Kingfisher
Kingfisher is a blazingly fast and highly accurate tool for secret detection and live validation across files, Git repos, GitHub, GitLab, Azure Repos, BitBucket, Gitea, AWS S3, Docker images, Slack, Teams, Jira, and Confluence
# Kingfisher: Open Source Secret Scanner with Live Validation

<p align="center">
<img src="docs/kingfisher_logo.png" alt="Kingfisher Logo" width="126" height="173" style="vertical-align: right;" />
Kingfisher is an open source secret scanner and live secret validation tool built in Rust.
It combines Intel's SIMD-accelerated regex engine (Hyperscan) with language-aware parsing to achieve high accuracy at massive scale, and ships with hundreds of built-in rules to detect, validate, and triage leaked API keys, tokens, and credentials before they ever reach production.
Designed for offensive security engineers and blue-team defenders alike, Kingfisher helps you scan repositories, cloud storage, chat, docs, and CI pipelines to find and verify exposed secrets quickly.
</p>

Learn more: Introducing Kingfisher: Real‑Time Secret Detection and Validation
## What Is Kingfisher?
Kingfisher is a high-performance, open source secret detection tool for source code and developer platforms. If you are searching for a "GitHub secret scanner," "API key scanner," "token leak detection," or "Git secrets scanner," this project is built for that workflow.
- Scan code, Git history, and integrated platforms (GitHub, GitLab, Azure Repos, Bitbucket, Gitea, Hugging Face, Jira, Confluence, Slack, Microsoft Teams, Docker, AWS S3, and Google Cloud Storage)
- Validate discovered credentials against provider APIs to reduce false positives
- Revoke supported secrets directly from the CLI
- Generate JSON, SARIF, TOON, and HTML outputs for security teams, compliance, and CI
## Key Features

### Multiple Scan Targets
<div align="center">

| Files / Dirs | Local Git | GitHub | GitLab | Azure Repos | Bitbucket | Gitea | Hugging Face |
|:-------------:|:----------:|:------:|:------:|:-------------:|:----------:|:------:|:-------------:|
| <img src="./docs/assets/icons/files.svg" height="40" alt="Files / Dirs"/><br/><sub>Files / Dirs</sub> | <img src="./docs/assets/icons/local-git.svg" height="40" alt="Local Git"/><br/><sub>Local Git</sub> | <img src="./docs/assets/icons/github.svg" height="40" alt="GitHub"/><br/><sub>GitHub</sub> | <img src="./docs/assets/icons/gitlab.svg" height="40" alt="GitLab"/><br/><sub>GitLab</sub> | <img src="./docs/assets/icons/azure-devops.svg" height="40" alt="Azure Repos"/><br/><sub>Azure Repos</sub> | <img src="./docs/assets/icons/bitbucket.svg" height="40" alt="Bitbucket"/><br/><sub>Bitbucket</sub> | <img src="./docs/assets/icons/gitea.svg" height="40" alt="Gitea"/><br/><sub>Gitea</sub> | <img src="./docs/assets/icons/huggingface.svg" height="40" width="40" alt="Hugging Face"/><br/><sub>Hugging Face</sub> |

| Docker | Jira | Confluence | Slack | Teams | AWS S3 | Google Cloud |
|:------:|:----:|:-----------:|:-----:|:-----:|:------:|:---:|
| <img src="./docs/assets/icons/docker.svg" height="40" alt="Docker"/><br/><sub>Docker</sub> | <img src="./docs/assets/icons/jira.svg" height="40" alt="Jira"/><br/><sub>Jira</sub> | <img src="./docs/assets/icons/confluence.svg" height="40" alt="Confluence"/><br/><sub>Confluence</sub> | <img src="./docs/assets/icons/slack.svg" height="40" alt="Slack"/><br/><sub>Slack</sub> | <img src="./docs/assets/icons/teams.svg" height="40" alt="Microsoft Teams"/><br/><sub>Teams</sub> | <img src="./docs/assets/icons/aws-s3.svg" height="40" alt="AWS S3"/><br/><sub>AWS S3</sub> | <img src="./docs/assets/icons/gcs.svg" height="40" alt="Google Cloud Storage"/><br/><sub>Cloud Storage</sub> |

</div>

### Performance, Accuracy, and Hundreds of Rules
- Performance: multithreaded, Hyperscan‑powered scanning built for huge codebases
- Extensible rules: hundreds of built-in detectors plus YAML-defined custom rules (docs/RULES.md)
- Validate & Revoke: live validation of discovered secrets, plus direct revocation for supported platforms (GitHub, GitLab, Slack, AWS, GCP, and more) (docs/USAGE.md)
- Revocation support matrix: current built-in revocation coverage across providers and rule IDs (docs/REVOCATION_PROVIDERS.md)
- Blast Radius Mapping: instantly map leaked keys to their effective cloud identities and exposed resources with `--access-map`. Supports AWS, GCP, Azure, GitHub, GitLab, Slack, Microsoft Teams, and more.
- Broad AI SaaS coverage: finds and validates tokens for OpenAI, Anthropic, Google Gemini, Cohere, AWS Bedrock, Voyage AI, Mistral, Stability AI, Replicate, xAI (Grok), Ollama, Langchain, Perplexity, Weights & Biases, Cerebras, Friendli, Fireworks.ai, NVIDIA NIM, Together.ai, Zhipu, and many more
- Compressed Files: Supports extracting and scanning compressed files for secrets
- SQLite Database Scanning: Automatically extracts and scans SQLite database contents for secrets stored in table rows
- Python Bytecode (.pyc) Scanning: Extracts and scans string constants from compiled Python (`.pyc`, `.pyo`) files
- Baseline management: generate and track baselines to suppress known secrets (docs/BASELINE.md)
- Checksum-aware detection: verifies tokens with built-in checksums (e.g., GitHub, Confluent, Zuplo) — no API calls required
- Built-in Report Viewer: Visualize and triage findings locally with `kingfisher view ./report-file.json`
- Audit reporting: Generate compliance-oriented HTML reports with scan metadata and validation ordering
- Library crates: Embed Kingfisher's scanning engine in your own Rust applications (docs/LIBRARY.md)
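The bytecode-scanning bullet above says Kingfisher extracts string constants from compiled Python files. The script below is an added example, not Kingfisher's code, showing how such extraction works end to end: it byte-compiles a constructed sample module, checks the `.pyc` magic number, skips the 16-byte header (the Python 3.7+ layout, assumed here), unmarshals the module code object, walks every nested code object's `co_consts`, and runs an illustrative AWS access-key-id regex over the recovered strings. The sample module, the regex, and all function names are constructed for this example; the key value is the AWS documentation example, not a live credential.

```python
import importlib.util
import marshal
import py_compile
import re
import tempfile
import types
from pathlib import Path

# Assumed .pyc layout for Python 3.7+: 4-byte magic, 4-byte flags,
# 8 bytes of mtime+size (or source hash), then the marshalled code object.
PYC_HEADER_LEN = 16

# Constructed sample module. The key is the AWS documentation example value.
SAMPLE_SOURCE = '''
GREETING = "hello"

def connect():
    """Build a client (constructed sample)."""
    access_key = "AKIAIOSFODNN7EXAMPLE"
    return access_key
'''

# Illustrative detector for an AWS access key id (not Kingfisher's rule).
AWS_ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")


def iter_string_constants(obj):
    """Recursively yield every str (and decoded bytes) constant reachable
    from a code object, including nested functions, classes and tuples."""
    if isinstance(obj, types.CodeType):
        for const in obj.co_consts:
            yield from iter_string_constants(const)
    elif isinstance(obj, (tuple, frozenset)):
        for item in obj:
            yield from iter_string_constants(item)
    elif isinstance(obj, str):
        yield obj
    elif isinstance(obj, bytes):
        # Secrets are sometimes stored as bytes literals; scan them as text.
        yield obj.decode("latin-1")


def load_pyc(path):
    """Parse a .pyc written by the running interpreter; return its code object."""
    data = Path(path).read_bytes()
    if data[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError("not a .pyc for the running Python version")
    return marshal.loads(data[PYC_HEADER_LEN:])


def scan_pyc(path):
    """Return the sorted set of AWS-style key ids found in string constants."""
    code = load_pyc(path)
    return sorted({m.group(0)
                   for s in iter_string_constants(code)
                   for m in AWS_ACCESS_KEY_RE.finditer(s)})


def demo():
    """Compile the constructed sample to .pyc in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "app.py"
        src.write_text(SAMPLE_SOURCE)
        pyc = py_compile.compile(str(src), cfile=str(Path(tmp) / "app.pyc"),
                                 doraise=True)
        return scan_pyc(pyc)


if __name__ == "__main__":
    print(demo())
```

The point of walking `co_consts` recursively is that a key assigned inside a function or class body lives in that nested code object, not in the module's top-level constants; a scanner that only looks at the outer object misses it. A `.pyc` produced by a different interpreter version fails the magic check rather than being silently mis-parsed.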
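The checksum-aware detection bullet above notes that some token formats (GitHub among them) carry a built-in checksum, so a candidate can be rejected without any API call. The following Python is an added example, not Kingfisher's implementation, of that idea for classic 40-character GitHub tokens. It assumes the scheme GitHub described for its 2021 token format: the 6 trailing characters are the CRC32 of the 30-character random body, base62-encoded with the `0-9A-Za-z` alphabet and zero-padded; the alphabet ordering is the one used by common open-source checkers and is treated as an assumption here. All tokens in the block are constructed, and `make_token` exists only to build a checksum-consistent test value.

```python
import zlib

# Assumed scheme (GitHub's 2021 token format): <prefix> + 30 random chars
# + 6 checksum chars, checksum = base62(CRC32(body)) left-padded with '0'.
BASE62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
PREFIXES = ("ghp_", "gho_", "ghu_", "ghs_", "ghr_")  # classic 40-char tokens
BODY_LEN = 30
CHECKSUM_LEN = 6


def base62_encode(n: int) -> str:
    """Encode a non-negative integer with the assumed base62 alphabet."""
    if n == 0:
        return "0"
    digits = []
    while n:
        n, rem = divmod(n, 62)
        digits.append(BASE62[rem])
    return "".join(reversed(digits))


def github_checksum(body: str) -> str:
    """Checksum for a 30-character token body. CRC32 < 62**6, so the
    result always fits in 6 base62 characters after padding."""
    crc = zlib.crc32(body.encode("ascii")) & 0xFFFFFFFF
    return base62_encode(crc).rjust(CHECKSUM_LEN, "0")


def looks_like_github_token(token: str) -> bool:
    """Shape check only: known prefix and 36 alphanumeric characters."""
    return (token.startswith(PREFIXES)
            and len(token) == 4 + BODY_LEN + CHECKSUM_LEN
            and all(c in BASE62 for c in token[4:]))


def verify_github_token_checksum(token: str) -> bool:
    """Checksum-aware check: True only when the embedded checksum matches.
    Placeholders, truncated and mangled tokens are rejected offline."""
    if not looks_like_github_token(token):
        return False
    body = token[4:4 + BODY_LEN]
    return github_checksum(body) == token[-CHECKSUM_LEN:]


def make_token(prefix: str, body: str) -> str:
    """Constructed helper: build a checksum-consistent token for testing."""
    assert len(body) == BODY_LEN
    return prefix + body + github_checksum(body)


def triage(candidates):
    """Split regex-shaped candidates into those worth live validation
    and those that can be dropped as noise without a network call."""
    worth_validating, noise = [], []
    for candidate in candidates:
        bucket = worth_validating if verify_github_token_checksum(candidate) else noise
        bucket.append(candidate)
    return worth_validating, noise


if __name__ == "__main__":
    # Constructed samples: one consistent token, one README-style placeholder.
    good = make_token("ghp_", "A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5")
    placeholder = "ghp_" + "x" * 36
    print(triage([good, placeholder]))
```

Two properties make this a reliable pre-filter rather than a heuristic: CRC32 detects every change confined to a single byte, so a token with one corrupted body character always fails, and `"xxxxxx"` exceeds the largest 6-character base62 value a CRC32 can produce, so a placeholder like the one in the revoke example further down can never pass. Candidates that pass still need live validation; the checksum only proves the string is well-formed, not that it is active.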
## Benchmark Results

See docs/COMPARISON.md

<p align="center"> <img src="docs/runtime-comparison.png" alt="Kingfisher Runtime Comparison" style="vertical-align: center;" /> </p>

## Basic Usage Demo

```bash
kingfisher scan /path/to/scan --view-report
```
NOTE: Replay has been slowed down for demo

## Report Viewer Demo
Explore Kingfisher's built-in report viewer and its --access-map, which can show what the token (AWS, GCP, Azure, GitHub, GitLab, Slack, Microsoft Teams, and more) can actually access.
Note: when you pass --view-report, Kingfisher starts a web server on port 7890 (default) and opens it in your default browser. By default it binds to 127.0.0.1 for security. You'll see this near the end of the scan output, and Kingfisher will keep running until you stop it.
```
INFO kingfisher::cli::commands::view: Starting access-map viewer address=127.0.0.1:7890
Serving access-map viewer at http://127.0.0.1:7890 (Ctrl+C to stop)
```

Usage:

```bash
kingfisher scan /path/to/scan --access-map --view-report
```

## Table of Contents
- What Is Kingfisher?
- Key Features
- Compliance and Audit-Ready Scans
- Benchmark Results
- Getting Started
- Detection Rules
- Usage Examples
- Platform Integrations
- Advanced Features
- Documentation
- Library Usage
- Roadmap
- License
## Getting Started

### Quick Start
1: Install Kingfisher (INSTALLATION.md)

```bash
# Homebrew (Linux/macOS)
brew install kingfisher

# Or install from PyPI with uv
uv tool install kingfisher-bin

# Or use the install script (Linux/macOS)
curl -sSL https://raw.githubusercontent.com/mongodb/kingfisher/main/scripts/install-kingfisher.sh | bash
```

```powershell
# Or use PowerShell based install script on Windows
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/mongodb/kingfisher/main/scripts/install-kingfisher.ps1' -OutFile install-kingfisher.ps1
./install-kingfisher.ps1
```

```bash
# Or run with Docker (no install required)
docker run --rm -v "$PWD":/src ghcr.io/mongodb/kingfisher:latest scan /src
```

2: Scan a directory for secrets (USAGE.md)

```bash
kingfisher scan /path/to/code
```

3: Scan and view results in browser

```bash
kingfisher scan /path/to/code --view-report
```

4: Show only validated (live) secrets

```bash
kingfisher scan /path/to/code --only-valid
```

5: Revoke a discovered secret

```bash
# Revoke a GitHub token
kingfisher revoke --rule github "ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

# Revoke AWS credentials (sets access key to Inactive)
kingfisher revoke --rule aws --arg "AKIAIOSFODNN7EXAMPLE" "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
```

6: Scan a GitHub organization (INTEGRATIONS.md)

```bash
KF_GITHUB_TOKEN="ghp_..." kingfisher scan github --organization my-org
```

7: Scan a GitLab group

```bash
KF_GITLAB_TOKEN="glpat-..." kingfisher scan gitlab --group my-group
```

8: Scan Azure Repos

```bash
KF_AZURE_PAT="pat" kingfisher scan azure --organization my-org
```

9: Scan Bitbucket workspace

```bash
KF_BITBUCKET_TOKEN="token" kingfisher scan bitbucket --workspace my-team
```
