CHANGELOG.md

Changelog

All notable changes to this project will be documented in this file.

[v1.90.0]

• Added --max-validation-response-length <BYTES> for scan to control validation response storage truncation (default: 2048, 0 disables truncation).
• Updated --full-validation-response to bypass both validation storage truncation and reporter truncation, preserving complete response bodies end-to-end for parsing/reporting workflows.
• Added Testkube detection/validation coverage with kingfisher.testkube.* rules for API keys plus dependent organization/environment IDs used for live API validation.
• Improved TrueNAS rule

[v1.89.0]

• Added TOON output for scan, validate, and revoke, optimized for LLM/agent workflows; prefer --format toon when calling Kingfisher from an LLM.
• Expanded built-in revocation support with new YAML revocation flows for Cloudflare, Confluent, Doppler, Mapbox, Particle.io, Twitch, and additional Vercel token formats.
• Added revocation coverage documentation: new docs/REVOCATION_PROVIDERS.md matrix and README links highlighting supported revocation providers/rule IDs.
• Access Map: added Microsoft Teams provider. Parses Incoming Webhook URLs (legacy and workflow-based) to extract tenant and webhook identity, probes for active status, and reports channel-level blast radius. Supports standalone access-map microsoftteams (alias msteams) and automatic mapping for validated kingfisher.msteams.* and kingfisher.microsoftteamswebhook.* findings.
• Added Microsoft Teams scan target: kingfisher scan teams "QUERY" searches Teams messages via Microsoft Graph Search API and scans them for secrets, mirroring the Slack integration.
• Requires KF_TEAMS_TOKEN environment variable (Microsoft Graph access token with ChannelMessage.Read.All or Chat.Read permissions).
• Findings reference Teams message URLs in reports; see docs/USAGE.md and docs/INTEGRATIONS.md for authentication setup.

[v1.88.0]

• Tree-sitter fallback behavior changed to be strictly additive: when parser context is unavailable, findings now fall back to Hyperscan/Vectorscan matches instead of being suppressed.
• Fixed dependent-rule reporting gaps (for example Algolia API keys) by preserving regex findings when tree-sitter is unavailable, while still marking validation as skipped when dependency inputs are missing.
• Expanded parser queries for C, Go, Java, JavaScript, and TypeScript to improve assignment/literal capture coverage (including template/raw string handling in JS/TS/Go).
• Added parser query quality gates: compile-time query validation tests plus fixture-based capture-count regression tests backed by testdata/parsers/tree_sitter_capture_baseline.json.
• Added inline-ignore coverage for directives placed on the line immediately before a single-line secret match.
• Updated tree-sitter documentation wording to align with --turbo terminology.

[v1.87.0]

• Tree-sitter verification now runs for blobs from 0 bytes up to 128 KiB (previously 1 KiB to 64 KiB), while remaining a post-regex verification step applied only to context-dependent candidate matches from Hyperscan/Vectorscan.
• False-positive reduction: Hyperscan/Vectorscan still scans everything first, then tree-sitter performs a second-pass verification only on auto-classified context-dependent findings; self-identifying/token-explicit findings stay regex-first.
• Hardened Perplexity API key validation to reject auth failures (401/403) and avoid false "Active Credential" results from error payloads.
• Fixed Yelp API key validation false positives by switching to an auth-enforcing endpoint (/v3/businesses/search) and adding explicit auth error guards.
• Added 37 new provider detection + HTTP validation rules: Ably, AbstractAPI, AbuseIPDB, AviationStack, Better Stack, Brevo, Clearout, Clerk, Cloudinary, Coinlayer, Contentstack, Currencylayer, Daily, Fixer, Geoapify, Hunter.io, Mux, NewsAPI, Numverify, OneSignal, Pinecone, Pingdom, Positionstack, Railway, Render, Rollbar, Salesloft, Sanity, StatusCake, Storyblok, UptimeRobot, urlscan.io, VirusTotal, WeatherAPI, Webflow, and ZeroBounce.
• Tightened regex specificity for newly added rules by replacing broad variable-length token captures with explicit fixed formats/lengths and aligned examples to pass rules check.

[v1.86.0]

• GitLab scanning: honor OS-trusted internal CAs without requiring SSL_CERT_FILE, and preserve custom GitLab API ports in repository enumeration and artifact fetching.
• Added detection/validation rules for App Center, Branch.io, BrowserStack, Calendly, Cypress, Delighted, DeviantArt, Instagram, Iterable, Keen.io, Lokalise, Pendo, Razorpay, Spotify, WakaTime, WPEngine.
• Added revocation support for DeviantArt access tokens via the OAuth revoke endpoint and BrowserStack access keys via the key recycle endpoint.
• Windows builds: replaced buildwin.bat flow with Makefile-driven MinGW targets for windows-x64 and windows-arm64, producing static kingfisher.exe artifacts packaged as kingfisher-windows-*.zip with checksums.
• GitHub Actions (ci.yml, release.yml): Windows jobs now build and test both x64 and arm64 via a matrix using make windows-x64 / make windows-arm64.

