v1.98.0

Compare Source

• Bounded disk usage for large multi-repo scans (e.g. --include-contributors --repo-artifacts against orgs with thousands of repos): cloning, artifact fetching, and scanning now run concurrently through bounded channels, and each cloned repo is removed from the temp directory as soon as its scan completes. On-disk footprint stays roughly O(num_jobs) regardless of total repo count instead of growing without bound. --keep-clones and --git-clone-dir opt out of the per-repo cleanup as before.
• Parallelized --repo-artifacts fetching with buffer_unordered(num_jobs) so issue/PR/wiki API calls run concurrently and stream into the scan loop, replacing the previous per-repo serial loop that delayed the start of scanning by hours on large fan-outs.
• Streamed --format json output as compact one-envelope-per-line so concatenated per-repo emits from the parallel scan path produce valid JSONL that kingfisher view can load. Pipe through jq . for pretty-printed output.
• Fixed a panic in the lexer when a string literal ends in a trailing backslash ('... \); the escape handling now clamps past-EOF so extract_literal_values returns instead of slicing out of bounds.
• Added first-class Postman scanning target: new kingfisher scan postman subcommand (and equivalent --postman-* flags) fetches workspaces, collections, and environments via the Postman API and scans them for hard-coded credentials in request auth blocks, pre-request/test scripts, saved example responses, and — notably — secret-typed environment variables, which the API returns in plaintext despite the UI mask. Selectors: --workspace, --collection, --environment, --all, with optional --include-mocks-monitors and --api-url for self-hosted endpoints. Authenticates via KF_POSTMAN_TOKEN (or POSTMAN_API_KEY) sent as X-Api-Key; honors X-RateLimit-RetryAfter on 429s. Findings link back to https://go.postman.co/... URLs in reports.
• Fixed #​359: added kingfisher.github.9 to detect the new ~520-character stateless GitHub App installation token format (ghs_<APP_ID>_<JWT>). The legacy 36-character ghs_ rule (kingfisher.github.5) is retained for older / GHES-issued tokens that are still in circulation.
• Added provider endpoint overrides for validation and revocation via global --endpoint PROVIDER=URL and --endpoint-config FILE, with built-in support for self-hosted GitHub, GitLab, Gitea, Jira, Confluence, and Artifactory instances.