mongodb/kingfisher v1.83.0

Kingfisher v1.83.0

on GitHub

[v1.83.0]

• Kingfisher can now generate an auditor-friendly HTML report: --format html --output kingfisher-audit.html
• Architecture: split matcher.rs into a src/matcher/ module directory with focused sub-modules (base64_decode, captures, conversion, dedup, filter, fingerprint). Decomposed filter_match into smaller validation helpers.
• Architecture: refactored scanner/runner.rs god function into phase-based helpers (enumerate_all_repos, fetch_all_artifacts, run_sequential_scan, run_parallel_scan, etc.) with a ValidationDeps type alias.
• Architecture: consolidated duplicated matching primitives (base64 detection, dedup, fingerprinting, secret capture selection) into kingfisher-scanner::primitives as the single source of truth; both the scanner crate and binary now share one implementation.
• Architecture: introduced TokenAccessMapper trait for access map providers, implemented for GitHub, GitLab, Slack, HuggingFace, Gitea, and Bitbucket.
• Architecture: moved content_type module to kingfisher-core crate where it logically belongs (zero binary-crate dependencies).
• Library crates: added an external-consumer integration test (tests/library_crates_external_project.rs) and fixed kingfisher-scanner manifest wiring by making serde a required dependency, ensuring kingfisher-core/kingfisher-rules/kingfisher-scanner compile and run from a non-kingfisher Rust project.
• Improved tree-sitter parsing + structured secret detection in source files. A Vectorscan pre-filter over the combined tree-sitter output avoids the O(results × rules) regex cost.
• Access Map: added Hugging Face, Gitea, Bitbucket, PostgreSQL, and MongoDB providers. All perform read-only enumeration with severity classification.
• Access Map: Hugging Face, Bitbucket, Postgres, and MongoDB credentials from scans are now auto-collected when using --access-map.
• Access Map CLI: added providers huggingface/hf, gitea, bitbucket, postgres, mongodb/mongo.
• Added kingfisher.gitea.1 rule for Gitea access tokens with validation; self-revocation not supported (API requires Basic Auth).
• Added revocation for GitHub App Server-to-Server tokens (ghs_, kingfisher.github.5) via DELETE /installation/token. Note: ghu_ (user-to-server) tokens cannot be self-revoked; they require the GitHub App's client credentials or manual revocation via GitHub Settings.
• Fixed GitHub Access Map failing for all token types due to GitHubUser struct field mismatch (_id vs API "id").
• Viewer: replaced the Access Map tree view with a card-based layout showing identity, resource count, permission tags, and token details at a glance with expandable inline detail.
• Viewer: added per-finding Blast Radius section linking findings to their access map entries with an auto-generated risk rationale (critical/high/medium/low) based on credential status, resource count, and permission severity.
• Viewer: added two new report types — Risk Report (findings + blast radius per credential, for researchers/bug bounty) and Scan Report (executive summary + scan metadata + findings table, for defenders/tickets). Both support "Active credentials only" filtering.
• Viewer: redesigned the Access Map export report to match the Scan/Risk report quality with summary stats, per-identity cards, token details, and resource/permission grids.
• Viewer: added scan metadata bar (timestamp, target, duration, version) to the Dashboard view.