top-level provider commands (`kingfisher github`, `kingfisher gitlab`, `kingfisher gitea`, `kingfisher bitbucket`, `kingfisher azure`, `kingfisher huggingface`) now that enumeration lives under `kingfisher scan <provider> --list-only`.
+
 ## [v1.59.0]
+- Fixed `kingfisher scan github …` (and other provider-specific subcommands) so they no longer demand placeholder path arguments before the CLI accepts the request.
 - Fixed `kingfisher scan` so that providing `--branch` without `--since-commit` now diffs the branch against the empty tree and scans every commit reachable from that branch.
 - Added rules for meraki, duffel, finnhub, frameio, freshbooks, gitter, infracost, launchdarkly, lob, maxmind, messagebird, nytimes, prefect, scalingo, sendinblue, sentry, shippo, twitch, typeform
 

Cargo.toml

@@ -10,7 +10,7 @@ publish = false
 
 [package]
 name = "kingfisher"
-version = "1.59.0"
+version = "1.60.0"
 description = "MongoDB's blazingly fast and accurate secret scanning and validation tool"
 edition.workspace = true
 rust-version.workspace = true

README.md

@@ -124,7 +124,9 @@ cargo build --release --target x86_64-pc-windows-msvc || (
 
 echo Generating CHECKSUM.txt...
 powershell -Command ^
-  "Get-FileHash .\target\x86_64-pc-windows-msvc\release\%PROJECT_NAME%.exe -Algorithm SHA256 | Out-File .\target\x86_64-pc-windows-msvc\release\CHECKSUM.txt"
+  "$hash = Get-FileHash '.\target\x86_64-pc-windows-msvc\release\%PROJECT_NAME%.exe' -Algorithm SHA256;" ^
+  "$line = '{0}  {1}' -f $hash.Hash, (Split-Path -Leaf $hash.Path);" ^
+  "Set-Content -Path '.\target\x86_64-pc-windows-msvc\release\CHECKSUM.txt' -Value $line"
 
 if not exist "target\release" mkdir "target\release"
 copy /Y "target\x86_64-pc-windows-msvc\release\%PROJECT_NAME%.exe" "target\release\" >nul
@@ -137,7 +139,10 @@ powershell -Command "Compress-Archive -Path '%PROJECT_NAME%.exe','CHECKSUM-windo
 
 if exist "%PROJECT_NAME%-windows-x64.zip" (
     REM -- append the ZIP’s SHA-256 to the existing checksum file ----
-    certutil -hashfile "%PROJECT_NAME%-windows-x64.zip" SHA256 >> "CHECKSUM-windows-x64.txt"
+    powershell -Command ^
+      "$hash = Get-FileHash '.\%PROJECT_NAME%-windows-x64.zip' -Algorithm SHA256;" ^
+      "$line = '{0}  {1}' -f $hash.Hash, (Split-Path -Leaf $hash.Path);" ^
+      "Add-Content -Path '.\CHECKSUM-windows-x64.txt' -Value $line"
     echo Created: %PROJECT_NAME%-windows-x64.zip
 ) else (
     echo ERROR: Archive not created.

buildwin.bat

@@ -46,5 +46,5 @@ rules:
             - report_response: true
             - type: WordMatch
               words:
-                - '"type":"invalid_request_error"'
+                - '"type":"message"'
           url: https://api.anthropic.com/v1/messages

data/rules/anthropic.yml

@@ -15,16 +15,44 @@ rules:
       - license_key="ZXCVBN_0987654321abcdef1234567890abc_mmk"
     references:
       - https://dev.maxmind.com/geoip/docs/web-services
+    depends_on_rule:
+      - rule_id: kingfisher.maxmind.2
+        variable: ACCOUNT_ID
     validation:
       type: Http
       content:
         request:
           method: GET
-          url: https://geoip.maxmind.com/geoip/v2.1/city/me?license_key={{ TOKEN }}
+          url: https://geoip.maxmind.com/geoip/v2.1/city/me
           headers:
+            Authorization: "Basic {{ ACCOUNT_ID | append: ':' | append: TOKEN | b64enc }}"
             Accept: application/json
           response_matcher:
             - report_response: true
             - type: StatusMatch
               status:
                 - 200
+  - name: MaxMind Account ID
+    id: kingfisher.maxmind.2
+    pattern: |
+      (?xi)
+      (?:maxmind|geoip|geolite)
+      (?:.|[\n\r]){0,40}?
+      (?:account|user)
+      (?:.|[\n\r]){0,10}?
+      (?:id|number)
+      (?:.|[\n\r]){0,16}?
+      \b
+      (
+        \d{4,8}
+      )
+      \b
+    min_entropy: 2.0
+    confidence: medium
+    visible: false
+    examples:
+      - MAXMIND_ACCOUNT_ID=123456
+      - '"maxmind": {"account_id": "654321", "license_key": "..."}'
+      - 'geoip_account_number: 456789'
+    references:
+      - https://dev.maxmind.com/geoip/docs/web-services

data/rules/maxmind.yml

@@ -22,15 +22,14 @@ rules:
       type: Http
       content:
         request:
-          body: |
-            {'text':''}
+          body: '{"text":""}'
           headers:
             Content-Type: application/json
           method: POST
           response_matcher:
             - type: StatusMatch
               status:
-                - 200
+                - 400
             - report_response: true
               type: WordMatch
               words:

data/rules/microsoftteamswebhook.yml

@@ -20,7 +20,7 @@ rules:
       content:
         request:
           method: GET
-          url: https://api.prefect.cloud/api/me
+          url: https://api.prefect.cloud/api/me/workspaces
           headers:
             Authorization: 'Bearer {{ TOKEN }}'
             Accept: application/json

data/rules/prefect.yml

@@ -55,6 +55,10 @@ impl AuthConfig {
         Self { username, password, bearer_token }
     }
 
+    pub fn from_env() -> Self {
+        Self::from_options(None, None, None)
+    }
+
     fn apply(&self, request: reqwest::RequestBuilder) -> reqwest::RequestBuilder {
         if let Some(token) = &self.bearer_token {
             request.bearer_auth(token)

src/bitbucket.rs

@@ -47,7 +47,7 @@ pub struct AzureRepoSpecifiers {
     pub project: Vec<String>,
 
     /// Include repositories from all projects within the specified organizations
-    #[arg(long = "azure-all-projects", alias = "all-azure-projects")]
+    #[arg(long = "all-projects", alias = "azure-all-projects")]
     pub all_projects: bool,
 
     /// Skip repositories when enumerating Azure sources (format: ORGANIZATION/PROJECT/REPOSITORY)
@@ -59,7 +59,7 @@ pub struct AzureRepoSpecifiers {
     pub exclude_repos: Vec<String>,
 
     /// Filter by repository type
-    #[arg(long = "azure-repo-type", default_value_t = AzureRepoType::Source)]
+    #[arg(long = "repo-type", alias = "azure-repo-type", default_value_t = AzureRepoType::Source)]
     pub repo_type: AzureRepoType,
 }