diff --git a/argocd/manifests/kingfisher/cronjob.yaml b/argocd/manifests/kingfisher/cronjob.yaml
index c035940..0efd7ab 100644
--- a/argocd/manifests/kingfisher/cronjob.yaml
+++ b/argocd/manifests/kingfisher/cronjob.yaml
@@ -26,23 +26,15 @@ spec:
 OUTDIR=/reports/kingfisher
 mkdir -p "$OUTDIR"
- COMMON_ARGS="scan gitea \
+ kingfisher scan gitea \
 --api-url https://forge.ops.eblu.me/api/v1/ \
 --user eblume \
 --repo-type all \
 --no-update-check \
 --tls-mode lax \
- --allow-internal-ips"
-
- # HTML report for human review
- kingfisher $COMMON_ARGS \
+ --allow-internal-ips \
 --format html \
- --output "$OUTDIR/scan-${STAMP}.html" || true
-
- # JSON report for machine parsing
- kingfisher $COMMON_ARGS \
- --format json \
- --output "$OUTDIR/scan-${STAMP}.json"
 env:
 - name: KF_GITEA_TOKEN
 valueFrom:
diff --git a/docs/reference/services/kingfisher.md b/docs/reference/services/kingfisher.md
index dea47f1..d6c5cf2 100644
--- a/docs/reference/services/kingfisher.md
+++ b/docs/reference/services/kingfisher.md
@@ -26,7 +26,7 @@ Secret detection and live validation scanner for Forgejo repositories, using Mon
 Runs as a weekly CronJob that scans all repositories in the `eblume` user on Forgejo for leaked secrets, API keys, and credentials. Produces timestamped HTML and JSON reports on the sifaka NFS share.
-Uses the Forgejo/Gitea API to enumerate repos, then clones and scans each one. Validation is enabled (secrets are tested against their respective APIs to confirm they're live).
+Uses the Forgejo/Gitea API to enumerate repos, then clones and scans each one. Validation is enabled (secrets are tested against their respective APIs to confirm they're live). Reports are HTML only.
 ## Pre-commit hook 
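Review bot: The single `kingfisher scan gitea` invocation now carries the Job's exit status with no `|| true`, and nothing in the hunk says whether that is intended, so a later reader may take the dropped `|| true` as accidental; I would add a comment above the command, `# no "|| true": a non-zero exit from the scan should fail the Job so the run is visible`. Kingfisher, if I recall its README correctly, exits non-zero when findings are detected, so a week with hits shows up as a Failed Job, which is reasonable for a secret scanner but worth stating, and depending on the Job's backoffLimit (outside this hunk) it may also mean the clone-and-validate run is retried. In effect this matches the previous behaviour, since the old JSON run was also unguarded, but with the JSON report gone that exit status is now the only machine-readable signal the run leaves. The unchanged docs line `Produces timestamped HTML and JSON reports on the sifaka NFS share.` in the kingfisher.md hunk is now stale. The script's head, including where `STAMP` is set, and the container spec start above the hunk.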
@@ -47,7 +47,7 @@ kubectl logs -f job/kingfisher-manual -n kingfisher --context=minikube-indri
 ## Limitations
 - Clone URLs come from Forgejo's API response using the instance's public `ROOT_URL` (`forge.eblu.me`), so clones roundtrip through Fly.io. Mirror/org scanning is excluded for now to avoid unnecessary external bandwidth. A clone URL rewrite option would need an upstream contribution.
-- Only one output format per invocation, so the CronJob runs Kingfisher twice (HTML then JSON).
+- Only one output format per invocation. Currently producing HTML only.
 ## See also