[v1.96.0]
- Added archive extraction for three Korean formats: HWPX (Hancom OWPML ZIP container), HWP (Hancom 5.x OLE2/CFBF binary — streams decoded via raw DEFLATE / zlib fallbacks), and EGG (ALZip; registered for enumeration and scanned as raw bytes since no open-source extractor exists).
- Added live HTTP validation for 18 rules across 15 providers: Val Town, Polar, hCaptcha, Thunderstore, Elastic Cloud (2 rules), LlamaCloud, Gemfury (2 rules), Vonage, ThingsBoard, Zapier, Facebook Access Token, GitLab Session Cookie, PostHog Feature Flags, Unkey API Key, and Hop.io (2 rules).
- Added revocation support for 7 rules across 6 providers: Discord webhooks (single-step DELETE), DigitalOcean PATs (self-revoke via OAuth), and multi-step HttpMultiStep revocation for LaunchDarkly, Resend, Linode, and Netlify (2 rules). Built-in revocation coverage is now 34 provider families with 53 revocation-enabled rules.
- Expanded Alibaba Cloud coverage with STS temporary credential detection for STS access key IDs, STS security tokens, and STS access key secrets. Built-in rule coverage is now 923 rules total.
- Access Map: Alibaba Cloud long-lived and STS access key pairs (validated `kingfisher.alibabacloud.2` and `kingfisher.alibabacloud.5`): caller identity via STS GetCallerIdentity; standalone `kingfisher access-map alibaba` (alias `aliyun`).
- Access Map: monday.com API tokens (validated `kingfisher.monday.1`) and Asana personal access / OAuth tokens (validated `kingfisher.asana.3`, `kingfisher.asana.4`, `kingfisher.asana.5`). Monday maps the caller via the `me { account, teams }` GraphQL query and enumerates accessible workspaces and boards; Asana resolves the caller via `/users/me` and enumerates accessible workspaces, organizations, projects, and team memberships. Standalone `kingfisher access-map monday` and `kingfisher access-map asana`.
- Report viewer: Import Gitleaks and TruffleHog JSON into the bundled local viewer with deduplication for repeated imported findings, and publish a static upload-based viewer on the docs site for GitHub Pages hosting. See `docs/USAGE.md`.
- Fixed parser-based context gating so assignment-style contextual secrets still scan in raw text when parser verification is unavailable, instead of being dropped.
- Fixed dependent-variable pairing for HTTP validation so rules use the nearest helper match in-file, and updated Pinata detection/validation to reliably catch API key IDs, API secrets, and JWTs, including key+secret validation.
- Corrected several newly added SaaS rules and validators, including LiveKit (with dependent API secret validation), Tinybird, Inngest, Tolgee, Unkey, Composio, Hex.pm, Trigger.dev, Voiceflow, WorkOS, and Infisical.
- Added 61 new detection rules across 46 providers: Axiom (API token + PAT), Trigger.dev (secret key + PAT), Dub.co, Svix webhook signing secret, Liveblocks, Inngest (signing key + event key), Seam, Courier, Cal.com, Arcjet, WarpStream, Mem0, Mintlify, Pirsch, Tinybird, Tolgee (project key + PAT), Ory (API key + session + OAuth2 tokens), Xendit, Xata, Crossmint (server + client keys), DeepL (Free + Pro), Flagsmith, E2B, Infisical, WooCommerce (consumer key + secret), Nightfall AI, Ramp (client ID + secret), Hex.pm (personal + workspace tokens), Convex deploy key, MiniMax, Mappedin (key + secret), Pollinations (secret + publishable), Fal.ai, Aikido, Hack Club, GuardSquare, Browser Use, Composio, Gamma, Hex.tech, Mastra, redirect.pizza, Upstash, and WorkOS. Also added new prefixed-token rules for Netlify (`nfp_`), Cloudflare (`cfut_`), and Supabase (`sb_publishable_`). Added live HTTP validation for 30 of these rules.
- Added 32 new detection rules across 25 providers: Ghost CMS (admin + content keys), UpCloud (`ucat_`), Voiceflow (`VF.DM.`/`VF.WS.`), Robinhood Crypto (`rh-api-`), ClickUp (`pk_`), Unleash (client/admin + personal tokens), ConfigCat (standard + extended SDK keys), SaladCloud (`salad_cloud_`), Tigris (`tid_`/`tsec_`), Portainer (`ptr_`), Permit.io (`permit_key_`), Builder.io (`bpk-`), LiveKit (API key + secret), Close CRM (`api_`), Hetzner Cloud, Censys (API ID + secret), Wistia, PandaDoc, Pinata (key + secret), ZeroTier, Detectify, ChartMogul, Moralis, ButterCMS, and Loops. Includes HTTP validation for 19 of these rules.
- Removed 17 direct dependencies from the root crate by dropping unused deps (`p256`, `ed25519-dalek`, `jsonwebtoken`, `gitlab`, `lazy_static`, `base32`, `pem`, `byteorder`, `reqwest-middleware`, `sha1`, `time`, `ring`, `num_cpus`, `strum_macros`), replacing `once_cell` with `std::sync::{LazyLock, OnceLock}`, and using `std::thread::available_parallelism()` in place of `num_cpus`. Salt generation now uses `rand` instead of `ring`, and all `strum_macros::Display` imports are consolidated under `strum::Display`.
- Migrated the workspace to Rust Edition 2024 (MSRV 1.94) and refactored nested `if let` chains in core/scanner hot paths (content-type detection, origin parsing, GCP/Harness/Azure DevOps access maps, GitHub/GitLab repo parsing, dependent-variable pairing) to use stable let-chains for flatter control flow.
- Tightened lint hygiene by converting stable `#[allow(...)]` attributes to `#[expect(...)]` across the workspace (e.g. `dead_code`, `clippy::too_many_arguments`, `clippy::large_enum_variant`) so the compiler surfaces stale suppressions as warnings.
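The HWP entry in this release says section streams are decoded with raw DEFLATE / zlib fallbacks. The block below is an added example, not Kingfisher's code, showing how such a fallback decoder can be written in Python so that an untrusted document cannot be turned into a decompression bomb: each framing is tried in turn under an output cap, a bomb or truncated stream is rejected rather than retried, and only bytes that decode under neither framing are handed back for raw scanning. The try order (zlib-wrapped first, because its header check is strict, then raw DEFLATE), the size limit, and the `compress_sample` helper that constructs the test input are this example's assumptions; walking the OLE2/CFBF container to obtain the stream bytes is out of scope here.

```python
import zlib

# Hypothetical policy values for this example; Kingfisher's own limits are not
# stated on this page.
DEFAULT_INFLATE_LIMIT = 64 * 1024 * 1024  # refuse streams inflating past 64 MiB
_CHUNK = 64 * 1024                        # output produced per inflate step


class InflateError(Exception):
    """The stream is truncated or would inflate past the configured limit."""


def _inflate_bounded(data: bytes, wbits: int, limit: int) -> bytes:
    """Inflate `data` under one framing (wbits=15: zlib-wrapped, wbits=-15: raw
    DEFLATE) without ever materialising more than `limit` bytes, so a hostile
    HWP stream cannot be used as a decompression bomb.
    Raises zlib.error when the bytes are not in this framing at all."""
    d = zlib.decompressobj(wbits)
    out = bytearray()
    pending = data
    while not d.eof:
        before = len(pending)
        chunk = d.decompress(pending, _CHUNK)  # at most _CHUNK bytes per step
        pending = d.unconsumed_tail
        if not chunk and len(pending) == before:
            # No output and no input consumed: end-of-stream will never arrive.
            raise InflateError("truncated stream")
        out += chunk
        if len(out) > limit:
            raise InflateError(f"inflated size exceeds {limit} bytes")
    return bytes(out)


def inflate_hwp_stream(data: bytes, limit: int = DEFAULT_INFLATE_LIMIT) -> tuple[str, bytes]:
    """Decode one HWP 5.x OLE2 stream (e.g. a BodyText section).

    Try order is this example's choice: zlib-wrapped first, then raw DEFLATE.
    If neither framing parses, the bytes are returned untouched so the caller
    can still scan them raw. A bomb or truncated stream raises InflateError
    and is deliberately NOT retried under the next framing."""
    for framing, wbits in (("zlib", zlib.MAX_WBITS), ("deflate", -zlib.MAX_WBITS)):
        try:
            return framing, _inflate_bounded(data, wbits, limit)
        except zlib.error:
            continue  # not this framing; try the next one
    return "uncompressed", data


def compress_sample(payload: bytes, wrapped: bool) -> bytes:
    """Construct test input: wrapped=False yields raw DEFLATE as HWP writers
    emit it, wrapped=True a zlib-wrapped stream."""
    c = zlib.compressobj(wbits=zlib.MAX_WBITS if wrapped else -zlib.MAX_WBITS)
    return c.compress(payload) + c.flush()


if __name__ == "__main__":
    # Constructed section text containing the AWS documentation placeholder key.
    text = b"[BodyText/Section0] aws_key = AKIAIOSFODNN7EXAMPLE\n" * 50
    for wrapped in (False, True):
        framing, out = inflate_hwp_stream(compress_sample(text, wrapped))
        print(framing, out == text)
    try:
        inflate_hwp_stream(compress_sample(b"\0" * (1 << 20), True), limit=4096)
    except InflateError as e:
        print("rejected:", e)
```

The cap is enforced while inflating, not after, so the scanner never allocates the full output of a hostile stream; an archive walker would log the rejection and move on to the next stream rather than abort the whole scan.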
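The dependent-variable fix in this release pairs a rule's primary match with the nearest helper match in the same file. As an added illustration (example code, not Kingfisher's implementation), the block below uses two hypothetical token shapes, `exk_` key IDs and `exs_` secrets, and a constructed config file holding a staging and a production pair. Nearest-offset pairing returns the right secret for each key, while a naive first-helper-in-file pairing, shown only for contrast and not as a description of any earlier Kingfisher code, would send the production key off for validation with the staging secret.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical token shapes for a key/secret pair; not any real provider's format.
KEY_RE = re.compile(r"\bexk_[a-z0-9]{10}\b")
SECRET_RE = re.compile(r"\bexs_[a-z0-9_]{12,24}\b")

# Constructed sample: two environments' credentials in one config file.
SAMPLE_FILE = """\
# constructed sample: staging and production pairs in one file
STAGE_KEY_ID = "exk_stage00001"
STAGE_SECRET = "exs_stage_secret_aaaa"

PROD_KEY_ID = "exk_prod000001"
PROD_SECRET = "exs_prod_secret_bbbb"
"""


@dataclass(frozen=True)
class Match:
    value: str
    start: int  # offset of the match within the file


def find_matches(pattern: re.Pattern, text: str) -> list[Match]:
    return [Match(m.group(0), m.start()) for m in pattern.finditer(text)]


def pair_nearest(text: str) -> list[tuple[str, Optional[str]]]:
    """Pair every primary (key) match with the helper (secret) match closest to
    it in the same file. Ties prefer the helper that appears after the key,
    since secrets normally follow their key ID (this example's choice). A key
    with no helper in the file is returned with None so the validator skips it
    instead of guessing; pairing is per file, so helpers from other files are
    never candidates."""
    keys = find_matches(KEY_RE, text)
    secrets = find_matches(SECRET_RE, text)
    pairs: list[tuple[str, Optional[str]]] = []
    for k in keys:
        if not secrets:
            pairs.append((k.value, None))
            continue
        best = min(secrets, key=lambda s: (abs(s.start - k.start), -s.start))
        pairs.append((k.value, best.value))
    return pairs


def pair_first_helper(text: str) -> list[tuple[str, Optional[str]]]:
    """Naive alternative for contrast: every key gets the first secret in the
    file, which mis-pairs the second key/secret block."""
    keys = find_matches(KEY_RE, text)
    secrets = find_matches(SECRET_RE, text)
    first = secrets[0].value if secrets else None
    return [(k.value, first) for k in keys]


if __name__ == "__main__":
    print("nearest:", pair_nearest(SAMPLE_FILE))
    print("first:  ", pair_first_helper(SAMPLE_FILE))
```

A mis-paired key/secret is worse than an unpaired one: the validator reports the live credential as invalid and the finding drops out of the triage queue, which is exactly the case the nearest-match rule fixes.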