kingfisher

Mick Grove a4cf3990a5 webhook support and kingfisher configuration yaml support	2026-05-03 22:11:26 -07:00
..
assets/icons	Added first-class Postman scanning target: new kingfisher scan postman subcommand (and equivalent --postman-* flags) fetches workspaces, collections, and environments via the Postman API and scans them for hard-coded credentials in request auth blocks, pre-request/test scripts, saved example responses, and — notably — secret-typed environment variables, which the API returns in plaintext despite the UI mask. Selectors: --workspace, --collection, --environment, --all, with optional --include-mocks-monitors and --api-url for self-hosted endpoints. Authenticates via KF_POSTMAN_TOKEN (or POSTMAN_API_KEY) sent as X-Api-Key; honors X-RateLimit-RetryAfter on 429s. Findings link back to https://go.postman.co/... URLs in reports.	2026-04-29 08:58:11 -07:00
benchmark	preparing for v1.12	2025-06-24 17:17:16 -07:00
demos	updated README	2026-03-05 13:23:07 -08:00
viewer	improved access map viewer	2026-04-30 18:11:10 -07:00
ACCESS_MAP.md	improved access map viewer	2026-04-30 18:11:10 -07:00
ADVANCED.md	--self-update (alias --update) on a scan or other command now re-execs into the freshly installed binary so the current invocation completes with the new code and the latest detection rules. Previously the on-disk binary was replaced but the running process kept using the old in-memory version, requiring a second invocation to pick up the changes. On Unix this is a true exec() (same PID); on Windows the new binary is spawned and the parent exits with its status code. The explicit kingfisher self-update subcommand still updates and exits without re-execing. Self-update now also covers Windows arm64 (the asset was already published; the runtime cfg map gained the missing arm). See docs/ADVANCED.md → Update Checks.	2026-05-01 20:14:27 -07:00
AGENTS.md	added more access-maps	2026-04-01 10:20:52 -07:00
ALERTS.md	webhook support and kingfisher configuration yaml support	2026-05-03 22:11:26 -07:00
ARCHITECTURE.md	Replaced tree-sitter with a lighter parser-based context verifier built from handwritten lexers plus tl/cssparser, preserving context-dependent matching while cutting about 19 MB from the release binary.	2026-04-07 23:20:17 -07:00
BASELINE.md	- Fixed the HTML access-map viewer dark mode so charts redraw correctly on theme changes and follow the system color scheme until manually overridden.	2026-04-20 17:54:51 -07:00
binary-size-comparison.png	Replaced tree-sitter with a lighter parser-based context verifier built from handwritten lexers plus tl/cssparser, preserving context-dependent matching while cutting about 19 MB from the release binary.	2026-04-07 23:20:17 -07:00
COMPARISON.md	Replaced tree-sitter with a lighter parser-based context verifier built from handwritten lexers plus tl/cssparser, preserving context-dependent matching while cutting about 19 MB from the release binary.	2026-04-07 23:20:17 -07:00
CONFIG.md	webhook support and kingfisher configuration yaml support	2026-05-03 22:11:26 -07:00
CONTEXT_VERIFICATION.md	updates to new rules	2026-04-15 14:37:26 -07:00
DEPLOYMENT.md	added more access-maps	2026-04-01 10:20:52 -07:00
FINGERPRINT.md	- Fixed the HTML access-map viewer dark mode so charts redraw correctly on theme changes and follow the system color scheme until manually overridden.	2026-04-20 17:54:51 -07:00
INSTALLATION.md	fixing windows installers to support new arm64 build	2026-03-06 11:53:24 -08:00
INTEGRATIONS.md	improved github organization scanning	2026-04-30 16:40:43 -07:00
kingfisher-usage-01.gif	updated README	2026-03-05 13:23:19 -08:00
kingfisher-usage-access-map-01.gif	updated README	2026-03-05 13:23:19 -08:00
kingfisher-usage-access-map-02.mp4	v1.73.0	2026-01-02 12:49:58 -08:00
kingfisher_logo.png	preparing for v1.12	2025-06-24 17:17:16 -07:00
LIBRARY.md	performance improvements and rule improvements	2026-04-24 00:23:50 -07:00
MULTI_STEP_REVOCATION.md	added multi-step revocation support. Added revocation support for SendGrid, Netlify, Tailscale, ElevenLabs, Sourcegraph, MongoDB Atlas, Twilio, and NPM using multi-step (lookup ID then delete) pattern.	2026-02-04 22:26:57 -08:00
PARSING.md	updates to new rules	2026-04-15 14:37:26 -07:00
PYPI.md	initial support for distribution via pypi wheels	2026-02-04 12:43:13 -08:00
REVOCATION_PROVIDERS.md	updated docs	2026-04-14 22:56:19 -07:00
RULES.md	updates to new rules	2026-04-15 14:37:26 -07:00
runtime-comparison.png	updated README	2025-07-17 15:11:41 -07:00
TOKEN_REVOCATION_SUPPORT.md	- Added Vercel credential rules for new token formats introduced February 2026: vcp_ (personal access), vci_ (integration), vca_ (app access), vcr_ (app refresh), vck_ (AI Gateway API key). All use CRC32/Base62 checksum validation. Legacy 24-char format retained as kingfisher.vercel.1.	2026-02-11 13:56:17 -08:00
USAGE.md	improved github organization scanning	2026-04-30 16:40:43 -07:00

assets/icons

Added first-class **Postman** scanning target: new kingfisher scan postman subcommand (and equivalent --postman-* flags) fetches workspaces, collections, and environments via the Postman API and scans them for hard-coded credentials in request auth blocks, pre-request/test scripts, saved example responses, and — notably — secret-typed environment variables, which the API returns in plaintext despite the UI mask. Selectors: --workspace, --collection, --environment, --all, with optional --include-mocks-monitors and --api-url for self-hosted endpoints. Authenticates via KF_POSTMAN_TOKEN (or POSTMAN_API_KEY) sent as X-Api-Key; honors X-RateLimit-RetryAfter on 429s. Findings link back to https://go.postman.co/... URLs in reports.