[v1.85.0]

• Report viewer: added --view-report-port and --view-report-address to kingfisher scan --view-report, and --address to kingfisher view, so the embedded report server can bind to 0.0.0.0 and be reached from the host when running in Docker. Use --view-report-address 0.0.0.0 with -p 7890:7890 (or --view-report-port 7891 with -p 7891:7891) to view the HTML report at http://localhost:7890 from your host.
• Updated kingfisher scan to accept Git repository URLs as positional targets (for example kingfisher scan github.com/org/repo or kingfisher scan https://gitlab.com/group/project.git) without requiring --git-url.
• Deprecated --git-url while preserving backward compatibility; using the flag now emits a migration warning to prefer positional URL targets.
• Updated README/integration/usage/install/demo examples and CLI tests to use positional Git URL scanning syntax.
• Jira scanning: added kingfisher scan jira --include-comments and --include-changelog to scan per-issue comments and changelog entries, with paginated Jira comment fetching and ADF text normalization preserved for issue/comment content.
• Added --turbo mode: sets --commit-metadata=false, --no-base64, disables language detection, and disables tree-sitter parsing...for maximum scan speed. Findings will omit Git commit context (author, date, commit hash) and will not include Base64-decoded secrets.
• SQLite database scanning: kingfisher now detects and extracts SQLite files (.db, .sqlite, .sqlite3, etc.), dumping each table as SQL text with named columns so secrets stored in database rows are scannable. Extraction is enabled by default and can be disabled with --no-extract-archives.
• Python bytecode (.pyc) scanning: extracts string constants from compiled Python (.pyc, .pyo) files via marshal parsing so secrets embedded in bytecode are scannable. Extraction is enabled by default and can be disabled with --no-extract-archives.
• Performance: pipelined ODB enumeration — scanning now begins while blob OIDs are still being discovered, overlapping I/O with pattern matching.
• Performance: skip blobs smaller than 20 bytes during enumeration (too small to contain any secret).
• Performance: preserve pack-ascending blob order in the metadata path for better I/O locality when Rayon splits work.
• Performance: defer Git committer metadata materialization until commits actually introduce scannable blobs, reducing unnecessary string/time parsing work.
• Performance: push --exclude filtering into Git tree traversal so excluded paths/subtrees are pruned before blob-introduction bookkeeping.
• Performance: make Git repository object indexing single-pass (removed the extra ODB scan in RepositoryIndex::new).

[v1.84.0]

• Added/updated pipedrive and amplitude rules
• Access Map: added Buildkite provider. Enumerates token scopes, user identity, organizations, and pipelines with severity classification based on scope risk.
• Access Map: added Harness provider. Uses x-api-key authentication to enumerate organizations/projects when permitted (best-effort).
• Access Map: added OpenAI provider. Supports standalone access-map openai and automatic mapping for validated kingfisher.openai.* findings. Enumerates organizations (from /v1/me), projects, and API key permission scopes by probing endpoints for restricted key detection.
• Access Map: added Anthropic provider. Supports standalone access-map anthropic and automatic mapping for validated kingfisher.anthropic.* findings.
• Access Map: added Salesforce provider. Supports standalone access-map salesforce (token + instance) and automatic mapping for validated kingfisher.salesforce.* findings.
• Added Weights & Biases support: new kingfisher.wandb.2 rule for wandb_v1_... keys (legacy kingfisher.wandb.1 retained), plus Access Map provider/CLI support (weightsandbiases, alias wandb).
• Reports: always emit validate/revoke command hints when supported by a rule (no suppression for missing template vars).
• Access Map GCP: added resource enumeration for Cloud KMS key rings, Cloud Functions, Firestore databases, Cloud Spanner instances, and project service accounts.
• Access Map GCP: populated token_details with service account metadata (display name, unique ID, disabled status).
• Access Map GCP: fixed BigQuery and Secret Manager risk assessment to detect write permissions and secretmanager.versions.access.
• Access Map GCP: added risk notes for KMS decrypt, Cloud Functions deploy, instance metadata injection, and secret value read access.
• Access Map GCP: expanded testIamPermissions fallback with 11 additional permission candidates.

[v1.83.0]

