kingfisher
Kingfisher is an open-source secret scanner built in Rust that detects leaked API keys, tokens, and credentials across code repositories, cloud storage, chat platforms, and CI pipelines. It validates findings live against provider APIs to reduce false positives and can revoke compromised secrets directly from the CLI.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | mongodb/kingfisher |
| Owner | mongodb |
| Primary language | Rust |
| License | Apache-2.0 — OSI-approved |
| Stars | 1.2k |
| Forks | 108 |
| Open issues | 4 |
| Latest release | v1.106.0 (2026-07-08) |
| Last updated | 2026-07-08 |
| Source | https://github.com/mongodb/kingfisher |
What kingfisher is
High-performance secret detection tool using Intel's Hyperscan regex engine with 958+ detection rules. Supports scanning multiple platforms (GitHub, GitLab, Azure, AWS S3, Docker, Slack, etc.), generates SARIF/JSON/HTML reports, and provides a browser-based viewer for triage. Includes library crates for embedding in Rust applications.
Get the kingfisher source
Clone the repository and explore it locally.
git clone https://github.com/mongodb/kingfisher.gitcd kingfisher# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Install via Homebrew (macOS/Linux), pre-built binaries, or Docker container (ghcr.io/mongodb/kingfisher). Rust compilation from source is an option but slower.
- Configure credentials for target platforms (GitHub PAT, GitLab token, AWS S3 credentials, Slack bot token) via environment variables before scanning. Missing credentials will skip those scan targets.
- Live validation and revocation require API permissions on target platforms; ensure service accounts have appropriate scopes (e.g., token management, secret deletion).
- Custom YAML rules can extend the 958 built-in rules; define patterns, entropy checks, or checksum validation. Test rules against known leaks before deploying to production.
- Report viewer runs locally (`kingfisher view ./report.json`) or via hosted UI. Merge multiple scan outputs (SARIF, Gitleaks, TruffleHog) into a single triage interface.
When to avoid it — and what to weigh
- Need Non-Rust Embedded Scanning — Kingfisher's library mode is Rust-only. If you require embedding secret detection in Python, Node.js, or Java applications, consider Gitleaks, TruffleHog, or language-specific alternatives.
- Require Offline/Air-Gapped Operation — Live validation and blast-radius mapping require API calls to external providers. Organizations with strict network isolation may face limitations unless running in validation-disabled mode.
- Need Enterprise Support & SLA — Apache-2.0 licensed open-source project with no commercial support listed. For mission-critical environments requiring vendor SLA, consider commercial alternatives (Snyk, GitGuardian, Spectral).
- Minimal Documentation or Custom Rules Required — While documentation exists, custom YAML rule development and platform-specific integrations may require trial-and-error. Teams unfamiliar with Rust tooling may face onboarding friction.
License & commercial use
Apache License 2.0 (Apache-2.0). Permissive OSI-approved open-source license. Allows commercial use, modification, and distribution with minimal restrictions. Requires license and copyright notice retention.
Apache-2.0 is a permissive license compatible with commercial use. No restrictions on scanning proprietary code or deploying Kingfisher in enterprise environments. However, no commercial support, SLA, or warranty is provided by MongoDB or the project maintainers. Commercial users should evaluate risk tolerance for relying on community-driven maintenance.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Strong |
| Assessment confidence | High |
Kingfisher is a security tool, not a secure platform. Key considerations: (1) Live validation sends credential samples to external APIs; ensure network isolation policies allow such calls. (2) Report files contain detected secrets (often redacted); store reports securely. (3) CLI accepts credentials via environment variables; use secure secret management (e.g., HashiCorp Vault, AWS Secrets Manager) to inject credentials, not hardcoded. (4) No independent security audit listed in README. (5) Revocation relies on correct API integration; test on non-production accounts first. (6) Hyperscan library is maintained by Intel but any regex engine may have edge-case bypasses.
Alternatives to consider
Gitleaks
Established Go-based secret scanner with similar rule coverage and platform support. Lighter-weight binary, broader language integration, simpler custom rules. Less mature live validation.
TruffleHog
Python-based secret detector with proprietary entropy detection and cloud provider validation. Strong on Git history scanning and Merkle-tree optimization. More mature commercial offering (Truffle Security).
GitGuardian
Commercial SaaS platform with managed scanning, API integration, and enterprise support. No self-hosting required. Higher cost but includes incident response workflows and threat intel.
Build on kingfisher with DEV.co software developers
Deploy Kingfisher to scan repositories, cloud storage, and CI pipelines. Validate and revoke compromised credentials in minutes.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
kingfisher FAQ
Can Kingfisher scan private repositories or cloud storage without exposing credentials?
How do I add custom detection rules?
Is Kingfisher suitable for air-gapped or offline environments?
Does Kingfisher require a database or external service?
Software development & web development with DEV.co
DEV.co helps companies turn open-source tools like kingfisher into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source security stack.
Secure Your Codebase: Detect Leaked Secrets Before Production
Deploy Kingfisher to scan repositories, cloud storage, and CI pipelines. Validate and revoke compromised credentials in minutes.