[v1.100.0]
- Archive scanning now reaches inside Android/iOS app packages: added `apk`, `aab`, and `ipa` to the recognized ZIP-based archive formats, so secrets embedded in APK/AAB/IPA contents (e.g. `classes*.dex`, `res/values/strings.xml`) are extracted and matched.
- Git repository scans now extract archive blobs encountered in the object database, not just on the filesystem. Previously a `.zip`/`.jar`/`.apk`/`.tar.gz` committed to a repo was scanned as raw compressed bytes, so secrets inside it were invisible. The git enumerator fans each archive entry out as a synthetic `<archive>!<entry>` blob carrying the original commit metadata. Honors `--no-extract-archives` for opt-out.
- Fixed tar-wrapped archive extraction for `.tgz` and `.tar.*` files, and made dependent-credential validation deduplication preserve per-occurrence context, so repeated secrets validate with the correct nearby companion value.
- Performance: ZIP-based git blobs ≤ 64 MB are extracted entirely in memory (no temp-file round trip), beating the v1.99.0 baseline by ~15% on an 80 GiB monorepo despite scanning ~300K additional archive-content blobs. Larger archives automatically fall back to a disk-streaming extractor.
- Memory safety: hard caps on archive extraction: 64 MB compressed pre-flight, 256 MB aggregate decompressed per archive (in-memory and disk paths), 512 MB per entry, plus a `PK\x03\x04` magic-byte gate. Worst-case footprint is bounded at ~`num_jobs * 320 MB`.
- Release binary trimmed from 34 MB to 26 MB (~24% smaller). Switched `jsonwebtoken` to its `rust_crypto` backend (removing the scanner's transitive dependency on `aws-lc-rs`), bumped workspace `hmac` 0.12→0.13, `sha1` 0.10→0.11, and `sha2` 0.10→0.11 to deduplicate our internal crypto code with the AWS SigV4 side, and migrated affected call sites in `kingfisher-core`, `kingfisher-rules`, and `kingfisher-scanner` to the digest-0.11 API (`hex::encode` for hex digests, explicit `KeyInit` import for HMAC).
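The extraction caps and the `<archive>!<entry>` naming described in the notes above, shown as an added Python illustration. This is not Kingfisher's own (Rust) extractor: the cap values are the ones quoted in the release notes, while the function names, the `ArchiveLimitExceeded` exception and the in-memory "APK" fixture are constructed for this example. The point it makes beyond the notes is that declared sizes in a ZIP central directory are only a cheap early reject; the real enforcement has to count inflated bytes as they stream out, because headers can lie.

```python
import io
import zipfile

# Caps as stated in the release notes; everything around them is an added
# illustration, not Kingfisher's own extractor.
MAX_COMPRESSED_PREFLIGHT = 64 * 1024 * 1024     # reject the whole blob before inflating anything
MAX_AGGREGATE_DECOMPRESSED = 256 * 1024 * 1024  # total inflated bytes per archive
MAX_ENTRY_DECOMPRESSED = 512 * 1024 * 1024      # inflated bytes for a single entry
ZIP_LOCAL_HEADER_MAGIC = b"PK\x03\x04"


class ArchiveLimitExceeded(Exception):
    """Raised when an archive would exceed one of the extraction caps (hypothetical name)."""


def extract_zip_entries(archive_name, data, *,
                        max_compressed=MAX_COMPRESSED_PREFLIGHT,
                        max_aggregate=MAX_AGGREGATE_DECOMPRESSED,
                        max_entry=MAX_ENTRY_DECOMPRESSED):
    """Return [(synthetic_name, content), ...] for every file in a ZIP-based blob.

    synthetic_name follows the '<archive>!<entry>' convention from the notes.
    Non-ZIP input (magic-byte gate) yields an empty list; input that would
    exceed any cap raises ArchiveLimitExceeded before the cap is actually hit.
    """
    # Magic-byte gate: only bytes that start with a local file header are treated as ZIP.
    if not data.startswith(ZIP_LOCAL_HEADER_MAGIC):
        return []
    # Compressed pre-flight: cheap rejection before any inflation happens.
    if len(data) > max_compressed:
        raise ArchiveLimitExceeded(
            f"{archive_name}: {len(data)} compressed bytes exceeds cap {max_compressed}")

    results = []
    aggregate = 0  # inflated bytes produced so far across all entries
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Declared size from the central directory: cheap early reject only.
            if info.file_size > max_entry:
                raise ArchiveLimitExceeded(
                    f"{archive_name}!{info.filename}: declared {info.file_size} bytes exceeds per-entry cap")
            # Headers can lie, so count the bytes that actually come out of the inflater.
            chunks = []
            produced = 0
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(64 * 1024)
                    if not chunk:
                        break
                    produced += len(chunk)
                    if produced > max_entry:
                        raise ArchiveLimitExceeded(
                            f"{archive_name}!{info.filename}: inflated bytes exceed per-entry cap")
                    if aggregate + produced > max_aggregate:
                        raise ArchiveLimitExceeded(
                            f"{archive_name}: aggregate inflated bytes exceed archive cap")
                    chunks.append(chunk)
            aggregate += produced
            results.append((f"{archive_name}!{info.filename}", b"".join(chunks)))
    return results


def build_sample_zip(entries):
    """Build a small in-memory ZIP (constructed fixture, not a real APK)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed fixture mimicking the APK entries named in the notes; the
# "secret" is an obvious placeholder string.
SAMPLE_APK = build_sample_zip([
    ("classes.dex", b"dex\n035\x00" + b"A" * 500),
    ("res/values/strings.xml",
     b'<resources><string name="api_key">EXAMPLE_PLACEHOLDER_KEY</string></resources>'),
])

if __name__ == "__main__":
    for name, content in extract_zip_entries("app.apk", SAMPLE_APK):
        print(name, len(content), "bytes")
```

Each returned pair is what a downstream rule matcher would see: the synthetic path keeps the archive name so a finding can be reported against `app.apk!res/values/strings.xml`, and the content is the inflated entry, never the raw compressed bytes.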