Add rule: Kagi API Key (#255)

CHANGELOG.md

@@ -14,6 +14,7 @@ Note that the use of semantic versioning applies to the command-line interface a
 
     - `Auth0 Application Credentials` ([#254](https://github.com/praetorian-inc/noseyparker/pull/254))
     - `Credentials in Connect-VIServer Invocation` ([#251](https://github.com/praetorian-inc/noseyparker/pull/251))
+    - `Kagi API Key` ([#255](https://github.com/praetorian-inc/noseyparker/pull/255))
     - `Sourcegraph Access Token` ([#252](https://github.com/praetorian-inc/noseyparker/pull/252))
     - `Tavily API Key` ([#253](https://github.com/praetorian-inc/noseyparker/pull/253))
 

README.md

@@ -10,7 +10,7 @@ It has found secrets in hundreds of offensive security engagements at [Praetoria
 
 **Key features:**
 - **Flexiblity:** It natively scans files, directories, GitHub, and Git history, and has an extensible input enumeration mechanism
-- **Field-tested rules:** It uses regular expressions with [174 patterns](crates/noseyparker/data/default/builtin/rules) chosen for high precision based on feedback from security engineers
+- **Field-tested rules:** It uses regular expressions with [175 patterns](crates/noseyparker/data/default/builtin/rules) chosen for high precision based on feedback from security engineers
 - **Signal-to-noise:** It deduplicates matches that share the same secret, reducing review burden by 10-1000x or more
 - **Speed & scalability:** it can scan at GB/s on a multicore system, and has scanned inputs as large as 20TB during security engagements
 

crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_check_builtins-2.snap

@@ -2,4 +2,4 @@
 source: crates/noseyparker-cli/tests/rules/mod.rs
 expression: stdout
 ---
-174 rules and 3 rulesets: no issues detected
+175 rules and 3 rulesets: no issues detected

crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_json-2.snap

@@ -2306,6 +2306,34 @@ expression: stdout
         ]
       }
     },
+    {
+      "id": "np.kagi.1",
+      "structural_id": "6f6ec59aa63cc565f772cf22de0c5bf223368763",
+      "name": "Kagi API Key",
+      "syntax": {
+        "name": "Kagi API Key",
+        "id": "np.kagi.1",
+        "pattern": "(?x)(?s)\n\\b\n(?: kagi | KAGI )\n.{0,100}\n\\b\n( [a-zA-Z0-9_-]{11}\\.[a-zA-Z0-9_-]{43} )\n(?: $ | [^a-zA-Z0-9_-] )\n",
+        "description": "A Kagi API Key was found. Kagi is an internet search company. An attacker may be able to use this API key to consume limited paid resources or access account information and settings.\n",
+        "examples": [
+          "KAGI_API_KEY='AQAAUPJ-iQc.yLFDzC5RRHzPNDThhulREdoG0Bn3PiZMwJ6yqC6uJLE'",
+          "https://kagi.com/search?token=uwHBLWXZpgY.STzubkAbVXqpfV39Q6TOfzp43KulJeYWK6-963uz1-o"
+        ],
+        "negative_examples": [
+          "AQAAUPJ-iQc.yLFDzC5RRHzPNDThhulREdoG0Bn3PiZMwJ6yqC6uJLE",
+          "BwCASYSBiQc.RyTxij9nKwqG08jnmzAn45p0RLUEHCii_vojyPh-6ZA",
+          "CQCAbaKBiQc.hcyqFSgvar58Fg8AXOdxnXSyEVC6Ldt-axCKSxf8Gxk"
+        ],
+        "references": [
+          "https://help.kagi.com/kagi/api/overview.html"
+        ],
+        "categories": [
+          "api",
+          "fuzzy",
+          "secret"
+        ]
+      }
+    },
     {
       "id": "np.krb5.asrep.23.1",
       "structural_id": "0026c7bd3577be46d947892edab1bde4e1c320a0",
@@ -4370,7 +4398,7 @@ expression: stdout
     {
       "id": "default",
       "name": "Nosey Parker default rules",
-      "num_rules": 153
+      "num_rules": 154
     },
     {
       "id": "np.assets",

crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_noargs-2.snap

@@ -97,6 +97,7 @@ expression: stdout
  np.jwt.1             JSON Web Token (base64url-encoded)                            api 
  np.jwt.2             JSON Web Token Secret                                         fuzzy, secret 
  np.jwt.3             JSON Web Token Secret                                         fuzzy, secret 
+ np.kagi.1            Kagi API Key                                                  api, fuzzy, secret 
  np.krb5.asrep.23.1   Password Hash (Kerberos 5, etype 23, AS-REP)                  hashed, secret 
  np.kubernetes.1      Kubernetes Bootstrap Token                                    api, fuzzy, secret 
  np.kubernetes.2      Kubernetes Bootstrap Token                                    api, secret 
@@ -181,6 +182,6 @@ expression: stdout
 
  Ruleset ID   Ruleset Name                         Rules 
 ─────────────────────────────────────────────────────────
- default      Nosey Parker default rules             153 
+ default      Nosey Parker default rules             154 
  np.assets    Nosey Parker asset detection rules      15 
  np.hashes    Nosey Parker password hash rules         6

crates/noseyparker/data/default/builtin/rules/kagi.yml

@@ -0,0 +1,34 @@
+rules:
+
+- name: Kagi API Key
+  id: np.kagi.1
+
+  pattern: |
+    (?x)(?s)
+    \b
+    (?: kagi | KAGI )
+    .{0,100}
+    \b
+    ( [a-zA-Z0-9_-]{11}\.[a-zA-Z0-9_-]{43} )
+    (?: $ | [^a-zA-Z0-9_-] )
+
+  categories: [api, fuzzy, secret]
+
+  description: >
+    A Kagi API Key was found.
+    Kagi is an internet search company.
+    An attacker may be able to use this API key to consume limited paid resources or access account information and settings.
+
+
+  references:
+  - https://help.kagi.com/kagi/api/overview.html
+
+  examples:
+  - "KAGI_API_KEY='AQAAUPJ-iQc.yLFDzC5RRHzPNDThhulREdoG0Bn3PiZMwJ6yqC6uJLE'"
+  - 'https://kagi.com/search?token=uwHBLWXZpgY.STzubkAbVXqpfV39Q6TOfzp43KulJeYWK6-963uz1-o'
+
+  # These lack the necessary leading context
+  negative_examples:
+  - 'AQAAUPJ-iQc.yLFDzC5RRHzPNDThhulREdoG0Bn3PiZMwJ6yqC6uJLE'
+  - 'BwCASYSBiQc.RyTxij9nKwqG08jnmzAn45p0RLUEHCii_vojyPh-6ZA'
+  - 'CQCAbaKBiQc.hcyqFSgvar58Fg8AXOdxnXSyEVC6Ldt-axCKSxf8Gxk'

crates/noseyparker/data/default/builtin/rulesets/default.yml

@@ -97,6 +97,7 @@ rulesets:
   - np.jwt.1          # JSON Web Token (base64url-encoded)
   - np.jwt.2          # JSON Web Token Secret
   - np.jwt.3          # JSON Web Token Secret
+  - np.kagi.1         # Kagi API Key
   - np.kubernetes.1   # Kubernetes Bootstrap Token
   - np.kubernetes.2   # Kubernetes Bootstrap Token
   - np.linkedin.2     # LinkedIn Secret Key