{"id":28911402,"url":"https://github.com/mongodb/kingfisher","last_synced_at":"2026-04-01T18:22:42.204Z","repository":{"id":299346795,"uuid":"980173830","full_name":"mongodb/kingfisher","owner":"mongodb","description":"Kingfisher is a blazingly fast and highly accurate tool for secret detection and live validation across files, Git repos, GitHub, GitLab, Azure Repos, BitBucket, Gitea, AWS S3, Docker images, Jira, Slack, and Confluence","archived":false,"fork":false,"pushed_at":"2026-03-27T06:02:29.000Z","size":43698,"stargazers_count":874,"open_issues_count":2,"forks_count":69,"subscribers_count":2,"default_branch":"main","last_synced_at":"2026-03-27T18:19:01.951Z","etag":null,"topics":["credentials","devsecops","scanning","secrets","secrets-management","security"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mongodb.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2025-05-08T17:27:15.000Z","updated_at":"2026-03-27T08:15:25.000Z","dependencies_parsed_at":"2025-07-01T01:20:17.965Z","dependency_job_id":"1febbdf9-850e-4956-8ff5-a339e2303f42","html_url":"https://github.com/mongodb/kingfisher","commit_stats":null,"previous_names":["mongodb/kingfisher"],"tags_count":83,"template":false,"template_full_name":null,"purl":"pkg:github/mongodb/kingfisher","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mongodb%2Fkingfisher","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mongodb%2Fkingfisher/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mongodb%2Fkingfisher/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mongodb%2Fkingfisher/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mongodb","download_url":"https://codeload.github.com/mongodb/kingfisher/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mongodb%2Fkingfisher/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31290824,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-01T13:12:26.723Z","status":"ssl_error","status_checked_at":"2026-04-01T13:12:25.102Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["credentials","devsecops","scanning","secrets","secrets-management","security"],"created_at":"2025-06-21T19:05:33.109Z","updated_at":"2026-04-01T18:22:42.187Z","avatar_url":"https://github.com/mongodb.png","language":"Rust","readme":"# Kingfisher: Open Source Secret Scanner with Live Validation\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"docs/kingfisher_logo.png\" alt=\"Kingfisher Logo\" width=\"126\" height=\"173\" style=\"vertical-align: right;\" /\u003e\n\n[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)\n[![Detection Rules](https://img.shields.io/badge/Detection%20Rules-601-2ea043.svg)](https://github.com/mongodb/kingfisher)\u003cbr\u003e\n[![ghcr downloads](https://ghcr-badge.elias.eu.org/shield/mongodb/kingfisher/kingfisher)](https://github.com/mongodb/kingfisher/pkgs/container/kingfisher)\u003cbr\u003e\n\n\nKingfisher is an open source secret scanner and **live secret validation** tool built in Rust.\n\nIt combines Intel's SIMD-accelerated regex engine (Hyperscan) with language-aware parsing to achieve high accuracy at massive scale, and **ships with hundreds of built-in rules** to detect, **validate**, and triage leaked API keys, tokens, and credentials before they ever reach production.\n\nDesigned for offensive security engineers and blue-team defenders alike, Kingfisher helps you scan repositories, cloud storage, chat, docs, and CI pipelines to find and verify exposed secrets quickly.\n\n\u003c/p\u003e\n\n**Learn more:** [Introducing Kingfisher: Real‑Time Secret Detection and Validation](https://www.mongodb.com/blog/post/product-release-announcements/introducing-kingfisher-real-time-secret-detection-validation)\n\n## What Is Kingfisher?\n\nKingfisher is a high-performance, open source secret detection tool for source code and developer platforms. If you are searching for a \"GitHub secret scanner,\" \"API key scanner,\" \"token leak detection,\" or \"Git secrets scanner,\" this project is built for that workflow.