• Kingfisher can now generate an auditor-friendly HTML report: --format html --output kingfisher-audit.html
• Architecture: split matcher.rs into a src/matcher/ module directory with focused sub-modules (base64_decode, captures, conversion, dedup, filter, fingerprint). Decomposed filter_match into smaller validation helpers.
• Architecture: refactored scanner/runner.rs god function into phase-based helpers (enumerate_all_repos, fetch_all_artifacts, run_sequential_scan, run_parallel_scan, etc.) with a ValidationDeps type alias.
• Architecture: consolidated duplicated matching primitives (base64 detection, dedup, fingerprinting, secret capture selection) into kingfisher-scanner::primitives as the single source of truth; both the scanner crate and binary now share one implementation.
• Architecture: introduced TokenAccessMapper trait for access map providers, implemented for GitHub, GitLab, Slack, HuggingFace, Gitea, and Bitbucket.
• Architecture: moved content_type module to kingfisher-core crate where it logically belongs (zero binary-crate dependencies).
• Library crates: added an external-consumer integration test (tests/library_crates_external_project.rs) and fixed kingfisher-scanner manifest wiring by making serde a required dependency, ensuring kingfisher-core/kingfisher-rules/kingfisher-scanner compile and run from a non-kingfisher Rust project.
• Improved tree-sitter parsing + structured secret detection in source files. A Vectorscan pre-filter over the combined tree-sitter output avoids the O(results × rules) regex cost.
• Access Map: added Hugging Face, Gitea, Bitbucket, PostgreSQL, and MongoDB providers. All perform read-only enumeration with severity classification.
• Access Map: Hugging Face, Bitbucket, Postgres, and MongoDB credentials from scans are now auto-collected when using --access-map.
• Access Map CLI: added providers huggingface/hf, gitea, bitbucket, postgres, mongodb/mongo.
• Added kingfisher.gitea.1 rule for Gitea access tokens with validation; self-revocation not supported (API requires Basic Auth).
• Added revocation for GitHub App Server-to-Server tokens (ghs_, kingfisher.github.5) via DELETE /installation/token. Note: ghu_ (user-to-server) tokens cannot be self-revoked; they require the GitHub App's client credentials or manual revocation via GitHub Settings.
• Fixed GitHub Access Map failing for all token types due to GitHubUser struct field mismatch (_id vs API "id").
• Viewer: replaced the Access Map tree view with a card-based layout showing identity, resource count, permission tags, and token details at a glance with expandable inline detail.
• Viewer: added per-finding Blast Radius section linking findings to their access map entries with an auto-generated risk rationale (critical/high/medium/low) based on credential status, resource count, and permission severity.
• Viewer: added two new report types — Risk Report (findings + blast radius per credential, for researchers/bug bounty) and Scan Report (executive summary + scan metadata + findings table, for defenders/tickets). Both support "Active credentials only" filtering.
• Viewer: redesigned the Access Map export report to match the Scan/Risk report quality with summary stats, per-identity cards, token details, and resource/permission grids.
• Viewer: added scan metadata bar (timestamp, target, duration, version) to the Dashboard view.

[v1.82.0]

• Added Vercel credential rules for new token formats introduced February 2026: vcp_ (personal access), vci_ (integration), vca_ (app access), vcr_ (app refresh), vck_ (AI Gateway API key). All use CRC32/Base62 checksum validation. Legacy 24-char format retained as kingfisher.vercel.1.
• Added revocation support for Vercel app tokens (vca_, vcr_) via https://api.vercel.com/login/oauth/token/revoke. Requires VERCEL_APP_CLIENT_ID (or NEXT_PUBLIC_VERCEL_APP_CLIENT_ID) and VERCEL_APP_CLIENT_SECRET.
• Fixed validate/revoke command generation to omit regex named captures (e.g., BODY, CHECKSUM) when they are not used by validation/revocation templates, so rules like Vercel no longer produce unnecessary --var BODY=... arguments.
• Fixed HTTP validation incorrectly marking valid credentials as inactive when response bodies exceeded 2048 bytes. Matchers (JsonValid, WordMatch, etc.) now run against the full response; only the stored preview remains truncated for reporting.
• Fixed validation flakiness under service rate limiting by retrying HTTP validations on 429/408 in addition to transient 5xx failures.
• Added optional validation rate limiting via --validation-rps (global) and repeatable --validation-rps-rule <RULE_SELECTOR=RPS> (per-rule override) for both scan and validate. Throttling now applies across built-in validator types (HTTP/gRPC plus AWS, GCP, Coinbase, MongoDB, Postgres, MySQL, JDBC, JWT, and Azure Storage). Rule selectors support the short form (for example, github=2 matches kingfisher.github.*) with longest-prefix precedence when multiple selectors apply.
• Prevented transient HTTP validation failures (429/5xx) from being cached, avoiding cache poisoning that could suppress later successful validations in the same scan.
• Added kingfisher.temporal.1 rule for Temporal Cloud API keys (namespace-scoped and user-scoped JWT formats) with Temporal-specific pattern matching.
• Added Temporal Cloud active credential validation via GET https://saas-api.tmprl.cloud/cloud/current-identity using bearer auth, so Temporal keys validate against provider APIs instead of generic OIDC discovery.
• Fixed JWT issuer normalization to treat bare host issuers (e.g. iss: "temporal.io") as HTTPS URLs during discovery, avoiding low-level URL builder failures.
• Added crates/kingfisher-rules/build.rs to ensure embedded rule assets rebuild when files under crates/kingfisher-rules/data change.

