Releases: mongodb/kingfisher

Kingfisher v1.64.0

14 Nov 00:37
1af21d8

[v1.64.0]

  • Fixed a bug where using --redact broke validation
  • Added JDBC rule with validator
  • Filter out empty 'KF_BITBUCKET_*' environment values when constructing the Bitbucket authentication configuration so blank variables no longer override valid credentials

Kingfisher v1.63.1

11 Nov 07:11
6264933

[v1.63.1]

  • Updated allocator

Kingfisher v1.63.0

11 Nov 04:21
22b111f

[v1.63.0]

  • Fixed a bug when retrieving some finding values and injecting them as TOKENS in the rule templates
  • Improved Datadog rule
  • Improved AWS rule

Kingfisher v1.62.0

10 Nov 17:22
1b8bb0e

[v1.62.0]

  • Added pattern_requirements checks to rules, providing lightweight post-regex character-class validation without lookarounds. See docs/RULES.md for details.
  • Added an ignore_if_contains option to pattern_requirements to drop matches containing case-insensitive placeholder words, with tests covering the new behavior.
  • Updated rules to adopt the new pattern_requirements support.
  • Added checksum comparisons to pattern_requirements, new suffix, crc32, and base62 Liquid filters, and verbose logging so mismatched checksums are skipped with context rather than reported as findings.
  • Split GitHub token detections into fine-grained/fixed-format variants and enforce checksum validation for modern GitHub token families (PAT, OAuth, App, refresh) while preserving legacy coverage.
  • Added a rule for Zuplo tokens.
  • Added checksum calculation for Confluent, GitHub, and Zuplo tokens, which can drastically reduce false positive reports.
  • Improved OpsGenie validation.
  • Automatically enable --no-dedup when --manage-baseline is supplied so baseline management keeps every finding.
  • This release focuses on further improving detection accuracy before findings are even submitted for validation.
  • Updated GitHub Actions CI for Windows and buildwin.bat script
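As an added illustration (not Kingfisher's code, and not its Liquid rule syntax), the following Python sketch shows the kind of post-regex filtering the bullets above describe, applied to the classic ghp_ GitHub token format: a permissive first-stage regex, a character-class requirement, a case-insensitive placeholder-word check in the spirit of ignore_if_contains, and a checksum comparison. The checksum follows GitHub's published scheme as understood here (CRC32 of the 30-character random part, base62-encoded and left-padded to 6 characters); the base62 alphabet ordering 0-9A-Za-z is an assumption, and every token in the sample input is constructed rather than real.

```python
import re
import zlib

# Base62 alphabet assumed for the GitHub checksum: digits, then upper, then lower case.
BASE62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Placeholder words, matched case-insensitively, in the spirit of ignore_if_contains.
PLACEHOLDERS = ("example", "placeholder", "changeme", "xxxxxxxx")

# Deliberately permissive first-stage regex: prefix plus 36 base62 characters.
GITHUB_PAT_RE = re.compile(r"\bghp_([0-9A-Za-z]{36})\b")


def base62_encode(n: int, width: int) -> str:
    """Encode a non-negative integer in base62, left-padded with '0' to `width` characters."""
    digits = ""
    while n:
        n, r = divmod(n, 62)
        digits = BASE62[r] + digits
    return digits.rjust(width, "0")


def github_checksum(random_part: str) -> str:
    """6-character base62 CRC32 of the 30-character random part."""
    return base62_encode(zlib.crc32(random_part.encode("ascii")) & 0xFFFFFFFF, 6)


def make_token(random_part: str) -> str:
    """Assemble a syntactically valid token from a 30-character random part (test helper)."""
    if len(random_part) != 30:
        raise ValueError("random part must be 30 characters")
    return "ghp_" + random_part + github_checksum(random_part)


def check_requirements(body: str) -> tuple[bool, str]:
    """Post-regex checks on the 36-character body: class mix, placeholder words, checksum."""
    if not (any(c.isdigit() for c in body) and any(c.isalpha() for c in body)):
        return False, "needs both letters and digits"
    lowered = body.lower()
    for word in PLACEHOLDERS:
        if word in lowered:
            return False, f"contains placeholder word {word!r}"
    random_part, checksum = body[:30], body[30:]
    expected = github_checksum(random_part)
    if checksum != expected:
        return False, f"checksum mismatch (got {checksum}, expected {expected})"
    return True, "ok"


def scan(text: str) -> list[tuple[str, bool, str]]:
    """Return (match, accepted, reason) for every regex hit; rejected hits are logged, not reported."""
    results = []
    for m in GITHUB_PAT_RE.finditer(text):
        accepted, reason = check_requirements(m.group(1))
        results.append((m.group(0), accepted, reason))
    return results


# Constructed sample input; none of these are real credentials.
RANDOM_PART = "ZpqXk7wD3Rt2Lm9VbN4cHy1QsE8fJa"
GOOD_TOKEN = make_token(RANDOM_PART)
# Flip the first checksum character so the checksum is guaranteed not to match.
BAD_CHECKSUM_TOKEN = GOOD_TOKEN[:-6] + ("0" if GOOD_TOKEN[-6] != "0" else "1") + GOOD_TOKEN[-5:]
SAMPLE = "\n".join([
    f"GITHUB_TOKEN={GOOD_TOKEN}",
    f"OLD_TOKEN={BAD_CHECKSUM_TOKEN}",
    "DOC_TOKEN=ghp_exampleexampleexampleexampleexample1",
])

if __name__ == "__main__":
    for match, accepted, reason in scan(SAMPLE):
        print("REPORT " if accepted else "SKIP   ", match, reason)
```

The point of the checksum stage is that a 36-character base62 string that happens to match the regex has only a 1 in 62^6 chance of carrying the right checksum by accident, so the mismatch is logged with its context and never reaches validation.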

Kingfisher v1.61.0

31 Oct 23:35
5faee1b

[v1.61.0]

  • Fixed local filesystem scans to keep open_path_as_is enabled when opening Git repositories and only disable it for diff-based scans.
  • Created Linux- and Windows-specific installer scripts
  • Updated diff-focused scanning so --branch-root-commit can be provided alongside --branch, letting you diff from a chosen commit while targeting a specific branch tip (still defaulting back to the --branch ref when the commit is omitted).
  • Updated rules

Kingfisher v1.60.0

24 Oct 06:27
fc73ba3

[v1.60.0]

  • Removed the --bitbucket-username, --bitbucket-token, and --bitbucket-oauth-token flags in favour of KF_BITBUCKET_* environment variables when authenticating to Bitbucket.
  • Added provider-specific kingfisher scan subcommands (for example kingfisher scan github …) that translate into the legacy flags under the hood. The new layout keeps backwards compatibility while removing the wall of provider options from kingfisher scan --help.
  • Updated the README so every provider example (GitHub, GitLab, Bitbucket, Azure Repos, Gitea, Hugging Face, Slack, Jira, Confluence, S3, GCS, Docker) uses the new subcommand style.
  • Legacy provider flags (for example --github-user, --gitlab-group, --bitbucket-workspace, --s3-bucket) still work but now emit a deprecation warning to encourage migration to the new kingfisher scan <provider> flow.
  • Kept the direct kingfisher scan /path/to/dir flow for local filesystem / local git repo scans while adding a --list-only switch to each provider subcommand so repository enumeration no longer requires the standalone github repos, gitlab repos, etc. commands.
  • Removed the legacy top-level provider commands (kingfisher github, kingfisher gitlab, kingfisher gitea, kingfisher bitbucket, kingfisher azure, kingfisher huggingface) now that enumeration lives under kingfisher scan <provider> --list-only.

Kingfisher v1.59.0

21 Oct 05:46
8f7772b

[v1.59.0]

  • Fixed kingfisher scan so that providing --branch without --since-commit now diffs the branch against the empty tree and scans every commit reachable from that branch.

  • Added rules for meraki, duffel, finnhub, frameio, freshbooks, gitter, infracost, launchdarkly, lob, maxmind, messagebird, nytimes, prefect, scalingo, sendinblue, sentry, shippo, twitch, typeform

Kingfisher v1.58.0

16 Oct 21:48
fecf858

[v1.58.0]

  • Added first-class Hugging Face scanning support, including CLI enumeration, token authentication, and integration with remote scans.
  • Condensed GitError formatting to report the exit status and the first informative lines from stdout/stderr, producing concise git clone failure logs.
  • Added support for scanning Google Cloud Storage buckets via --gcs-bucket, including optional prefixes and service-account authentication.
  • Added --skip-aws-account (now accepting comma-separated values) and --skip-aws-account-file to bypass live AWS validation for known canary/honey-token account IDs without triggering alerts. Kingfisher now ships with several canary AWS account IDs pre-seeded in the skip list and reports matching findings as "Not Attempted", with the "Response" containing "(skip list entry)", so it is clear that validation was intentionally skipped and why.
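Added here as an example (not Kingfisher's code): the reason a skip list can work without touching AWS is that an access key ID carries its account ID in recoverable form, so the scanner can decide to skip before any API call that would trip the canary. The decoding below is the publicly documented derivation (base32-decode the body after the four-character prefix, take the first six bytes, mask off the top bit and the low seven bits). The skip list, the key IDs and the parsing rules for a skip file are all constructed for this illustration; the constructed account IDs are not the canary IDs the project ships.

```python
import base64

# Prefixes whose body encodes an account ID: AKIA (long-term) and ASIA (temporary) keys.
KEY_PREFIXES = ("AKIA", "ASIA")

# Constructed skip list; the project's shipped canary IDs are different and not reproduced here.
SKIP_ACCOUNTS = {"123456789012", "210987654321"}


def account_id_from_key_id(key_id: str) -> str:
    """Recover the 12-digit account ID from a 20-character access key ID, offline.

    The 16 base32 characters after the prefix decode to 10 bytes; the account ID sits in
    bits 7..46 of the first 6 bytes (mask 0x7FFFFFFFFF80, then shift right by 7).
    """
    if len(key_id) != 20 or key_id[:4] not in KEY_PREFIXES:
        raise ValueError("expected a 20-character AKIA/ASIA access key ID")
    raw = base64.b32decode(key_id[4:].upper())  # binascii.Error is a ValueError subclass
    z = int.from_bytes(raw[:6], "big")
    return f"{(z & 0x7FFFFFFFFF80) >> 7:012d}"


def make_key_id(account_id: str, prefix: str = "AKIA", tail: bytes = b"\x00" * 4) -> str:
    """Construct a syntactically valid key ID encoding account_id (test helper, not a real key)."""
    head = (int(account_id) << 7).to_bytes(6, "big")
    return prefix + base64.b32encode(head + tail).decode("ascii")


def load_skip_list(text: str) -> set[str]:
    """Parse account IDs from comma- or newline-separated text; '#' starts a comment."""
    ids = set()
    for line in text.splitlines():
        for item in line.split("#", 1)[0].split(","):
            item = item.strip()
            if not item:
                continue
            if not (item.isdigit() and len(item) == 12):
                raise ValueError(f"not a 12-digit account ID: {item!r}")
            ids.add(item)
    return ids


def validation_decision(key_id: str, skip_accounts: set[str] = SKIP_ACCOUNTS) -> tuple[str, str]:
    """Return (status, response); skip-listed keys are reported as Not Attempted and never validated."""
    try:
        account = account_id_from_key_id(key_id)
    except ValueError as exc:
        return "Not Attempted", f"could not derive account ID: {exc}"
    if account in skip_accounts:
        return "Not Attempted", f"account {account} (skip list entry)"
    return "Validate", f"account {account} not on skip list, live check allowed"


if __name__ == "__main__":
    for key in (make_key_id("123456789012"), make_key_id("999999999999", prefix="ASIA")):
        print(key, *validation_decision(key))
```

The decision is taken purely from the key ID, so a canary credential never produces an STS or IAM call; the secret access key is not needed at all for this step.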

Kingfisher v1.57.0

12 Oct 02:55
8cd220a

[v1.57.0]

  • Added inline ignore directive detection to treat suppression tokens anywhere on surrounding lines, including multi-line handling
  • Added a --no-ignore CLI flag to disable inline directives when you need every potential secret reported
  • Added a repeatable --ignore-comment <TOKEN> flag to reuse inline directives from other scanners (for example NOSONAR, kics-scan ignore, gitleaks:allow, etc.)
  • Respected user color settings in update messages by using the same color helper as the main reporter, so update-check output is consistent and contains no ANSI codes when color is disabled
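As an added example (not Kingfisher's implementation; the directive semantics here are an assumption), this Python sketch shows one way the three directive bullets above fit together: a token on the same line, the line before, or the line after a match suppresses it; extra tokens stand in for repeated --ignore-comment values; and a no_ignore switch plays the role of --no-ignore. The built-in token name secrets:ignore is hypothetical, since this page does not name Kingfisher's own directive, and the scanned lines are constructed.

```python
import re
from dataclasses import dataclass

# Hypothetical built-in directive; this page does not name the scanner's own token.
BUILTIN_TOKENS = ("secrets:ignore",)
# Tokens a user might pass with repeated --ignore-comment flags to honour other scanners' directives.
EXTRA_TOKENS = ("NOSONAR", "kics-scan ignore", "gitleaks:allow")

# Toy first-stage pattern: an api_key assignment with a quoted value of 20+ alphanumerics.
SECRET_RE = re.compile(r"(?i)\bapi_key\s*=\s*[\"']([A-Za-z0-9]{20,})[\"']")


@dataclass
class Finding:
    line_no: int       # 1-based
    value: str
    suppressed: bool   # True when an ignore directive covers this line


def scan_lines(lines, ignore_tokens, no_ignore=False, window=1):
    """Find secrets; mark a finding suppressed if any token appears within `window` lines of it."""
    lowered = [line.lower() for line in lines]
    tokens = tuple(t.lower() for t in ignore_tokens)
    findings = []
    for i, line in enumerate(lines):
        for m in SECRET_RE.finditer(line):
            suppressed = False
            if not no_ignore:
                lo, hi = max(0, i - window), min(len(lines), i + window + 1)
                suppressed = any(tok in lowered[j] for j in range(lo, hi) for tok in tokens)
            findings.append(Finding(i + 1, m.group(1), suppressed))
    return findings


def report(lines, ignore_tokens=BUILTIN_TOKENS + EXTRA_TOKENS, no_ignore=False):
    """Line numbers that would actually be reported after suppression."""
    return [f.line_no for f in scan_lines(lines, ignore_tokens, no_ignore) if not f.suppressed]


# Constructed input; the values are not real credentials.
SAMPLE = """\
api_key = "A1B2C3D4E5F6G7H8I9J0K1L2"  # secrets:ignore test fixture

# gitleaks:allow
api_key = "Z9Y8X7W6V5U4T3S2R1Q0P9O8"

api_key = "M1N2B3V4C5X6Z7L8K9J0H1G2"

api_key = "Q1W2E3R4T5Y6U7I8O9P0A1S2"
# NOSONAR: fixture value continues the block above
""".splitlines()

if __name__ == "__main__":
    print("default:   ", report(SAMPLE))
    print("--no-ignore", report(SAMPLE, no_ignore=True))
    print("builtin only", report(SAMPLE, BUILTIN_TOKENS))
```

With all tokens enabled only line 6 is reported; with the built-in token alone the gitleaks:allow and NOSONAR lines come back (lines 4, 6, 8); with no_ignore every match is reported regardless of directives.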

Kingfisher v1.56.0

08 Oct 21:27
1b7d682

[v1.56.0]

  • Fixed tree-sitter scanning bug where passing --no-base64 caused errors to be printed when the file type couldn’t be determined