\n\n- Scan code, Git history, and integrated platforms (GitHub, GitLab, Azure Repos, Bitbucket, Gitea, Hugging Face, Jira, Confluence, Slack, Microsoft Teams, Docker, AWS S3, and Google Cloud Storage)\n- Validate discovered credentials against provider APIs to reduce false positives\n- Revoke supported secrets directly from the CLI\n- Generate JSON, SARIF, TOON, and HTML outputs for security teams, compliance, and CI\n\n## Key Features\n\n### Multiple Scan Targets\n\u003cdiv align=\"center\"\u003e\n\n| Files / Dirs | Local Git | GitHub | GitLab | Azure Repos | Bitbucket | Gitea | Hugging Face |\n|:-------------:|:----------:|:------:|:------:|:-------------:|:----------:|:------:|:-------------:|\n| \u003cimg src=\"./docs/assets/icons/files.svg\" height=\"40\" alt=\"Files / Dirs\"/\u003e\u003cbr/\u003e\u003csub\u003eFiles / Dirs\u003c/sub\u003e | \u003cimg src=\"./docs/assets/icons/local-git.svg\" height=\"40\" alt=\"Local Git\"/\u003e\u003cbr/\u003e\u003csub\u003eLocal Git\u003c/sub\u003e | \u003cimg src=\"./docs/assets/icons/github.svg\" height=\"40\" alt=\"GitHub\"/\u003e\u003cbr/\u003e\u003csub\u003eGitHub\u003c/sub\u003e | \u003cimg src=\"./docs/assets/icons/gitlab.svg\" height=\"40\" alt=\"GitLab\"/\u003e\u003cbr/\u003e\u003csub\u003eGitLab\u003c/sub\u003e | \u003cimg src=\"./docs/assets/icons/azure-devops.svg\" height=\"40\" alt=\"Azure Repos\"/\u003e\u003cbr/\u003e\u003csub\u003eAzure Repos\u003c/sub\u003e | \u003cimg src=\"./docs/assets/icons/bitbucket.svg\" height=\"40\" alt=\"Bitbucket\"/\u003e\u003cbr/\u003e\u003csub\u003eBitbucket\u003c/sub\u003e | \u003cimg src=\"./docs/assets/icons/gitea.svg\" height=\"40\" alt=\"Gitea\"/\u003e\u003cbr/\u003e\u003csub\u003eGitea\u003c/sub\u003e |\u003cimg src=\"./docs/assets/icons/huggingface.svg\" height=\"40\" width=\"40\" alt=\"Hugging Face\"/\u003e\u003cbr/\u003e\u003csub\u003eHugging Face\u003c/sub\u003e |\n\n| Docker | Jira | Confluence | Slack | Teams | AWS S3 | Google Cloud |\n|:------:|:----:|:-----------:|:-----:|:-----:|:------:|:---:|\n| \u003cimg src=\"./docs/assets/icons/docker.svg\" height=\"40\" alt=\"Docker\"/\u003e\u003cbr/\u003e\u003csub\u003eDocker\u003c/sub\u003e | \u003cimg src=\"./docs/assets/icons/jira.svg\" height=\"40\" alt=\"Jira\"/\u003e\u003cbr/\u003e\u003csub\u003eJira\u003c/sub\u003e | \u003cimg src=\"./docs/assets/icons/confluence.svg\" height=\"40\" alt=\"Confluence\"/\u003e\u003cbr/\u003e\u003csub\u003eConfluence\u003c/sub\u003e | \u003cimg src=\"./docs/assets/icons/slack.svg\" height=\"40\" alt=\"Slack\"/\u003e\u003cbr/\u003e\u003csub\u003eSlack\u003c/sub\u003e | \u003cimg src=\"./docs/assets/icons/teams.svg\" height=\"40\" alt=\"Microsoft Teams\"/\u003e\u003cbr/\u003e\u003csub\u003eTeams\u003c/sub\u003e | \u003cimg src=\"./docs/assets/icons/aws-s3.svg\" height=\"40\" alt=\"AWS S3\"/\u003e\u003cbr/\u003e\u003csub\u003eAWS\u0026nbsp;S3\u003c/sub\u003e |  \u003cimg src=\"./docs/assets/icons/gcs.svg\" height=\"40\" alt=\"Google Cloud Storage\"/\u003e\u003cbr/\u003e\u003csub\u003eCloud Storage\u003c/sub\u003e |\n\n\u003c/div\u003e\n\n### Performance, Accuracy, and Hundreds of Rules\n- **Performance**: multithreaded, Hyperscan‑powered scanning built for huge codebases  \n- **Extensible rules**: hundreds of built-in detectors plus YAML-defined custom rules ([docs/RULES.md](/docs/RULES.md))  \n- **Validate \u0026 Revoke**: live validation of discovered secrets, plus direct revocation for supported platforms (GitHub, GitLab, Slack, AWS, GCP, and more) ([docs/USAGE.md](/docs/USAGE.md))\n- **Revocation support matrix**: current built-in revocation coverage across providers and rule IDs ([docs/REVOCATION_PROVIDERS.md](/docs/REVOCATION_PROVIDERS.md))\n- **Blast Radius Mapping**: instantly map leaked keys to their effective cloud identities and exposed resources with `--access-map`. Supports AWS, GCP, Azure, GitHub, GitLab, Slack, Microsoft Teams, and more.\n- **Broad AI SaaS coverage**: finds and validates tokens for OpenAI, Anthropic, Google Gemini, Cohere, AWS Bedrock, Voyage AI, Mistral, Stability AI, Replicate, xAI (Grok), Ollama, Langchain, Perplexity, Weights \u0026 Biases, Cerebras, Friendli, Fireworks.ai, NVIDIA NIM, Together.ai, Zhipu, and many more\n- **Compressed Files**: Supports extracting and scanning compressed files for secrets\n- **SQLite Database Scanning**: Automatically extracts and scans SQLite database contents for secrets stored in table rows\n- **Python Bytecode (.pyc) Scanning**: Extracts and scans string constants from compiled Python (`.pyc`, `.pyo`) files\n- **Baseline management**: generate and track