[v1.81.0]

• Fixed checksum-template evaluation for prefixed tokens by using explicit checksum/body captures in NPM, GitHub, Confluent, and GitLab rules.
• Updated references sections to rules with API documentation links.
• Updated Google OAuth credentials rule requirements so bundled client-id/client-secret examples pass rules check consistently.
• Added gRPC validation support for gRPC-only APIs via validation: type: Grpc (e.g., Modal administrative keys).

[v1.80.0]

• Added --full-validation-response flag to include complete validation response bodies without truncation. By default, validation responses are still truncated to 512 characters for readability. When enabled, users can parse and present full validation responses as needed (e.g., for GitHub token validation responses that include user metadata beyond the first 512 characters).
• Improved AWS rule.
• Enhanced HTTP multi-step revocation extraction by allowing Liquid rendering in extractors; updated NPM rules accordingly.

[v1.79.0]

• Added revocation support for SendGrid, Tailscale, MongoDB Atlas, Twilio, and NPM using multi-step (lookup ID then delete) pattern.
• Added new Sumo Logic rule with direct revocation support.
• Added docs/TOKEN_REVOCATION_SUPPORT.md with detailed revocation implementation guide and testing examples.
• Fixed AWS access key validation to support temporary/session keys (ASIA prefix) in addition to long-lived keys (AKIA prefix).
• Consolidated all validator implementations into the kingfisher-scanner crate to eliminate code duplication. Validators for AWS, Azure, Coinbase, GCP, JWT, JDBC, MongoDB, MySQL, Postgres, and HTTP are now maintained in a single location with proper feature gating.

[v1.78.0]

• Added "Skipped Validations" counter to scan summary output to distinguish between validations that failed (HTTP errors, connection failures) and validations that were skipped due to missing preconditions (e.g., missing dependent rules). This provides better visibility into validation coverage for large scans.
• Improved error messages for kingfisher validate command when rules require dependent variables from depends_on sections. Now clearly explains which variables are needed and from which dependent rules they are normally captured.
• Fixed validate_command and revoke_command generation in scan output to include all required --var arguments for rules with depends_on sections (e.g., PubNub, Azure Storage). Commands now include dependent variables like --var SUBSCRIPTIONTOKEN=<value> or --var AZURENAME=<value>.
• Updated Azure Storage validation to use AZURENAME variable (matching the depends_on_rule configuration) with STORAGE_ACCOUNT maintained as a backward-compatible alias.
• Added internal dependent_captures field to match records to preserve variables from dependent rules through the validation pipeline for accurate command generation.
• Added --tls-mode <strict|lax|off> global flag to control TLS certificate validation behavior during credential validation:
  • strict (default): Full WebPKI certificate validation with trusted CA chains, hostname verification, and expiration checks
  • lax: Accept self-signed or unknown CA certificates, useful for database connections (PostgreSQL, MySQL, MongoDB) and services using private CAs (e.g., Amazon RDS)
  • off: Disable all TLS validation (equivalent to legacy --ignore-certs)
• Added rule-level tls_mode field allowing individual rules to opt into relaxed TLS validation when appropriate. Rules for PostgreSQL, MySQL, MongoDB, JDBC, and JWT now include tls_mode: lax by default.
• The --ignore-certs flag remains supported as a deprecated alias for --tls-mode=off for backward compatibility.
• Updated documentation to explain TLS validation modes and their security implications.
• Added comprehensive test coverage for TLS mode functionality including unit tests, integration tests, and rule configuration verification.
• Fixed deprecated commit stage name in .pre-commit-hooks.yaml to use pre-commit stage name, eliminating pre-commit framework warnings.

[v1.77.0]

• Added kingfisher revoke subcommand for revoking leaked credentials directly with the provider.
• Added optional revocation section to rules to support credential revocation (currently supporting AWS, GCP, GitHub, GitLab, Slack, and Buildkite).
• Added kingfisher validate subcommand to validate credentials without running a full scan.
• Added validate_command and revoke_command fields to scan output (pretty, JSON, JSONL, BSON, SARIF formats) showing the exact kingfisher validate or kingfisher revoke command to run for each finding. The validate_command is included for all findings with validation support; revoke_command is included only for active credentials with revocation support. These fields are omitted when --redact is used since they contain the secret value.
• Updated the HTML report viewer to display validate and revoke commands in the Finding Details panel with copy-to-clipboard functionality.
• Refactored project into multiple crates for better modularity and maintainability.
• Ensured more CLI arguments are global and available across all subcommands.
• Added kingfisher-auto pre-commit hook that automatically downloads and caches the appropriate binary for your platform (no Docker or manual installation required).
• Added Husky integration support with install-husky.sh helper script and documentation fclearor Node.js projects.
• Added kingfisher-pre-commit-auto.sh and kingfisher-pre-commit-auto.ps1 scripts for automatic binary download in Git hooks (Linux, macOS, Windows support).

[v1.76.0]

• Fixed validation deduplication for rules with nested unnamed captures (e.g. (?<REGEX>...(ABC|DEF)...)) to use the primary capture for grouping, ensuring each unique match triggers a separate validation request.
• Added trace-level (-vv) logging for internal validation dedup keys and grouping to aid debugging.
• Switched compression dependencies to pure-Rust bzip2/lzma implementations and pared zip features to avoid C-based codecs for bz2/xz handling.

