From bb603699562295b55e62b7f1c9868e5ed2e7ea3d Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Sat, 28 Mar 2026 21:50:54 -0700
Subject: [PATCH] Simplify Kingfisher CronJob to HTML-only output
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Remove the second scan pass for JSON — one format is enough for now.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 argocd/manifests/kingfisher/cronjob.yaml | 14 +++-----------
 docs/reference/services/kingfisher.md | 4 ++--
 2 files changed, 5 insertions(+), 13 deletions(-)
diff --git a/argocd/manifests/kingfisher/cronjob.yaml b/argocd/manifests/kingfisher/cronjob.yaml
index c035940..0efd7ab 100644
--- a/argocd/manifests/kingfisher/cronjob.yaml
+++ b/argocd/manifests/kingfisher/cronjob.yaml
@@ -26,23 +26,15 @@ spec:
 OUTDIR=/reports/kingfisher
 mkdir -p "$OUTDIR"
 
- COMMON_ARGS="scan gitea \
+ kingfisher scan gitea \
 --api-url https://forge.ops.eblu.me/api/v1/ \
 --user eblume \
 --repo-type all \
 --no-update-check \
 --tls-mode lax \
- --allow-internal-ips"
-
- # HTML report for human review
- kingfisher $COMMON_ARGS \
+ --allow-internal-ips \
 --format html \
- --output "$OUTDIR/scan-${STAMP}.html" || true
-
- # JSON report for machine parsing
- kingfisher $COMMON_ARGS \
- --format json \
- --output "$OUTDIR/scan-${STAMP}.json"
 env:
 - name: KF_GITEA_TOKEN
 valueFrom:
diff --git a/docs/reference/services/kingfisher.md b/docs/reference/services/kingfisher.md
index dea47f1..d6c5cf2 100644
--- a/docs/reference/services/kingfisher.md
+++ b/docs/reference/services/kingfisher.md
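Review bot: The rewritten invocation drops the `|| true` that the old HTML pass carried, so the script's exit status — and with it the Job's success — now follows kingfisher's exit code, a change the commit message does not mention. If kingfisher signals findings through a non-zero exit (I believe it does, but confirm against the version in use), every scan that finds a secret will fail the Job and may be retried under the CronJob's backoffLimit/restartPolicy (outside this hunk), re-cloning every repository and re-running live validation of the same secrets on each attempt. Either keep the tolerant form, `--output "$OUTDIR/scan-${STAMP}.html" || true`, or, if a failing Job on findings is the intent, say so in a comment above the command, e.g. `# Non-zero exit on findings is intentional: a failed Job is the alert`. The script block and the container spec start and end outside the hunk, so I cannot see whether a `set -e` or a trap already governs this.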
@@ -26,7 +26,7 @@ Secret detection and live validation scanner for Forgejo repositories, using Mon
 Runs as a weekly CronJob that scans all repositories in the `eblume` user on Forgejo for leaked secrets, API keys, and credentials. Produces timestamped HTML and JSON reports on the sifaka NFS share.
-Uses the Forgejo/Gitea API to enumerate repos, then clones and scans each one. Validation is enabled (secrets are tested against their respective APIs to confirm they're live).
+Uses the Forgejo/Gitea API to enumerate repos, then clones and scans each one. Validation is enabled (secrets are tested against their respective APIs to confirm they're live). Reports are HTML only.
 ## Pre-commit hook
@@ -47,7 +47,7 @@ kubectl logs -f job/kingfisher-manual -n kingfisher --context=minikube-indri
 ## Limitations
 - Clone URLs come from Forgejo's API response using the instance's public `ROOT_URL` (`forge.eblu.me`), so clones roundtrip through Fly.io. Mirror/org scanning is excluded for now to avoid unnecessary external bandwidth. A clone URL rewrite option would need an upstream contribution.
-- Only one output format per invocation, so the CronJob runs Kingfisher twice (HTML then JSON).
+- Only one output format per invocation. Currently producing HTML only.
 ## See also