Merge pull request #328 from mongodb/development

Author: mickgmdb

.github/workflows/docs.yml

@@ -27,7 +27,7 @@ jobs:
 
       - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
 
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.12'
 
@@ -46,7 +46,7 @@ jobs:
           CI: true
 
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
+        uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0
         with:
           path: docs-site/site
 
@@ -59,4 +59,4 @@ jobs:
     steps:
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
+        uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0

.github/workflows/release.yml

@@ -411,36 +411,16 @@ jobs:
 
   provenance:
     name: Generate SLSA provenance
-    needs: [hash]
+    needs: [hash, release]
     permissions:
       actions: read
       id-token: write
       contents: write
     uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0
     with:
       base64-subjects: "${{ needs.hash.outputs.hashes }}"
-      upload-assets: false
-
-  upload-provenance:
-    name: Upload provenance to release
-    needs: [provenance, release]
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-    steps:
-      - name: Download provenance artifact
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: ${{ needs.provenance.outputs.provenance-name }}
-      - name: Upload to release
-        env:
-          GH_TOKEN: ${{ github.token }}
-          TAG: ${{ needs.release.outputs.tag }}
-          PROVENANCE_FILE: ${{ needs.provenance.outputs.provenance-name }}
-        run: |
-          gh release upload "${TAG}" "${PROVENANCE_FILE}" \
-            --repo "${{ github.repository }}" \
-            --clobber
+      upload-assets: true
+      upload-tag-name: "${{ needs.release.outputs.tag }}"
 
   # ──────────────── Publish Docker image ────────────────
   publish-docker:

.gitignore

@@ -7,6 +7,8 @@
 *.json
 !webserver/static/sample-report.json
 !docs/access-map-viewer/sample-report.json
+!testdata/parsers/context_verifier_golden.json
+!testdata/parsers/scan_findings_baseline.json
 !testdata/parsers/tree_sitter_capture_baseline.json
 *.jsonl
 *.bson
@@ -17,7 +19,10 @@ logs/*
 *.orig
 *.rej
 *.html
+!testdata/html_vulnerable.html
+!testdata/html_embedded_vulnerable.html
 !docs/access-map-viewer/index.html
+!docs-site/overrides/*.html
 *.dot
 fuzz/*
 !fuzz/Cargo.toml

AGENTS.md

@@ -22,16 +22,16 @@ Key capabilities:
 ## Repository Structure
 - `src/`: main binary source
 - `src/cli/commands/`: CLI command implementations
-- `src/validation/`: provider-specific credential validators
 - `src/matcher/`: pattern matching engine
 - `src/scanner/`: core scanning logic
-- `src/parser/`: language-aware parsing (`tree-sitter`)
+- `src/parser/`: language-aware context verification (lightweight lexers, `tl` for HTML, `cssparser` for CSS)
 - `src/reporter/`: TOON/JSON/SARIF/HTML report generation
 - `src/access_map/`: access mapping analysis
 - `crates/kingfisher-core/`: shared types and core logic
 - `crates/kingfisher-rules/`: rule loading and rule data
 - `crates/kingfisher-rules/data/rules/`: YAML detection rules
 - `crates/kingfisher-scanner/`: embeddable high-level scanning API
+- `crates/kingfisher-scanner/src/validation/`: shared typed and raw credential validators
 - `tests/`: integration/e2e tests
 - `testdata/`: test fixtures
 - `docs/`: user and developer docs
@@ -81,18 +81,21 @@ Key capabilities:
   - `use-mimalloc` (default)
   - `use-jemalloc`
   - `system-alloc`
-- Validation modules live in `crates/kingfisher-scanner/src/validation/`; optional validation feature sets are defined in `crates/kingfisher-scanner/Cargo.toml` (e.g., `validation-aws`, `validation-gcp`, `validation-database`, `validation-all`).
+- Validation modules live in `crates/kingfisher-scanner/src/validation/`; optional validation feature sets are defined in `crates/kingfisher-scanner/Cargo.toml` (e.g., `validation-raw`, `validation-aws`, `validation-gcp`, `validation-database`, `validation-all`).
 
