From 52f71c44624f0c95bf417aaed73b0c469e95a833 Mon Sep 17 00:00:00 2001 From: Mick Grove Date: Sat, 31 Jan 2026 23:14:06 -0800 Subject: [PATCH] updated changelog
---
 CHANGELOG.md | 2 +-
 src/reporter.rs | 60 ++++++++++++++++++++++++++++---------------------
 2 files changed, 35 insertions(+), 27 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f688b29..2b24d6d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,7 +6,7 @@ All notable changes to this project will be documented in this file. - Added `kingfisher revoke` subcommand for revoking leaked credentials directly with the provider. - Added optional `revocation` section to rules to support credential revocation (currently supporting AWS, GCP, GitHub, GitLab, Slack, and Buildkite). - Added `kingfisher validate` subcommand to validate credentials without running a full scan. -- Added `validate_command` and `revoke_command` fields to scan output (pretty, JSON, JSONL, BSON, SARIF formats) showing the exact `kingfisher validate` or `kingfisher revoke` command to run for each finding. The `validate_command` is included for all findings with validation support; `revoke_command` is included only for active credentials with revocation support. +- Added `validate_command` and `revoke_command` fields to scan output (pretty, JSON, JSONL, BSON, SARIF formats) showing the exact `kingfisher validate` or `kingfisher revoke` command to run for each finding. The `validate_command` is included for all findings with validation support; `revoke_command` is included only for active credentials with revocation support. These fields are omitted when `--redact` is used since they contain the secret value. - Updated the HTML report viewer to display validate and revoke commands in the Finding Details panel with copy-to-clipboard functionality. - Refactored project into multiple crates for better modularity and maintainability. - Ensured more CLI arguments are global and available across all subcommands. 
diff --git a/src/reporter.rs b/src/reporter.rs
index 8da01c8..3f1f403 100644
--- a/src/reporter.rs
+++ b/src/reporter.rs
@@ -627,45 +627,53 @@ impl DetailsReporter { .or_else(|| self.git_object_fallback_path(rm)) .unwrap_or_else(|| format!("blob:{}", rm.blob_metadata.id.hex())); - // Try to find AKID from captures (for AWS) - let akid_from_captures: Option = - rm.m.groups + // Generate validate/revoke commands only if not redacting (they contain the secret) + let (validate_command, revoke_command) = if args.redact { + (None, None) + } else { + // Try to find AKID from captures (for AWS) + let akid_from_captures: Option = rm + .m + .groups .captures .iter() .find(|c| c.name == Some("AKID") || c.name == Some("akid")) .map(|c| c.raw_value().to_string()); - // Try to extract AKID from validation response body (fallback for AWS) - let akid_from_body = extract_akid_from_validation_body(&rm.validation_response_body); + // Try to extract AKID from validation response body (fallback for AWS) + let akid_from_body = extract_akid_from_validation_body(&rm.validation_response_body); - // Generate validate command for findings with validation support - let validate_command = if let Some(validation) = &rm.m.rule.syntax().validation { - build_validate_command( - rm.m.rule.id(), - validation, - &raw_snippet, - akid_from_captures.as_deref(), - akid_from_body.as_deref(), - ) - } else { - None - }; - - // Generate revoke command for active credentials with revocation support - let revoke_command = if rm.validation_success { - if let Some(revocation) = &rm.m.rule.syntax().revocation { - build_revoke_command( + // Generate validate command for findings with validation support + let validate_cmd = if let Some(validation) = &rm.m.rule.syntax().validation { + build_validate_command( rm.m.rule.id(), - revocation, + validation, &raw_snippet, akid_from_captures.as_deref(), akid_from_body.as_deref(), ) } else { None - } - } else { - None + }; + + // Generate revoke command for active credentials with revocation support + let revoke_cmd = if rm.validation_success { + if let Some(revocation) = 
&rm.m.rule.syntax().revocation { + build_revoke_command( + rm.m.rule.id(), + revocation, + &raw_snippet, + akid_from_captures.as_deref(), + akid_from_body.as_deref(), + ) + } else { + None + } + } else { + None + }; + + (validate_cmd, revoke_cmd) }; FindingReporterRecord {
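Review bot: The `revoke_cmd` computation in the new non-redact branch nests `if rm.validation_success { if let Some(revocation) = … { … } else { None } } else { None }`, which reads more directly as one match with a guard: `let revoke_cmd = match &rm.m.rule.syntax().revocation { Some(revocation) if rm.validation_success => build_revoke_command(rm.m.rule.id(), revocation, &raw_snippet, akid_from_captures.as_deref(), akid_from_body.as_deref()), _ => None };`. The comment on the `(validate_command, revoke_command)` binding could also name the invariant it enforces so later additions to the record follow the same gate, e.g. `// Both commands embed raw_snippet verbatim; any new output field derived from it must be gated on args.redact the same way.` Moving the AKID extraction from `rm.validation_response_body` inside the non-redact branch is correct for the commands, but if that body is written into the record elsewhere it would need the same treatment — that is not visible in this hunk. The enclosing `DetailsReporter` method begins and ends outside the hunk.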