Added first-class **Postman** scanning target: new kingfisher scan postman subcommand (and equivalent --postman-* flags) fetches workspaces, collections, and environments via the Postman API and scans them for hard-coded credentials in request auth blocks, pre-request/test scripts, saved example responses, and — notably — secret-typed environment variables, which the API returns in plaintext despite the UI mask. Selectors: --workspace, --collection, --environment, --all, with optional --include-mocks-monitors and --api-url for self-hosted endpoints. Authenticates via KF_POSTMAN_TOKEN (or POSTMAN_API_KEY) sent as X-Api-Key; honors X-RateLimit-RetryAfter on 429s. Findings link back to https://go.postman.co/... URLs in reports.

2026-04-29 11:09:47 -07:00 · 2026-04-29 11:09:47 -07:00 · c387ac08d2
commit c387ac08d2
parent 8d9f5bed40
10 changed files with 303 additions and 539 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -132,7 +132,7 @@ jobs:
          toolchain: ${{ env.RUST_TOOLCHAIN }}

      - name: Set up MSYS2
-        uses: msys2/setup-msys2@cafece8e6baf9247cf9b1bf95097b0b983cc558d # v2.31.0
+        uses: msys2/setup-msys2@e9898307ac31d1a803454791be09ab9973336e1c # v2.31.1
        with:
          msystem: ${{ matrix.msystem }}
          update: true
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@ -25,7 +25,7 @@ jobs:
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

-      - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
+      - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0

      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
@ -46,7 +46,7 @@ jobs:
          CI: true

      - name: Upload artifact
-        uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0
+        uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0
        with:
          path: docs-site/site

--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@ -141,7 +141,7 @@ jobs:
            --plat-name win_arm64

      - name: Publish to PyPI (Trusted Publishing)
-        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
        with:
          packages-dir: dist-pypi
          verbose: true
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -274,7 +274,7 @@ jobs:
          toolchain: ${{ env.RUST_TOOLCHAIN }}

      - name: Set up MSYS2
-        uses: msys2/setup-msys2@cafece8e6baf9247cf9b1bf95097b0b983cc558d # v2.31.0
+        uses: msys2/setup-msys2@e9898307ac31d1a803454791be09ab9973336e1c # v2.31.1
        with:
          msystem: ${{ matrix.msystem }}
          update: true