Kingfisher v1.68.0

[v1.68.0]

• Fixed Bitbucket authenticated cloning bug

Kingfisher v1.67.0

[v1.67.0]

• Added checksum to GitLab rule
• Fixed deduplication to consider rule identifiers so overlapping patterns are not merged before validation
• After scan summaries, emit the styled outdated-version notice to stderr when a newer release is available
• Reduced false positives across a number of rules
• Updated Summary to include scan date, kingfisher version ran, and latest kingfisher version available

Kingfisher v1.66.0

[v1.66.0]

• Updating to support Bitbucket App Passwords
• Improved boundaries for several rules
• Added more rules

Kingfisher v1.65.0

[v1.65.0]

• Skip reporting MongoDB and Postgres findings when their connection strings cannot be parsed, even when validation is disabled.
• Improve MySQL detection by broadening URI coverage and adding live validation that skips clearly invalid connection strings.
• Added a helper to truncate validation response bodies only at UTF-8 character boundaries to prevent panics during validation.

Kingfisher v1.64.0

[v1.64.0]

• Fixed a bug when using --redact, that broke validation
• Added JDBC rule with validator
• Filter out empty 'KF_BITBUCKET_*' environment values when constructing the Bitbucket authentication configuration so blank variables no longer override valid credentials

Kingfisher v1.63.1

[v1.63.1]

• Updated allocator

Kingfisher v1.63.0

[v1.63.0]

• Fixed bug when retrieving some finding values and injecting them as TOKENS in the rule templates
• Improved Datadog rule
• Improved AWS rule

Kingfisher v1.62.0

[v1.62.0]

• Added pattern_requirements checks to rules, providing lightweight post-regex character-class validation without lookarounds. See docs/RULES.md for detail
• Added an ignore_if_contains option to pattern_requirements to drop matches containing case-insensitive placeholder words, with tests covering the new behavior.
• Updated rules to adopt the new pattern_requirements support.
• Added checksum comparisons to pattern_requirements, new suffix, crc32, and base62 Liquid filters, and verbose logging so mismatched checksums are skipped with context rather than reported as findings.
• Split GitHub token detections into fine-grained/fixed-format variants and enforce checksum validation for modern GitHub token families (PAT, OAuth, App, refresh) while preserving legacy coverage.
• Added a rule for Zuplo tokens.
• Added checksum calculation for Confluent, GitHub, and Zuplo tokens, which can drastically reduce false positive reports.
• Improved OpsGenie validation.
• Automatically enable --no-dedup when --manage-baseline is supplied so baseline management keeps every finding.
• This release is focused on further improving detection accuracy, before even attempting to validate findings.
• Updated GitHub Actions CI for Windows and buildwin.bat script

Kingfisher v1.61.0

[v1.61.0]

• Fixed local filesystem scans to keep open_path_as_is enabled when opening Git repositories and only disable it for diff-based scans.
• Created Linux and Windows specific installer script
• Updated diff-focused scanning so --branch-root-commit can be provided alongside --branch, letting you diff from a chosen commit while targeting a specific branch tip (still defaulting back to the --branch ref when the commit is omitted).
• Updated rules

Kingfisher v1.60.0

[v1.60.0]

• Removed the --bitbucket-username, --bitbucket-token, and --bitbucket-oauth-token flags in favour of KF_BITBUCKET_* environment variables when authenticating to Bitbucket.
• Added provider-specific kingfisher scan subcommands (for example kingfisher scan github …) that translate into the legacy flags under the hood. The new layout keeps backwards compatibility while removing the wall of provider options from kingfisher scan --help.
• Updated the README so every provider example (GitHub, GitLab, Bitbucket, Azure Repos, Gitea, Hugging Face, Slack, Jira, Confluence, S3, GCS, Docker) uses the new subcommand style.
• Legacy provider flags (for example --github-user, --gitlab-group, --bitbucket-workspace, --s3-bucket) still work but now emit a deprecation warning to encourage migration to the new kingfisher scan <provider> flow.
• Kept the direct kingfisher scan /path/to/dir flow for local filesystem / local git repo scans while adding a --list-only switch to each provider subcommand so repository enumeration no longer requires the standalone github repos, gitlab repos, etc. commands.
• Removed the legacy top-level provider commands (kingfisher github, kingfisher gitlab, kingfisher gitea, kingfisher bitbucket, kingfisher azure, kingfisher huggingface) now that enumeration lives under kingfisher scan <provider> --list-only.