DEV.co
Open-Source Security · mongodb

kingfisher

Kingfisher is an open-source secret scanner built in Rust that detects leaked API keys, tokens, and credentials across code repositories, cloud storage, chat platforms, and CI pipelines. It validates findings live against provider APIs to reduce false positives and can revoke compromised secrets directly from the CLI.

Source: GitHub — github.com/mongodb/kingfisher
1.2k
GitHub stars
108
Forks
Rust
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorymongodb/kingfisher
Ownermongodb
Primary languageRust
LicenseApache-2.0 — OSI-approved
Stars1.2k
Forks108
Open issues4
Latest releasev1.106.0 (2026-07-08)
Last updated2026-07-08
Sourcehttps://github.com/mongodb/kingfisher

What kingfisher is

High-performance secret detection tool using Intel's Hyperscan regex engine with 958+ detection rules. Supports scanning multiple platforms (GitHub, GitLab, Azure, AWS S3, Docker, Slack, etc.), generates SARIF/JSON/HTML reports, and provides a browser-based viewer for triage. Includes library crates for embedding in Rust applications.

Quickstart

Get the kingfisher source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/mongodb/kingfisher.gitcd kingfisher# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

CI/CD Pipeline Secret Detection

Scan repositories and commit history before code reaches production. Kingfisher integrates with GitHub, GitLab, and other VCS platforms to catch exposed credentials early in the development workflow.

Cloud Credential & API Key Validation

Discover and validate leaked AWS, GCP, Azure, and SaaS provider tokens with live API checks. Maps blast radius across cloud identities and exposed resources to quantify breach impact.

Post-Incident Secret Revocation

Quickly identify and revoke compromised secrets (GitHub PATs, Slack tokens, AWS keys) directly from CLI. Reduces time-to-remediation after a breach or accidental exposure.

Implementation considerations

  • Install via Homebrew (macOS/Linux), pre-built binaries, or Docker container (ghcr.io/mongodb/kingfisher). Rust compilation from source is an option but slower.
  • Configure credentials for target platforms (GitHub PAT, GitLab token, AWS S3 credentials, Slack bot token) via environment variables before scanning. Missing credentials will skip those scan targets.
  • Live validation and revocation require API permissions on target platforms; ensure service accounts have appropriate scopes (e.g., token management, secret deletion).
  • Custom YAML rules can extend the 958 built-in rules; define patterns, entropy checks, or checksum validation. Test rules against known leaks before deploying to production.
  • Report viewer runs locally (`kingfisher view ./report.json`) or via hosted UI. Merge multiple scan outputs (SARIF, Gitleaks, TruffleHog) into a single triage interface.

When to avoid it — and what to weigh

  • Need Non-Rust Embedded Scanning — Kingfisher's library mode is Rust-only. If you require embedding secret detection in Python, Node.js, or Java applications, consider Gitleaks, TruffleHog, or language-specific alternatives.
  • Require Offline/Air-Gapped Operation — Live validation and blast-radius mapping require API calls to external providers. Organizations with strict network isolation may face limitations unless running in validation-disabled mode.
  • Need Enterprise Support & SLA — Apache-2.0 licensed open-source project with no commercial support listed. For mission-critical environments requiring vendor SLA, consider commercial alternatives (Snyk, GitGuardian, Spectral).
  • Minimal Documentation or Custom Rules Required — While documentation exists, custom YAML rule development and platform-specific integrations may require trial-and-error. Teams unfamiliar with Rust tooling may face onboarding friction.

License & commercial use

Apache License 2.0 (Apache-2.0). Permissive OSI-approved open-source license. Allows commercial use, modification, and distribution with minimal restrictions. Requires license and copyright notice retention.

Apache-2.0 is a permissive license compatible with commercial use. No restrictions on scanning proprietary code or deploying Kingfisher in enterprise environments. However, no commercial support, SLA, or warranty is provided by MongoDB or the project maintainers. Commercial users should evaluate risk tolerance for relying on community-driven maintenance.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitStrong
Assessment confidenceHigh
Security considerations

Kingfisher is a security tool, not a secure platform. Key considerations: (1) Live validation sends credential samples to external APIs; ensure network isolation policies allow such calls. (2) Report files contain detected secrets (often redacted); store reports securely. (3) CLI accepts credentials via environment variables; use secure secret management (e.g., HashiCorp Vault, AWS Secrets Manager) to inject credentials, not hardcoded. (4) No independent security audit listed in README. (5) Revocation relies on correct API integration; test on non-production accounts first. (6) Hyperscan library is maintained by Intel but any regex engine may have edge-case bypasses.

Alternatives to consider

Gitleaks

Established Go-based secret scanner with similar rule coverage and platform support. Lighter-weight binary, broader language integration, simpler custom rules. Less mature live validation.

TruffleHog

Python-based secret detector with proprietary entropy detection and cloud provider validation. Strong on Git history scanning and Merkle-tree optimization. More mature commercial offering (Truffle Security).

GitGuardian

Commercial SaaS platform with managed scanning, API integration, and enterprise support. No self-hosting required. Higher cost but includes incident response workflows and threat intel.

Software development agency

Build on kingfisher with DEV.co software developers

Deploy Kingfisher to scan repositories, cloud storage, and CI pipelines. Validate and revoke compromised credentials in minutes.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

kingfisher FAQ

Can Kingfisher scan private repositories or cloud storage without exposing credentials?
Yes, via environment variable authentication (GitHub PAT, GitLab token, AWS IAM credentials). Credentials are not logged or stored in reports; only scan results are output. Live validation does send credential samples to provider APIs; offline mode disables this.
How do I add custom detection rules?
Define YAML rules following the pattern in docs/RULES.md. Rules support regex, entropy, checksum, and fuzzy matching. Test via CLI before production deployment. Built-in 958 rules cover most common leaks; custom rules extend coverage for proprietary formats.
Is Kingfisher suitable for air-gapped or offline environments?
Scanning works fully offline. Live validation and blast-radius mapping require outbound API calls to external providers. Disable `--validate` and `--access-map` flags for offline-only scans. Hosted report viewer requires internet; local viewer does not.
Does Kingfisher require a database or external service?
No. Kingfisher is a stateless CLI tool. Detection rules are embedded; no external database needed. Optional webhook alerts send findings to Slack/Teams/webhooks but are decoupled from the scanner.

Software development & web development with DEV.co

DEV.co helps companies turn open-source tools like kingfisher into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source security stack.

Secure Your Codebase: Detect Leaked Secrets Before Production

Deploy Kingfisher to scan repositories, cloud storage, and CI pipelines. Validate and revoke compromised credentials in minutes.