[v1.75.0]

• Enhanced Access Map View: added fingerprint display, enabled searching by fingerprint, and implemented bidirectional navigation between Findings and Access Map nodes.
• Added Slack Access Map support with granular permissions in the tree view.
• Improved HTML report
• Improved several rules
• Added new rules for Apollo, Clay, CodeRabbit, Customer.io, Instantly, Vast.ai
• Skipped per-repository report writes when an output file is specified and emit a single aggregated report after multi-repository scans to preserve full output content in files.

[v1.74.0]

• Added new rules: cursor, definednetworking, filezilla, harness, intra42, klingai, lark, mergify, naver, plaid, resend, retellai

[v1.73.0]

• Will now prefer git history findings when identical secrets appear in both current files and git history (dedup only).
• Fixed report viewer to add support for opening JSONL.
• Add opt-in contributor repository enumeration for GitHub/GitLab --git-url scans with --include-contributors, plus --repo-clone-limit to cap repo cloning.
• Add --git-clone-dir to set the parent clone directory and --keep-clones to preserve cloned repos after scans.
• Added several new rules.
• Added configurable validation timeout and retry settings for kingfisher scan.

[v1.72.0]

• Fixed deduplication for dependency-provider rules so dependent validations run per blob
• Updated Artifactory rule entropy and added new artifactory rule
• Aliased "kingfisher self-update" as "kingfisher update"
• Map SARIF result levels from rule confidence
• Added tag selection support to the bash and PowerShell install scripts.

[v1.71.0]

• Improved Report Viewer layout
• Improved Salesforce rule

[v1.70.0]

• Added --staged argument to support new pre-commit behavior and added integration coverage to ensure validated secrets block commits when used as pre-commit hook
• Added new rules for AWS Bedrock, Voyage.ai, Posthog, Atlassian
• Added an embedded web-based report and access-map viewer via kingfisher view subcommand that can load JSON or JSONL reports passed on the CLI (or upload them in the browser)
• Updated Jira create to gouqi, which supports Jira api v2 and v3

[v1.69.0]

• Reduced per-match memory usage by compacting stored source locations and interning repeated capture names.
• Stored optional validation response bodies as boxed strings to avoid allocating empty payloads and to streamline validator caches.
• Parallelized git cloning based on the configured job count and begin scanning repositories as soon as each clone finishes to reduce end-to-end scan times.
• Combined per-repository results into a single aggregate summary after scans complete.
• Added initial access-map support and report viewer html file. Currently beta features.

[v1.68.0]

• Fixed Bitbucket authenticated cloning bug

[v1.67.0]

• Added checksum to GitLab rule
• Fixed deduplication to consider rule identifiers so overlapping patterns are not merged before validation
• After scan summaries, emit the styled outdated-version notice to stderr when a newer release is available
• Reduced false positives across a number of rules
• Updated Summary to include scan date, kingfisher version ran, and latest kingfisher version available

[v1.66.0]

• Updating to support Bitbucket App Passwords
• Improved boundaries for several rules
• Added more rules

[v1.65.0]

• Skip reporting MongoDB and Postgres findings when their connection strings cannot be parsed, even when validation is disabled.
• Improve MySQL detection by broadening URI coverage and adding live validation that skips clearly invalid connection strings.
• Added a helper to truncate validation response bodies only at UTF-8 character boundaries to prevent panics during validation.

[v1.64.0]

• Fixed a bug when using --redact, that broke validation
• Added JDBC rule with validator
• Filter out empty 'KF_BITBUCKET_*' environment values when constructing the Bitbucket authentication configuration so blank variables no longer override valid credentials

[v1.63.1]

• Updated allocator

[v1.63.0]

• Fixed bug when retrieving some finding values and injecting them as TOKENS in the rule templates
• Improved Datadog rule
• Improved AWS rule

[v1.62.0]

• Added pattern_requirements checks to rules, providing lightweight post-regex character-class validation without lookarounds. See docs/RULES.md for detail
• Added an ignore_if_contains option to pattern_requirements to drop matches containing case-insensitive placeholder words, with tests covering the new behavior.
• Updated rules to adopt the new pattern_requirements support.
• Added checksum comparisons to pattern_requirements, new suffix, crc32, and base62 Liquid filters, and verbose logging so mismatched checksums are skipped with context rather than reported as findings.
• Split GitHub token detections into fine-grained/fixed-format variants and enforce checksum validation for modern GitHub token families (PAT, OAuth, App, refresh) while preserving legacy coverage.
• Added a rule for Zuplo tokens.
• Added checksum calculation for Confluent, GitHub, and Zuplo tokens, which can drastically reduce false positive reports.
• Improved OpsGenie validation.
• Automatically enable --no-dedup when --manage-baseline is supplied so baseline management keeps every finding.
• This release is focused on further improving detection accuracy, before even attempting to validate findings.
• Updated GitHub Actions CI for Windows and buildwin.bat script

