
chore(deps): update pre-commit hook mongodb/kingfisher to v1.99.0#2440

Merged: renovate[bot] merged 1 commit into main from renovate/mongodb-kingfisher-1.x on May 10, 2026

Conversation


@renovate renovate Bot commented May 9, 2026

This PR contains the following updates:

Package: mongodb/kingfisher
Type: repository
Update: minor
Change: v1.97.0 → v1.99.0

Note: The pre-commit manager in Renovate is not supported by the pre-commit maintainers or community. Please do not report any problems there, instead create a Discussion in the Renovate repository if you have any questions.


Release Notes

mongodb/kingfisher (mongodb/kingfisher)

v1.99.0


  • Fixed #371: pip install kingfisher-bin on glibc Linux distros (Ubuntu, Debian, RHEL, Fedora, …) installed a macOS Mach-O binary and failed with OSError: [Errno 8] Exec format error. Linux wheels are now tagged manylinux_2_17_<arch>.musllinux_1_2_<arch> (instead of musllinux_1_2_<arch> only), so pip accepts them on both glibc-2.17+ and musl distros. The pypi/hatch_build.py hook now hard-fails when KINGFISHER_PYPI_WHEEL_TAG is unset, and the publish workflow refuses to upload any py3-none-any.whl, so the v1.92.0-era pure-Python wheel cannot recur.
  • --self-update (alias --update) on a scan or other command now re-execs into the freshly installed binary so the current invocation completes with the new code and the latest detection rules. Previously the on-disk binary was replaced but the running process kept using the old in-memory version, requiring a second invocation to pick up the changes. On Unix this is a true exec() (same PID); on Windows the new binary is spawned and the parent exits with its status code. The explicit kingfisher self-update subcommand still updates and exits without re-execing. Self-update now also covers Windows arm64 (the asset was already published; the runtime cfg map gained the missing arm). See docs/ADVANCED.md, section Update Checks.
  • --include-contributors now respects --github-repo-type when enumerating contributor-owned repositories: by default contributor forks are excluded (matching the existing Source default), previously they were always included regardless of the flag. Added a new --github-repo-type all option to opt into the prior behavior of scanning both source and fork repos for contributors, organizations, and users.
  • Access Map: Pinecone API keys (validated kingfisher.pinecone.1): caller resources via GET /indexes (with serverless cloud/region or pod environment metadata, deletion-protection state) and GET /collections; standalone kingfisher access-map pinecone (alias pinecone.io).
  • Added --blast-radius as an alias for --access-map on kingfisher scan, and kingfisher blast-radius <provider> as an alias for the kingfisher access-map <provider> subcommand, so the user-facing "blast radius" concept matches the CLI invocation.
  • Webhook alerting — Discord, Mattermost, and Google Chat targets: --alert-format now accepts discord (color-coded embeds), mattermost (Slack-compatible attachments), and googlechat (cardsV2 cards). Discord and Google Chat URLs are auto-inferred from the webhook host; Mattermost requires --alert-format mattermost since it is always self-hosted. All five chat targets (Slack, Teams, Discord, Mattermost, Google Chat) plus the Generic JSON sink can be combined in a single run via repeated --alert-webhook flags or alerts.webhooks entries in kingfisher.yaml.
  • Webhook alerting — --alert-detail mode: new --alert-detail auto|summary|detail flag controls per-finding verbosity. auto (default) renders inline findings for ≤ 25 filtered results and drops to a summary card for larger scans so high-volume runs do not flood the channel. summary always suppresses per-finding blocks; detail always renders them. Per-webhook overrides are available via detail: in kingfisher.yaml.
  • Webhook alerting — --alert-report-url pivot link: pass a CI run URL (or set KINGFISHER_ALERT_REPORT_URL) to embed a one-click "Full report →" link in every chat payload. In GitHub Actions, pair with github.server_url/${{ github.repository }}/actions/runs/${{ github.run_id }} to land the responder directly in the SARIF view for that run.
  • Webhook alerting — fingerprints in chat payloads: every finding rendered in detail mode now includes its stable fingerprint ID (e.g. fp:1635470773610661884), matching the value emitted in JSON/JSONL/SARIF/baseline outputs. SOAR playbooks and SIEM rules can use these IDs to dedupe across runs without a separate correlation step.
  • Webhook alerting — scan target in all alert modes: the "Target" line in chat payloads now correctly reflects the actual scan target for all input modes (GitHub org/user, GitLab group, Bitbucket workspace, S3/GCS bucket, Docker image, Jira/Confluence, Slack, Teams, Postman, etc.), not just local path scans.
  • kingfisher.yaml reaches near-CLI parity: scalar overrides for --confidence, --redact, --format, --baseline-file, --tls-mode, validation tuning (timeout / retries / rps / per-rule rps), filters (--max-file-size, --no-binary, --extraction-depth, --skip-aws-account*), output (--output), git options (--git-clone-dir, --keep-clones, --repo-clone-limit, --include-contributors), alerts.defaults.*, and global flags (--allow-internal-ips, --no-update-check, --user-agent-suffix, --endpoint). Precedence is CLI > env > config > built-in default (clap ValueSource decides per-flag); list-typed values stay additive. Scan-target inputs (paths, --git-url, provider user/org/bucket flags) remain CLI-only by design. The config is loaded only when --config FILE is passed explicitly — there is no auto-discovery, so scan results never depend on which directory the binary was launched from. See docs/CONFIG.md.
  • kingfisher config init subcommand: convert an existing kingfisher scan ... invocation into a reusable kingfisher.yaml by replacing scan with config init (e.g. kingfisher config init --confidence high --redact --exclude vendor/ > kingfisher.yaml). Only flags the user actually supplied appear in the output — clap defaults are stripped — and scan-target inputs are dropped. Writes to stdout by default, or to --out FILE (with --force to overwrite).
  • Access Map UI redesign in the report viewer: identities are now grouped into collapsible per-provider sections (admin-bearing providers first); permissions are classified by severity (admin / privilege escalation / risky / read-only) with color-coded badges and rollup chips on each card header; the expanded card body renders permissions once per group with a "These permissions apply to all N resources above" banner instead of repeating the same 50+ badges per resource; duplicate-named identities (e.g., multiple MongoDB admin tokens) now display a discriminator subtitle (identity_id · access_type) so they can be told apart; new "Critical only" toolbar toggle (persisted in localStorage) hides read-only permissions and zero-risk identities; the stats bar gained an admin-permission count. Imported TruffleHog/Gitleaks reports keep the previous flat rendering as a backwards-compatible fallback. Underlying JSON now includes permissions_by_severity and an identity.context discriminator on each AccessMapEntry.

v1.98.0


  • Bounded disk usage for large multi-repo scans (e.g. --include-contributors --repo-artifacts against orgs with thousands of repos): cloning, artifact fetching, and scanning now run concurrently through bounded channels, and each cloned repo is removed from the temp directory as soon as its scan completes. On-disk footprint stays roughly O(num_jobs) regardless of total repo count instead of growing without bound. --keep-clones and --git-clone-dir opt out of the per-repo cleanup as before.
  • Parallelized --repo-artifacts fetching with buffer_unordered(num_jobs) so issue/PR/wiki API calls run concurrently and stream into the scan loop, replacing the previous per-repo serial loop that delayed the start of scanning by hours on large fan-outs.
  • Streamed --format json output as compact one-envelope-per-line so concatenated per-repo emits from the parallel scan path produce valid JSONL that kingfisher view can load. Pipe through jq . for pretty-printed output.
  • Fixed a panic in the lexer when a string literal ends in a trailing backslash ('... \); the escape handling now clamps past-EOF so extract_literal_values returns instead of slicing out of bounds.
  • Added first-class Postman scanning target: new kingfisher scan postman subcommand (and equivalent --postman-* flags) fetches workspaces, collections, and environments via the Postman API and scans them for hard-coded credentials in request auth blocks, pre-request/test scripts, saved example responses, and — notably — secret-typed environment variables, which the API returns in plaintext despite the UI mask. Selectors: --workspace, --collection, --environment, --all, with optional --include-mocks-monitors and --api-url for self-hosted endpoints. Authenticates via KF_POSTMAN_TOKEN (or POSTMAN_API_KEY) sent as X-Api-Key; honors X-RateLimit-RetryAfter on 429s. Findings link back to https://go.postman.co/... URLs in reports.
  • Fixed #359: added kingfisher.github.9 to detect the new ~520-character stateless GitHub App installation token format (ghs_<APP_ID>_<JWT>). The legacy 36-character ghs_ rule (kingfisher.github.5) is retained for older / GHES-issued tokens that are still in circulation.
  • Added provider endpoint overrides for validation and revocation via global --endpoint PROVIDER=URL and --endpoint-config FILE, with built-in support for self-hosted GitHub, GitLab, Gitea, Jira, Confluence, and Artifactory instances.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Only on Saturday (* * * * 6)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
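The wheel-tag fix in the first v1.99.0 bullet above, as an added release-gate example (this is not kingfisher's own pypi/hatch_build.py or publish workflow): it parses PEP 427 wheel filenames and rejects the two shapes the note describes, a pure-Python py3-none-any wheel and a Linux wheel carrying only a musllinux tag. The wheel filenames are constructed for the example.

```python
"""Release guard for built wheels (added example, not kingfisher's code).

Rejects wheels that would reproduce the v1.99.0 release note's failure modes:
a py3-none-any wheel (ships whatever binary the build host had) and a Linux
wheel tagged musllinux only (pip on glibc distros refuses it).
"""
import re
from itertools import product

# PEP 427: {distribution}-{version}(-{build})?-{python}-{abi}-{platform}.whl
# The build tag, when present, must start with a digit, which is how it is
# told apart from the python tag.
_WHEEL_RE = re.compile(
    r"^(?P<dist>[^-]+)-(?P<ver>[^-]+)(?:-(?P<build>\d[^-]*))?"
    r"-(?P<py>[^-]+)-(?P<abi>[^-]+)-(?P<plat>[^-]+)\.whl$"
)

def wheel_tags(filename: str) -> set[tuple[str, str, str]]:
    """Expand a wheel's compressed tag set into individual (py, abi, plat) tuples."""
    m = _WHEEL_RE.match(filename)
    if not m:
        raise ValueError(f"not a PEP 427 wheel filename: {filename}")
    return set(product(m["py"].split("."), m["abi"].split("."), m["plat"].split(".")))

def check_wheel(filename: str) -> list[str]:
    """Return the reasons this wheel must not be published; an empty list means OK."""
    tags = wheel_tags(filename)
    plats = {plat for _, _, plat in tags}
    problems = []
    if ("py3", "none", "any") in tags:
        problems.append("pure-Python py3-none-any wheel: binary wheels only")
    # A Linux wheel must carry a manylinux tag; musllinux alone only installs on musl.
    linux = {p for p in plats if p.startswith(("manylinux", "musllinux"))}
    if linux and not any(p.startswith("manylinux") for p in linux):
        problems.append("Linux wheel lacks a manylinux tag: glibc distros would reject it")
    return problems

def publish_guard(filenames) -> dict[str, list[str]]:
    """Map each rejected wheel to its problems; an empty dict means the batch may ship."""
    return {f: p for f in filenames if (p := check_wheel(f))}

# Constructed sample batch (not real release artifacts).
SAMPLE_WHEELS = [
    "kingfisher_bin-0.0.0-py3-none-manylinux_2_17_x86_64.musllinux_1_2_x86_64.whl",
    "kingfisher_bin-0.0.0-py3-none-musllinux_1_2_aarch64.whl",
    "kingfisher_bin-0.0.0-py3-none-any.whl",
    "kingfisher_bin-0.0.0-py3-none-macosx_11_0_arm64.whl",
]

if __name__ == "__main__":
    for wheel, why in publish_guard(SAMPLE_WHEELS).items():
        print(f"REJECT {wheel}: {'; '.join(why)}")
```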

@renovate renovate Bot added the dependencies Third-party library dependencies. label May 9, 2026
@renovate renovate Bot enabled auto-merge (squash) May 10, 2026 08:51
@renovate renovate Bot force-pushed the renovate/mongodb-kingfisher-1.x branch from 2179236 to ae1c7af May 10, 2026 08:51
@renovate renovate Bot merged commit 4fefac3 into main May 10, 2026
15 checks passed
@renovate renovate Bot deleted the renovate/mongodb-kingfisher-1.x branch May 10, 2026 08:53