kingfisher

Author	SHA1	Message	Date
Mick Grove	8d9f5bed40	Added first-class Postman scanning target: new kingfisher scan postman subcommand (and equivalent --postman-* flags) fetches workspaces, collections, and environments via the Postman API and scans them for hard-coded credentials in request auth blocks, pre-request/test scripts, saved example responses, and — notably — secret-typed environment variables, which the API returns in plaintext despite the UI mask. Selectors: --workspace, --collection, --environment, --all, with optional --include-mocks-monitors and --api-url for self-hosted endpoints. Authenticates via KF_POSTMAN_TOKEN (or POSTMAN_API_KEY) sent as X-Api-Key; honors X-RateLimit-RetryAfter on 429s. Findings link back to https://go.postman.co/... URLs in reports.	2026-04-29 08:58:11 -07:00
Mick Grove	60931c11a9	added Teams support	2026-03-13 17:39:34 -07:00
Mick Grove	bde7002877	change in response to code review	2025-10-16 10:52:33 -07:00
Mick Grove	03d7364888	- Added first-class Hugging Face scanning support, including CLI enumeration, token authentication, and integration with remote scans. - Condensed GitError formatting to report the exit status and the first informative lines from stdout/stderr, producing concise git clone failure logs. - Added support for scanning Google Cloud Storage buckets via --gcs-bucket, including optional prefixes and service-account authentication. - Added --skip-aws-account (now accepting comma-separated values) and --skip-aws-account-file to bypass live AWS validation for known canary/honey-token account IDs without triggering alerts. Kingfisher now ships with several canary AWS account IDs pre-seeded in the skip list and now reports matching findings as "Not Attempted" with the "Response" containing "(skip list entry)" so its clear that validation was intentionally skipped and why.	2025-10-15 22:47:40 -07:00
Mick Grove	7e5bdf59ef	Updated README	2025-10-05 16:42:29 -07:00
Mick Grove	81574833f7	Updated README	2025-10-05 16:37:15 -07:00

6 commits