Add Kingfisher secret scanner to prek hooks

Running alongside TruffleHog to compare coverage. Kingfisher uses staged-only mode with validation disabled for fast, offline-safe pre-commit checks. Validation will be enabled in the planned cron job. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 21:06:16 -07:00 · 2026-03-28 21:06:16 -07:00 · 6b1717bf28
commit 6b1717bf28
parent 7fb6eff388
2 changed files with 19 additions and 1 deletions
--- a/prek.toml
+++ b/prek.toml
@ -25,7 +25,7 @@ repo = "https://github.com/pre-commit/pre-commit-hooks"
 rev = "v6.0.0"
 hooks = [{ id = "check-yaml", args = ["--unsafe"] }]

-# Secret detection
+# Secret detection (running both tools in parallel to compare coverage)
 [[repos]]
 repo = "https://github.com/trufflesecurity/trufflehog"
 rev = "v3.94.0"
@ -36,6 +36,23 @@ hooks = [
  ] },
 ]

+[[repos]]
+repo = "https://github.com/mongodb/kingfisher"
+rev = "v1.91.0"
+hooks = [
+  { id = "kingfisher", args = [
+    "scan",
+    ".",
+    "--staged",
+    "--quiet",
+    "--no-update-check",
+    "--no-validate",
+  ], stages = [
+    "pre-commit",
+    "pre-push",
+  ] },
+]
+
 # YAML linting
 [[repos]]
 repo = "https://github.com/adrienverge/yamllint"