 ## Validation and Revocation Policy
-- Default rule: define validation logic in rule YAML (`validation:` block), not Rust code.
-- Code-based validation in `crates/kingfisher-scanner/src/validation/` is an exception path for cases that cannot be expressed reliably in YAML alone (for example AWS, GCP, Coinbase, MongoDB, and similar complex/provider-specific flows).
+- Default rule: define validation logic in rule YAML (`validation:` block), especially `Http` or `Grpc`, not Rust code.
+- Typed validators are first-class schema variants (`AWS`, `AzureStorage`, `Coinbase`, `GCP`, `MongoDB`, `MySQL`, `Postgres`, `Jdbc`, `JWT`) for stable, reusable validation families.
+- Raw validators use `validation: { type: Raw, content: <name> }` and are the ad-hoc exception path for provider-specific or protocol-specific validation that cannot be expressed reliably in YAML alone. Implement them in `crates/kingfisher-scanner/src/validation/raw.rs`.
 - Treat Rust validation additions as rare; prefer extending YAML-based validation first.
+- If a Rust exception path is required, prefer adding a raw validator before introducing a new typed validator. Add a new typed validator only when it represents a reusable schema-level validation family.
+- Do not convert existing typed validators to `Raw` just for consistency.
 - For rules that include validation, add a `revocation:` section whenever the third-party API safely supports revocation.
 
 ## Common Development Tasks
 - Add a detection rule: follow the workflow below and validate with relevant tests.
 - Add a CLI command: implement under `src/cli/commands/` and register in the CLI command wiring.
-- Add a validator (rare exception path): implement in `crates/kingfisher-scanner/src/validation/` and wire feature flags/dependencies in `crates/kingfisher-scanner/Cargo.toml` only when YAML validation cannot express the required logic.
+- Add a validator (rare exception path): implement it in `crates/kingfisher-scanner/src/validation/`, prefer `raw.rs` for one-off provider flows, and wire the narrowest feature/dependencies in `crates/kingfisher-scanner/Cargo.toml` only when YAML validation cannot express the required logic.
 
 ## Rule Authoring Workflow
 Use this when creating or updating rules in `crates/kingfisher-rules/data/rules/`.
@@ -105,7 +108,7 @@ Use this when creating or updating rules in `crates/kingfisher-rules/data/rules/
    - `pattern_requirements` (e.g., `min_digits`, `min_uppercase`, `min_lowercase`, `min_special_chars`, `ignore_if_contains`) when format constraints are known.
    - `pattern_requirements.checksum` when provider formats include check digits/signatures.
 5. Add `validation` only when a reliable provider/API check exists.
-6. Put validation in YAML by default; only use Rust validator logic for rare, justified exceptions.
+6. Put validation in YAML by default. If YAML cannot express the check, use an existing typed validator or `type: Raw` exception path; add new Rust validator logic only for rare, justified cases.
 7. Add `revocation` when the provider API supports safe revocation and the flow is well understood.
 8. If a rule needs context from another match (for example ID + secret pair), use `depends_on_rule` and consider `visible: false` on the helper rule.
 9. Verify locally:

CHANGELOG.md

@@ -2,6 +2,12 @@
 
 All notable changes to this project will be documented in this file.
 
+## [v1.95.0]
+- Added 80+ built-in rules, bringing the bundled ruleset to 820 total. New coverage includes Amazon OAuth, Asaas, multiple Azure credential families, Bitrise, Canva, CockroachDB, eBay, Elastic, hCaptcha, Highnote, Lichess, MailerSend, Onfido, Paddle, Pangea, Persona, Pinterest, Proof, Rootly, Runpod, Telnyx, Thunderstore, Valtown, Volcengine, and more.
+- Replaced tree-sitter with a lighter parser-based context verifier built from handwritten lexers plus `tl`/`cssparser`, preserving context-dependent matching while cutting about 19 MB from the release binary.
+- Added a `validation: type: Raw` exception path for provider-specific checks, with new raw validators for Azure Batch, FTP, Kraken, LDAP, RabbitMQ, and Redis. Also added stable request-scoped template values plus new Liquid filters for HMAC-SHA384 hex output and timestamp generation.
+- Expanded live validation coverage for several built-in rules, including Agora, Bitfinex, DocuSign, Dwolla, GitLab, KuCoin, RingCentral, Snowflake, Tableau, Trello, and Webex. Also tightened newly added helper regex to avoid high-match scan regressions, and made preflight-blocked raw validations report as skipped/not attempted instead of failed.
+
 ## [v1.94.0]
 - Updated vendored `vectorscan-rs` from v0.0.5 (Vectorscan 5.4.11) to v0.0.6 (Vectorscan 5.4.12). The upstream crate now ships pre-extracted sources instead of a tarball+patch, and fixes the `cpu_native` feature flag. Local Windows and musl build patches have been re-applied.
 - Added more built-in rules