[v1.61.0]

• Fixed local filesystem scans to keep open_path_as_is enabled when opening Git repositories and only disable it for diff-based scans.
• Created Linux and Windows specific installer script
• Updated diff-focused scanning so --branch-root-commit can be provided alongside --branch, letting you diff from a chosen commit while targeting a specific branch tip (still defaulting back to the --branch ref when the commit is omitted).
• Updated rules

[v1.60.0]

• Removed the --bitbucket-username, --bitbucket-token, and --bitbucket-oauth-token flags in favour of KF_BITBUCKET_* environment variables when authenticating to Bitbucket.
• Added provider-specific kingfisher scan subcommands (for example kingfisher scan github …) that translate into the legacy flags under the hood. The new layout keeps backwards compatibility while removing the wall of provider options from kingfisher scan --help.
• Updated the README so every provider example (GitHub, GitLab, Bitbucket, Azure Repos, Gitea, Hugging Face, Slack, Jira, Confluence, S3, GCS, Docker) uses the new subcommand style.
• Legacy provider flags (for example --github-user, --gitlab-group, --bitbucket-workspace, --s3-bucket) still work but now emit a deprecation warning to encourage migration to the new kingfisher scan <provider> flow.
• Kept the direct kingfisher scan /path/to/dir flow for local filesystem / local git repo scans while adding a --list-only switch to each provider subcommand so repository enumeration no longer requires the standalone github repos, gitlab repos, etc. commands.
• Removed the legacy top-level provider commands (kingfisher github, kingfisher gitlab, kingfisher gitea, kingfisher bitbucket, kingfisher azure, kingfisher huggingface) now that enumeration lives under kingfisher scan <provider> --list-only.

[v1.59.0]

• Fixed kingfisher scan github … (and other provider-specific subcommands) so they no longer demand placeholder path arguments before the CLI accepts the request.

• Fixed kingfisher scan so that providing --branch without --since-commit now diffs the branch against the empty tree and scans every commit reachable from that branch.

• Added rules for meraki, duffel, finnhub, frameio, freshbooks, gitter, infracost, launchdarkly, lob, maxmind, messagebird, nytimes, prefect, scalingo, sendinblue, sentry, shippo, twitch, typeform

• [v1.58.0]

• Added first-class Hugging Face scanning support, including CLI enumeration, token authentication, and integration with remote scans.

• Condensed GitError formatting to report the exit status and the first informative lines from stdout/stderr, producing concise git clone failure logs.

• Added support for scanning Google Cloud Storage buckets via --gcs-bucket, including optional prefixes and service-account authentication.

• Added --skip-aws-account (now accepting comma-separated values) and --skip-aws-account-file to bypass live AWS validation for known canary/honey-token account IDs without triggering alerts. Kingfisher now ships with several canary AWS account IDs pre-seeded in the skip list and now reports matching findings as "Not Attempted" with the "Response" containing "(skip list entry)" so it's clear that validation was intentionally skipped and why.

[v1.57.0]

• Added inline ignore directive detection to treat suppression tokens anywhere on surrounding lines, including multi-line handling
• Added a --no-ignore CLI flag to disable inline directives when you need every potential secret reported
• Added: repeatable --ignore-comment <TOKEN> flag to reuse inline directives from other scanners (for example NOSONAR, kics-scan ignore, gitleaks:allow, etc)
• Respect user color settings in update messages by using the same color helper as the main reporter, ensuring consistent output and no ANSI codes on update check, when color is disabled

[v1.56.0]

• Fixed tree-sitter scanning bug where passing --no-base64 caused errors to be printed when the file type couldn’t be determined

[v1.55.0]

• Added first-class Azure Repos support, including CLI commands, enumeration, and documentation updates
• Improved performance of tree-sitter parsing
• Updated Windows build script to ensure static binary is produced

[v1.54.0]

• Added first-class Gitea support, including CLI commands, environment-based authentication, documentation, and integration with scans and repository enumeration.
• Populate the finding path from git blob metadata so history-derived secrets display their file location instead of an empty path
• Replaced Match::finding_id’s SHA1-based hashing with a fast xxh3_64 digest that keeps IDs deterministic while eliminating a hot-path SHA1 dependency

[v1.53.0]

• Added first-class Bitbucket support, including CLI commands, authentication helpers, documentation, and integration testing.

