- Replace the inline RS256 token and committed public key with a
throwaway RSA keypair generated at runtime; the token is signed from
readable claims so no key material or opaque blobs live in the repo
- Add `rsa` as a dev-only dependency (getrandom feature) for in-test
key generation; release binary is unaffected
Addresses review feedback on #386.
- Git repository scans now extract archive blobs encountered in the object database, not just on the filesystem. Previously a .zip/.jar/.apk/.tar.gz committed to a repo was scanned as raw compressed bytes, so secrets inside it were invisible. The git enumerator fans each archive entry out as a synthetic blob with the original commit metadata. Honors --no-extract-archives for opt-out.
- Performance: ZIP-based git blobs ≤ 64 MB extract entirely in memory (no temp-file round trip), beating the v1.99.0 baseline by ~15% on an 80 GiB monorepo despite scanning ~300K additional archive-content blobs. Larger archives automatically fall back to a disk-streaming extractor.
- Memory safety: hard caps on archive extraction — 64 MB compressed pre-flight, 256 MB aggregate decompressed per archive (in-memory and disk paths), 512 MB per entry, plus a PK\x03\x04 magic-byte gate. Worst-case footprint is bounded at ~num_jobs * 320 MB.
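As an added illustration of the caps above (this is example code, not Kingfisher's extractor), the following Python enforces the same four guards on an in-memory ZIP: a pre-flight check on the compressed size, the PK\x03\x04 magic-byte gate, a per-entry decompressed cap, and an aggregate decompressed cap. The caps are counted while streaming, so a central-directory entry that under-declares its size cannot slip past them. The sample archive is constructed inline (a placeholder token in a config file plus a highly compressible padding entry); file names and cap parameter names are assumptions.

```python
import io
import zipfile

# Cap values taken from the changelog entry above; the enforcement logic is an
# added illustration, not Kingfisher's own code.
MAX_COMPRESSED_BYTES = 64 * 1024 * 1024          # pre-flight gate on the raw blob
MAX_AGGREGATE_DECOMPRESSED = 256 * 1024 * 1024   # all entries of one archive combined
MAX_ENTRY_DECOMPRESSED = 512 * 1024 * 1024       # any single entry
ZIP_LOCAL_HEADER_MAGIC = b"PK\x03\x04"
READ_CHUNK = 64 * 1024


class ArchiveLimitExceeded(Exception):
    """Raised when an archive would exceed one of the extraction caps."""


def is_zip_blob(blob: bytes) -> bool:
    """Magic-byte gate: only blobs starting with a ZIP local-file header are
    handed to the extractor, whatever their file name claims."""
    return blob.startswith(ZIP_LOCAL_HEADER_MAGIC)


def extract_zip_bounded(
    blob: bytes,
    max_compressed: int = MAX_COMPRESSED_BYTES,
    max_aggregate: int = MAX_AGGREGATE_DECOMPRESSED,
    max_entry: int = MAX_ENTRY_DECOMPRESSED,
) -> list:
    """Inflate every file entry of an in-memory ZIP into (name, bytes) pairs,
    rejecting the archive as soon as any cap is crossed."""
    if len(blob) > max_compressed:
        raise ArchiveLimitExceeded(
            f"compressed size {len(blob)} exceeds pre-flight cap {max_compressed}")
    if not is_zip_blob(blob):
        raise ValueError("blob does not start with a ZIP local-file header")

    aggregate = 0
    entries = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Declared sizes come from attacker-controlled headers, so they are
            # only a cheap early rejection; the streaming count is the real guard.
            if info.file_size > max_entry or aggregate + info.file_size > max_aggregate:
                raise ArchiveLimitExceeded(
                    f"{info.filename}: declared size {info.file_size} exceeds a cap")
            entry_bytes = 0
            buf = bytearray()
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(READ_CHUNK)
                    if not chunk:
                        break
                    entry_bytes += len(chunk)
                    aggregate += len(chunk)
                    if entry_bytes > max_entry:
                        raise ArchiveLimitExceeded(f"{info.filename}: per-entry cap exceeded")
                    if aggregate > max_aggregate:
                        raise ArchiveLimitExceeded(f"{info.filename}: aggregate cap exceeded")
                    buf += chunk
            entries.append((info.filename, bytes(buf)))
    return entries


def build_sample_archive() -> bytes:
    """Constructed sample ZIP (not a real repository artifact): a small config
    file holding a placeholder token, and a padding entry that inflates to
    3 MiB from a few KiB of deflate output."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("config.env", "API_TOKEN=example-placeholder-not-a-real-secret\n")
        zf.writestr("padding.bin", b"\x00" * (3 * 1024 * 1024))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    for name, data in extract_zip_bounded(sample):
        print(f"{name}: {len(data)} bytes inflated")
    try:
        extract_zip_bounded(sample, max_aggregate=1024 * 1024)
    except ArchiveLimitExceeded as exc:
        print("rejected:", exc)
```

Lowering `max_aggregate` to 1 MiB makes the padding entry trip the cap, which is the shape a decompression bomb takes: tiny on disk, huge once inflated.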
- Fixed [#344](https://github.com/mongodb/kingfisher/issues/344): baseline fingerprints no longer have to be hexadecimal. The fingerprint value emitted by scan output (JSON, JSONL, pretty, SARIF) can now be copied directly into a baseline file and will match on the next scan. --manage-baseline now writes fingerprints in decimal to match scan output, and legacy 16-char hex (and 0x-prefixed hex) entries continue to be accepted, so existing baseline files keep working unchanged.
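An added example of the accepting parser described in the #344 fix (illustration only, not Kingfisher's implementation): each baseline entry is normalised to an integer whether it was written as decimal, legacy 16-character hex, or 0x-prefixed hex, and output is rendered in decimal to match scan output. Assumptions: fingerprints fit in 64 bits, an all-digit string is read as decimal even when it happens to be 16 characters long, and the baseline file is modelled as one entry per line (the real file format is not described here).

```python
import re

# Added illustration of the fingerprint formats named in the changelog; the
# function names and the line-per-entry baseline layout are assumptions.
_HEX16 = re.compile(r"[0-9a-fA-F]{16}")
U64_MAX = (1 << 64) - 1


def parse_baseline_fingerprint(text: str) -> int:
    """Normalise one baseline entry to an integer fingerprint.

    Accepted: plain decimal (current scan output), legacy 16-char hex, and
    0x-prefixed hex.  Assumption: an all-ASCII-digit string is decimal.
    """
    s = text.strip()
    if s.lower().startswith("0x"):
        value = int(s[2:], 16)
    elif s.isascii() and s.isdigit():
        value = int(s, 10)
    elif _HEX16.fullmatch(s):
        value = int(s, 16)
    else:
        raise ValueError(f"unrecognised fingerprint format: {text!r}")
    if value > U64_MAX:
        raise ValueError(f"fingerprint {text!r} does not fit in 64 bits")
    return value


def format_fingerprint(value: int) -> str:
    """Render a fingerprint the way scan output does: plain decimal."""
    return str(value)


def load_baseline(lines) -> set:
    """Build the set of baselined fingerprints from an iterable of lines,
    skipping blanks and '#' comments (constructed layout, see lead-in)."""
    fingerprints = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fingerprints.add(parse_baseline_fingerprint(line))
    return fingerprints


def is_baselined(fingerprint: int, baseline: set) -> bool:
    """True when a finding's fingerprint is already accepted in the baseline."""
    return fingerprint in baseline


# Constructed sample baseline mixing all three accepted forms.
SAMPLE_BASELINE = """\
# constructed sample, mixed formats
1234567890123456789
0x00000000deadbeef
00000000cafebabe
"""


if __name__ == "__main__":
    baseline = load_baseline(SAMPLE_BASELINE.splitlines())
    for fp in sorted(baseline):
        print(format_fingerprint(fp), "baselined:", is_baselined(fp, baseline))
```

Round-tripping `format_fingerprint` through `parse_baseline_fingerprint` is the property the fix restores: whatever the scan prints can be pasted into the baseline and will match.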
- Update X-GitHub-Api-Version to 2026-03-10 for /credentials/revoke
endpoint (the endpoint is only documented under this API version).
- Clarify sha256_b32 filter description: note that the optional `len`
parameter may produce output that is not valid RFC 4648 Base32.
- Move base32 to [workspace.dependencies] and reference it via
.workspace = true from both the root crate and kingfisher-rules
to avoid version skew.
- Prevented transient HTTP validation failures (429/5xx) from being cached, avoiding cache poisoning that could suppress later successful validations in the same scan.
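An added example (not the project's code) contrasting the pre-fix cache with the corrected one: a validation cache keyed by credential fingerprint that memoises only definitive HTTP outcomes, so a 429 or 5xx from the first attempt cannot shadow a later successful validation in the same scan. The endpoint is a constructed stand-in that rate-limits once and then answers; names are assumptions.

```python
from typing import Callable, Dict, Optional, Tuple

# Added illustration; the transient set follows the changelog (429 and 5xx).
TRANSIENT_STATUSES = frozenset({429}) | frozenset(range(500, 600))


def is_transient(status: int) -> bool:
    """A transient status says nothing about whether the credential is live."""
    return status in TRANSIENT_STATUSES


class ValidationCache:
    """Per-scan memo of validation outcomes keyed by credential fingerprint."""

    def __init__(self, cache_transient: bool = False) -> None:
        # cache_transient=True reproduces the pre-fix behaviour for contrast.
        self._results: Dict[str, int] = {}
        self._cache_transient = cache_transient

    def get(self, key: str) -> Optional[int]:
        return self._results.get(key)

    def put(self, key: str, status: int) -> bool:
        """Store an outcome; returns False when it was deliberately left uncached."""
        if is_transient(status) and not self._cache_transient:
            return False
        self._results[key] = status
        return True


def validate(cache: ValidationCache, key: str,
             request: Callable[[], int]) -> Tuple[int, bool]:
    """Return (status, from_cache); only definitive outcomes are memoised."""
    cached = cache.get(key)
    if cached is not None:
        return cached, True
    status = request()
    cache.put(key, status)
    return status, False


def make_flaky_endpoint(responses) -> Callable[[], int]:
    """Constructed stand-in for a validation endpoint: replays the given
    status sequence, then keeps returning the last one."""
    it = iter(responses)
    last = responses[-1]

    def request() -> int:
        return next(it, last)

    return request


if __name__ == "__main__":
    for label, cache in (("pre-fix", ValidationCache(cache_transient=True)),
                         ("fixed", ValidationCache())):
        endpoint = make_flaky_endpoint([429, 200, 200])
        outcomes = [validate(cache, "fp:constructed-1", endpoint) for _ in range(3)]
        print(label, outcomes)
```

With the pre-fix cache the first 429 is stored and every later lookup returns it, so the credential is never reported as valid; with the fix the 429 is discarded, the retry reaches the endpoint, and the 200 is what gets cached.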