mongodb · mickgmdb · Oct 24, 2025 · Oct 21, 2025 · Oct 21, 2025 · Oct 22, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,7 +2,16 @@
 
 All notable changes to this project will be documented in this file.
 
+## [v1.60.0]
+- Removed the `--bitbucket-username`, `--bitbucket-token`, and `--bitbucket-oauth-token` flags in favour of `KF_BITBUCKET_*` environment variables when authenticating to Bitbucket.
+- Added provider-specific `kingfisher scan` subcommands (for example `kingfisher scan github …`) that translate into the legacy flags under the hood. The new layout keeps backwards compatibility while removing the wall of provider options from `kingfisher scan --help`.
+- Updated the README so every provider example (GitHub, GitLab, Bitbucket, Azure Repos, Gitea, Hugging Face, Slack, Jira, Confluence, S3, GCS, Docker) uses the new subcommand style.
+- Legacy provider flags (for example `--github-user`, `--gitlab-group`, `--bitbucket-workspace`, `--s3-bucket`) still work but now emit a deprecation warning to encourage migration to the new `kingfisher scan <provider>` flow.
+- Kept the direct `kingfisher scan /path/to/dir` flow for local filesystem / local git repo scans while adding a `--list-only` switch to each provider subcommand so repository enumeration no longer requires the standalone `github repos`, `gitlab repos`, etc. commands.
+- Removed the legacy top-level provider commands (`kingfisher github`, `kingfisher gitlab`, `kingfisher gitea`, `kingfisher bitbucket`, `kingfisher azure`, `kingfisher huggingface`) now that enumeration lives under `kingfisher scan <provider> --list-only`.
+
 ## [v1.59.0]
+- Fixed `kingfisher scan github …` (and other provider-specific subcommands) so they no longer demand placeholder path arguments before the CLI accepts the request.
 - Fixed `kingfisher scan` so that providing `--branch` without `--since-commit` now diffs the branch against the empty tree and scans every commit reachable from that branch.
 - Added rules for meraki, duffel, finnhub, frameio, freshbooks, gitter, infracost, launchdarkly, lob, maxmind, messagebird, nytimes, prefect, scalingo, sendinblue, sentry, shippo, twitch, typeform
 

diff --git a/Cargo.toml b/Cargo.toml
@@ -10,7 +10,7 @@ publish = false
 
 [package]
 name = "kingfisher"
-version = "1.59.0"
+version = "1.60.0"
 description = "MongoDB's blazingly fast and accurate secret scanning and validation tool"
 edition.workspace = true
 rust-version.workspace = true

diff --git a/README.md b/README.md
diff --git a/data/rules/maxmind.yml b/data/rules/maxmind.yml
@@ -15,16 +15,48 @@ rules:
       - license_key="ZXCVBN_0987654321abcdef1234567890abc_mmk"
     references:
       - https://dev.maxmind.com/geoip/docs/web-services
+    depends_on_rule:
+      - rule_id: kingfisher.maxmind.2
+        variable: ACCOUNT_ID
     validation:
       type: Http
       content:
         request:
           method: GET
-          url: https://geoip.maxmind.com/geoip/v2.1/city/me?license_key={{ TOKEN }}
+          url: https://geoip.maxmind.com/geoip/v2.1/city/me
           headers:
+            Authorization: "Basic {{ ACCOUNT_ID | append: ':' | append: TOKEN | b64enc }}"
-            Authorization: "Basic {{ ACCOUNT_ID | append: ':' | append: TOKEN | b64enc }}"
+            Authorization: "Basic {{ ACCOUNT_ID | concat: ':' | concat: TOKEN | b64enc }}"
-            Authorization: "Basic {{ ACCOUNT_ID | append: ':' | append: TOKEN | b64enc }}"
+            Authorization: "Basic {{ ACCOUNT_ID | concat: ':' | concat: TOKEN | b64enc }}"
             Accept: application/json
           response_matcher:
             - report_response: true
             - type: StatusMatch
               status:
                 - 200
+  - name: MaxMind Account ID
+    id: kingfisher.maxmind.2
+    pattern: |
+      (?xi)
+      (?:maxmind|geoip|geolite)
+      (?:.|[\n\r]){0,40}?
+      (?:account|user)
+      (?:.|[\n\r]){0,10}?
+      (?:id|number)
+      (?:.|[\n\r]){0,10}?
+      [:=\s]+
+      \s*
+      ["']?
+      \b
+      (
+        \d{4,8}
+      )
+      \b
+      ["']?
+    min_entropy: 2.0
+    confidence: low
+    examples:
+      - MAXMIND_ACCOUNT_ID=123456
+      - AccountID 988765
+      - '"maxmind": {"account_id": "654321", "license_key": "..."}'
+      - 'geoip_account_number: 456789'
+    references:
+      - https://dev.maxmind.com/geoip/docs/web-services
diff --git a/data/rules/prefect.yml b/data/rules/prefect.yml
@@ -20,7 +20,7 @@ rules:
       content:
         request:
           method: GET
-          url: https://api.prefect.cloud/api/me
+          url: https://api.prefect.cloud/api/me/workspaces
           headers:
             Authorization: 'Bearer {{ TOKEN }}'
             Accept: application/json

diff --git a/src/bitbucket.rs b/src/bitbucket.rs
@@ -55,6 +55,10 @@ impl AuthConfig {
         Self { username, password, bearer_token }
     }
 
+    pub fn from_env() -> Self {
+        Self::from_options(None, None, None)
+    }
+
     fn apply(&self, request: reqwest::RequestBuilder) -> reqwest::RequestBuilder {
         if let Some(token) = &self.bearer_token {
             request.bearer_auth(token)

diff --git a/src/cli/commands/bitbucket.rs b/src/cli/commands/bitbucket.rs
@@ -6,17 +6,9 @@ use crate::cli::commands::output::OutputArgs;
 
 #[derive(Args, Debug, Clone, Default)]
 pub struct BitbucketAuthArgs {
-    /// Username for Bitbucket basic authentication (app password or server)
-    #[arg(long)]
-    pub bitbucket_username: Option<String>,
-
-    /// Bitbucket app password, PAT, or server token
-    #[arg(long = "bitbucket-token", alias = "bitbucket-password")]
-    pub bitbucket_token: Option<String>,
-
-    /// Bitbucket OAuth token for bearer authentication
-    #[arg(long = "bitbucket-oauth-token", alias = "bitbucket-oauth")]
-    pub bitbucket_oauth_token: Option<String>,
+    /// Bitbucket credentials are sourced from KF_BITBUCKET_* environment variables.
+    #[arg(skip)]
+    _env_only: (),
 }
 
 /// Top-level Bitbucket command group