[v1.52.0]

• Enabled ANSI formatting in the tracing formatter whenever stderr is attached to a terminal so colorized updater messages render correctly instead of showing escape sequences.
• Added a new CLI flag, --user-agent-suffix to allow developers to append additional information to the user-agent
• Removed the unused --rlimit-nofile flag

[1.51.0]

• Added diff-only Git scanning via --since-commit and --branch, including remote-aware ref resolution so CI jobs can pair --git-url clones with pull request branches

[1.50.0]

• Added --github-exclude and --gitlab-exclude options to skip specific repositories when scanning or listing GitHub and GitLab sources, including support for gitignore-style glob patterns

[1.49.0]

• Enabled MongoDB URI validation
• AWS + GCP validators now respect HTTPS_PROXY and share a consistent user agent across AWS, GCP, and HTTP validation
• Increase max-file-size default to 256 mb (up from 64 mb)
• Improved AWS rule

[1.48.0]

• Improved error message when self-update cannot find the current binary
• Optimized memory usage via string interning and extensive data sharing
• Replaced quadratic match filtering with a per-rule span map, fixing missed secrets in extremely large files and improving scan performance
• Support scanning extremely large files by chunking input into 1 GiB segments with small overlaps, avoiding vectorscan buffer limits while preserving match offsets
• Always use chunked vectorscan, eliminating the slow regex fallback for blobs over 4 GiB
• Skip Base64 scanning for blobs over 64 MB to avoid a second pass over massive files
• Increased max-file-size default to 64 MB (up from 25 MB)

[1.47.0]

• MongoDB validator now validates mongodb+srv:// URIs with a fast timeout instead of skipping them
• Improved rules: github oauth2, diffbot, mailchimp, aws
• Added validation to SauceLabs rule
• Added rules: shodan, bitly, flickr
• Decode Base64 blobs and scan their contents for secrets while skipping short strings for performance. This has a small performance impact and can be disabled with --no-base64

[1.46.0]

• Improved rules: AWS, pem
• Added rule for Ollama, Weights and Biases, Cerebras, Friendli, Fireworks.ai, NVIDIA NIM, together.ai, zhipu
• Added self-update command to update the binary independently. Now supports updating over homebrew managed binary
• MongoDB validator now checks mongodb+srv:// URIs with fast-fail timeouts

[1.45.0]

• Added --repo-artifacts flag to scan repository issues, gists/snippets, and wikis when cloning via --git-url
• Added rules for sendbird, mattermost, langchain, notion
• JWT validation hardened to reject alg:none by default (only allowed if explicitly configured), require iss for OIDC/JWKS verification, ensuring "Active Credential" means cryptographically verified and time-valid, not just unexpired
• Updated the Git cloning logic to include all refs and minimize clone output, allowing Kingfisher to analyze pull request and deleted branch history

[1.44.0]

• Fixed issue with self-update on Linux
• Reverted the change to json and jsonl outputs by rule
• Added --skip-regex and --skip-word flags to ignore secrets matching custom patterns or skipwords

[1.43.0]

• Added rules for clearbit, kickbox, azure container registry, improved Azure Storage key
• Grouped JSON and JSONL outputs by rule, restoring matches arrays in reports

[1.42.0]

• Fixed pagination issue when calling gitlab api
• Expanded directory exclusion handling to interpret plain patterns as prefixes, ensuring options like --exclude .git also skip all nested paths
• Updated baseline management to track encountered findings and remove entries that are no longer present, saving the baseline file whenever entries are pruned or new matches are added
• Added rules for authress, clickhouse, codecov, contentful, curl, dropbox, fly.io, hubspot, firecrawl
• Internal refactoring of rule loader, git enumerator, and filetype guesser
• Improved language detection

[1.41.0]

• Added support for scanning gitlab subgroups, with kingfisher scan --gitlab-group my-group --gitlab-include-subgroups
• Added rule for Vercel

[1.40.0]

• Dropped the “prevalidated” flag from rule definitions and validation logic so every finding now flows through the standard active/inactive/unknown pipeline, simplifying rule configuration and preventing special‑case bypasses
• Improved Tailscale api key detectors

[1.39.0]

• Added support for scanning Confluence pages via --confluence-url and --cql

[1.38.0]

• --quiet now suppresses scan summaries and rule statistics unless --rule-stats is explicitly provided
• Added X Consumer key detection and validation

[1.37.0]

• GitLab: Matched GitLab group repository listings to glab by only enumerating projects that belong directly to each group, without automatically traversing subgroups

[1.36.0]

• Fixed GitHub organization and GitLab group scans when using --git-history=none
• JWT tokens without both iss and aud are no longer reported as active credentials

[1.35.0]

• Remote scans with --git-history=none now clone repositories with a working tree and scan the current files instead of erroring with "No inputs to scan".
• Fixed issue where --redact did not function properly
• Fixed validation logic for clarifai rule

[1.34.0]

• Use system TLS root certificates to support self-hosted GitLab instances with internal CAs
• Added new rule: Coze personal access token
• Updated Supabase rule to detect project url's and validate their corresponding tokens

[1.33.0]

• Fixed header precedence so custom HTTP validation headers like Accept are preserved
• Added new Heroku rule

[1.32.0]

• Added support for scanning AWS S3 buckets via --s3-bucket and optional --s3-prefix
• Added --role-arn and --aws-local-profile flags for S3 authentication alongside KF_AWS_KEY/KF_AWS_SECRET
• Added progress bar for scanning s3 buckets
• Refactored output reporting and formatting logic

