From 6b1717bf28ec6f634e85c48081bfb9c38931beae Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Sat, 28 Mar 2026 21:06:16 -0700
Subject: [PATCH] Add Kingfisher secret scanner to prek hooks

Running alongside TruffleHog to compare coverage. Kingfisher uses staged-only mode with validation disabled for fast, offline-safe pre-commit checks. Validation will be enabled in the planned cron job.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
docs/changelog.d/+kingfisher-prek.feature.md | 1 +
prek.toml | 19 ++++++++++++++++++-
2 files changed, 19 insertions(+), 1 deletion(-)
create mode 100644 docs/changelog.d/+kingfisher-prek.feature.md

diff --git a/docs/changelog.d/+kingfisher-prek.feature.md b/docs/changelog.d/+kingfisher-prek.feature.md
new file mode 100644
index 0000000..dadedc1
--- /dev/null
+++ b/docs/changelog.d/+kingfisher-prek.feature.md
@@ -0,0 +1 @@
+Add MongoDB Kingfisher secret scanner as a prek hook alongside TruffleHog for comparative coverage evaluation.
diff --git a/prek.toml b/prek.toml
index b679a6f..7f0f9ab 100644
--- a/prek.toml
+++ b/prek.toml
@@ -25,7 +25,7 @@ repo = "https://github.com/pre-commit/pre-commit-hooks"
 rev = "v6.0.0"
 hooks = [{ id = "check-yaml", args = ["--unsafe"] }]
 
-# Secret detection
+# Secret detection (running both tools in parallel to compare coverage)
 [[repos]]
 repo = "https://github.com/trufflesecurity/trufflehog"
 rev = "v3.94.0"
@@ -36,6 +36,23 @@ hooks = [
 ] },
 ]
 
+[[repos]]
+repo = "https://github.com/mongodb/kingfisher"
+rev = "v1.91.0"
+hooks = [
+ { id = "kingfisher", args = [
+ "scan",
+ ".",
+ "--staged",
+ "--quiet",
+ "--no-update-check",
+ "--no-validate",
+ ], stages = [
+ "pre-commit",
+ "pre-push",
+ ] },
+]
+
 # YAML linting
 [[repos]]
 repo = "https://github.com/adrienverge/yamllint"
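Review bot: The `--staged` argument on the new kingfisher hook makes its `pre-push` stage a near no-op: at push time the index normally matches HEAD, so the hook reports success without scanning any of the commits being pushed, which is a false sense of coverage rather than extra coverage. Either restrict the hook to `stages = ["pre-commit"]`, or give pre-push its own hook entry that scans the range of commits about to be pushed (a history scan, not the index) and keep `--staged` only on the pre-commit entry. Separately, `--no-validate` leaves every finding unverified, so please confirm that Kingfisher still exits non-zero on unverified findings when run with `--quiet`; if it does not, the hook never blocks a commit, and a short comment recording the checked exit-code behaviour above the `[[repos]]` entry would save the next reader the same investigation. The hunk opens inside the TruffleHog `hooks` array, whose definition starts outside the hunk.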