2026-04-29 08:58:11 -07:00

benchmark

preparing for v1.12

2025-06-24 17:17:16 -07:00

demos

updated README

2026-03-05 13:23:07 -08:00

viewer

improved access map viewer

2026-04-30 18:11:10 -07:00

ACCESS_MAP.md

improved access map viewer

2026-04-30 18:11:10 -07:00

ADVANCED.md

--self-update (alias --update) on a scan or other command now **re-execs into the freshly installed binary** so the current invocation completes with the new code and the latest detection rules. Previously the on-disk binary was replaced but the running process kept using the old in-memory version, requiring a second invocation to pick up the changes. On Unix this is a true exec() (same PID); on Windows the new binary is spawned and the parent exits with its status code. The explicit kingfisher self-update subcommand still updates and exits without re-execing. Self-update now also covers Windows arm64 (the asset was already published; the runtime cfg map gained the missing arm). See docs/ADVANCED.md → *Update Checks*.

2026-05-01 20:14:27 -07:00

AGENTS.md

added more access-maps

2026-04-01 10:20:52 -07:00

ALERTS.md

webhook support and kingfisher configuration yaml support

2026-05-03 22:11:26 -07:00

ARCHITECTURE.md

Replaced tree-sitter with a lighter parser-based context verifier built from handwritten lexers plus tl/cssparser, preserving context-dependent matching while cutting about 19 MB from the release binary.

2026-04-07 23:20:17 -07:00

BASELINE.md

- Fixed the HTML access-map viewer dark mode so charts redraw correctly on theme changes and follow the system color scheme until manually overridden.

2026-04-20 17:54:51 -07:00

binary-size-comparison.png

Replaced tree-sitter with a lighter parser-based context verifier built from handwritten lexers plus tl/cssparser, preserving context-dependent matching while cutting about 19 MB from the release binary.

2026-04-07 23:20:17 -07:00

COMPARISON.md

Replaced tree-sitter with a lighter parser-based context verifier built from handwritten lexers plus tl/cssparser, preserving context-dependent matching while cutting about 19 MB from the release binary.

2026-04-07 23:20:17 -07:00

CONFIG.md

webhook support and kingfisher configuration yaml support

2026-05-03 22:11:26 -07:00

CONTEXT_VERIFICATION.md

updates to new rules

2026-04-15 14:37:26 -07:00

DEPLOYMENT.md

added more access-maps

2026-04-01 10:20:52 -07:00

FINGERPRINT.md

- Fixed the HTML access-map viewer dark mode so charts redraw correctly on theme changes and follow the system color scheme until manually overridden.

2026-04-20 17:54:51 -07:00

INSTALLATION.md

fixing windows installers to support new arm64 build

2026-03-06 11:53:24 -08:00

INTEGRATIONS.md

improved github organization scanning

2026-04-30 16:40:43 -07:00

kingfisher-usage-01.gif

updated README

2026-03-05 13:23:19 -08:00

kingfisher-usage-access-map-01.gif

updated README

2026-03-05 13:23:19 -08:00

kingfisher-usage-access-map-02.mp4

v1.73.0

2026-01-02 12:49:58 -08:00

kingfisher_logo.png

preparing for v1.12

2025-06-24 17:17:16 -07:00

LIBRARY.md

performance improvements and rule improvements

2026-04-24 00:23:50 -07:00

MULTI_STEP_REVOCATION.md

added multi-step revocation support. Added revocation support for SendGrid, Netlify, Tailscale, ElevenLabs, Sourcegraph, MongoDB Atlas, Twilio, and NPM using multi-step (lookup ID then delete) pattern.

2026-02-04 22:26:57 -08:00

PARSING.md

updates to new rules

2026-04-15 14:37:26 -07:00

PYPI.md

initial support for distribution via pypi wheels

2026-02-04 12:43:13 -08:00

REVOCATION_PROVIDERS.md

updated docs

2026-04-14 22:56:19 -07:00

RULES.md

updates to new rules

2026-04-15 14:37:26 -07:00

runtime-comparison.png

updated README

2025-07-17 15:11:41 -07:00

TOKEN_REVOCATION_SUPPORT.md

- Added Vercel credential rules for new token formats introduced February 2026: vcp_ (personal access), vci_ (integration), vca_ (app access), vcr_ (app refresh), vck_ (AI Gateway API key). All use CRC32/Base62 checksum validation. Legacy 24-char format retained as kingfisher.vercel.1.

2026-02-11 13:56:17 -08:00

USAGE.md

improved github organization scanning

2026-04-30 16:40:43 -07:00