[1.31.0]

• New rules: Telegram bot token, OpenWeatherMap, Apify, Groq
• New OpenAI detectors added (@joshlarsen)
• Fixed bug that broke validation when using unnamed group captures

[1.30.0]

• Fixed validation caching for HTTP validators to include rendered headers so inactive secrets no longer appear active.
• Removed pre-commit installation hook, due to bugs

[1.29.0]

• Fixed issue when more than 1 named capture group is used in a rule variable
• Added a new liquid template filters: b64dec
• Added custom validator for Coinbase, and a Coinbase rule that uses it

[1.28.0]

• Added support for scanning Slack

[1.27.0]

• Added Buildkite rule
• Added support for scanning Docker images via --docker-image

[1.26.0]

• Added rule for ElevenLabs
• Added support for scanning Jira issues via a given JQL (Jira Query Language)

[1.25.0]

• Fixed GitLab authentication bug
• Added pre-commit and pre-receive installation hooks
• MongoDB validator now skips mongodb+srv:// URIs and returns a message that validation was skipped
• Fixed noisy Baseten rule

[1.24.0]

• Now generating DEB and RPM packages
• Now releasing Docker images, and updated README
• Added rule for Scale, Deepgram, AssemblyAI

[1.23.0]

• Updating GitHub Action to generate Docker image
• Added rules for Diffbot, ai21, baseten
• Fixed supabase rule
• Added 'alg' to JWT validation output

[1.22.0]

• Added rules for Google Gemini AI, Cohere, Stability.ai, Replicate, Runway, Clarifai
• Upgraded dependencies

[1.21.0]

• Improved Azure Storage rule
• Added rule to detect TravisCI encrypted values
• Added baseline feature with --baseline-file and --manage-baseline flags
• Introduced --exclude option for skipping paths
• Added tests covering baseline and exclude workflow
• Added validation for JWT tokens that checks exp and nbf claims
• JWT validation performs OpenID Connect discovery using the iss claim and verifies signatures via JWKS
• Removed --ignore-tests argument, because the --exclude flag provides more granular functionality
• DigitalOcean rule update
• Adafruit rule update

[1.20.0]

• Removed confirmation prompt when user provides --self-update flag
• Added support for HTTP request bodies in rule validation
• Added new liquid-rs filters: HmacSha1, IsoTimestampNoFracFilter, Replace
• Added rules for mistral, perplexity
• Added validation for Alibaba rule
• Set GIT_TERMINAL_PROMPT=0 when cloning git repos

[1.19.0]

• JSON output was missing committer name and email
• Fixed Gitlab rule which was incorrectly identifying certain tokens as valid

[1.18.1]

• Restored --version cli argument
• Added test for the argument

[1.18.0]

• Added rules for DeepSeek, xAI
• Removed branding
• Added NOTICE file

[1.17.1]

• Fixed broken sourcegraph rule
• Added test to prevent this and similar issues

[1.17.0]

• Updated README to give proper attribution to Nosey Parker!
• Added rules for sonarcloud, sonarqube, sourcegraph, shopify, truenas, square, sendgrid, nasa, teamcity, truenas, shopify
• Introduced --ignore-tests flag – skip files/dirs whose path resembles tests (test, spec, fixture, example, sample), reducing noise.

[1.16.0]

• Fix: HTML detection now requires both HTML content-type and "<html" tag, fixing webhook false negatives
• Removed cargo-nextest installation during test running
• Added rules for 1password, droneci

[1.15.0]

• Ensuring temp files are cleaned up
• Applying visual style to the update check output
• Fixed bug in --self-update where it was looking for the incorrect binary name on GitHub releases
• Rule cleanup

[1.14.0]

• Fixed several malformed rules
• Now validating that response_matcher is present in validation section of all rules

[1.13.0]

• Added new rules for Planetscale, Postman, Openweather, opsgenie, pagerduty, pastebin, paypal, netlify, netrc, newrelic, ngrok, npm, nuget, mandrill, mapbox, microsoft teams, stripe, linkedin, mailchimp, mailgun, linear, line, huggingface, ibm cloud, intercom, ipstack, heroku, gradle, grafana
• Added --rule-stats command-line flag that will display rule performance statistics during a scan. Useful when creating or debugging rules

[1.12.0]

• Added automatic update checks using GitHub releases.
• New --self-update flag installs updates when available
• New --no-update-check flag disables update checks
• Updated rules

[1.11.0] 2025-06-21

• Increased default value for number of scanning jobs to improve validation speed
• Fixed issue where some API responses (e.g. GitHub's /user endpoint) include required fields like "name" beyond the first 512 bytes. Truncating earlier causes WordMatch checks to fail even for active credentials. Increased the limit to keep a larger slice of the body while still bounding memory usage.

[1.10.0] 2025-06-20

• Updated de-dupe fingerprint to include the content of the match
• Updated Makefile
• Adding GitHub Actions

[1.9.0] 2025-06-16

• Initial public release of Kingfisher