baselines to suppress known secrets ([docs/BASELINE.md](/docs/BASELINE.md))\n- **Checksum-aware detection**: verifies tokens with built-in checksums (e.g., GitHub, Confluent, Zuplo) — no API calls required\n- **Built-in Report Viewer**: Visualize and triage findings locally with `kingfisher view ./report-file.json`\n- **Audit reporting**: Generate compliance-oriented HTML reports with scan metadata and validation ordering\n- **Library crates**: Embed Kingfisher's scanning engine in your own Rust applications ([docs/LIBRARY.md](docs/LIBRARY.md))\n\n# Benchmark Results\n\nSee ([docs/COMPARISON.md](docs/COMPARISON.md))\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"docs/runtime-comparison.png\" alt=\"Kingfisher Runtime Comparison\" style=\"vertical-align: center;\" /\u003e\n\u003c/p\u003e\n\n## Basic Usage Demo\n```bash\nkingfisher scan /path/to/scan --view-report\n```\nNOTE: Replay has been slowed down for demo\n![Kingfisher secret scanning demo](docs/kingfisher-usage-01.gif)\n\n## Report Viewer Demo\nExplore Kingfisher's built-in report viewer and its `--access-map`, which can show what the token (AWS, GCP, Azure, GitHub, GitLab, Slack, Microsoft Teams, and more) can actually access.\n\nNote: when you pass `--view-report`, Kingfisher starts a web server on port `7890` (default) and opens it in your default browser. By default it binds to `127.0.0.1` for security. You'll see this near the end of the scan output, and **Kingfisher will keep running** until you stop it.\n\n```bash\nINFO kingfisher::cli::commands::view: Starting access-map viewer address=127.0.0.1:7890\nServing access-map viewer at http://127.0.0.1:7890 (Ctrl+C to stop)\n```\n\n**Usage:**\n```bash\nkingfisher scan /path/to/scan --access-map --view-report\n```\n\n![Kingfisher access map and report viewer demo](docs/kingfisher-usage-access-map-01.gif)\n\n**Click to view video**\n[![Demo](docs/demos/findings-thumbnail.png)](https://github.com/user-attachments/assets/d33ee7a6-c60a-4e42-88e0-ac03cb429a46)\n\n# Table of Contents\n\n- [What Is Kingfisher?](#what-is-kingfisher)\n- [Key Features](#key-features)\n- [Compliance and Audit-Ready Scans](#compliance-and-audit-ready-scans)\n- [Benchmark Results](#benchmark-results)\n- [Getting Started](#getting-started)\n  - [Quick Start](#quick-start)\n  - [Installation](#installation)\n- [Detection Rules](#detection-rules)\n- [Usage Examples](#usage-examples)\n- [Platform Integrations](#platform-integrations)\n  - [Environment Variables](#environment-variables)\n- [Advanced Features](#advanced-features)\n- [Documentation](#documentation)\n- [Library Usage](#library-usage)\n- [Roadmap](#roadmap)\n- [License](#license)\n\n# Getting Started\n\n## Quick Start\n\n### 1: Install Kingfisher ([INSTALLATION.md](docs/INSTALLATION.md))\n\n```bash\n# Homebrew (Linux/macOS)\nbrew install kingfisher\n\n# Or install from PyPI with uv\nuv tool install kingfisher-bin\n\n# Or use the install script (Linux/macOS)\ncurl -sSL https://raw.githubusercontent.com/mongodb/kingfisher/main/scripts/install-kingfisher.sh | bash\n\n# Or use PowerShell based install script on Windows\nSet-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force\nInvoke-WebRequest -Uri 'https://raw.githubusercontent.com/mongodb/kingfisher/main/scripts/install-kingfisher.ps1' -OutFile install-kingfisher.ps1\n./install-kingfisher.ps1\n\n# Or run with Docker (no install required)\ndocker run --rm -v \"$PWD\":/src ghcr.io/mongodb/kingfisher:latest scan /src\n```\n\n### 2: Scan a directory for secrets ([USAGE.md](/docs/USAGE.md))\n\n```bash\nkingfisher scan /path/to/code\n```\n\n### 3: Scan and view results in browser\n\n```bash\nkingfisher scan /path/to/code --view-report\n```\n\n### 4: Show only validated (live) secrets\n\n```bash\nkingfisher scan /path/to/code --only-valid\n```\n\n### 5: Revoke a discovered secret\n\n```bash\n# Revoke a GitHub token\nkingfisher revoke --rule github \"ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\"\n\n# Revoke AWS credentials (sets access key to Inactive)\nkingfisher revoke --rule aws --arg \"AKIAIOSFODNN7EXAMPLE\" \"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\"\n```\n\n### 6: Scan a GitHub organization ([INTEGRATIONS.md](docs/INTEGRATIONS.md))\n\n```bash\nKF_GITHUB_TOKEN=\"ghp_...\" kingfisher scan github --organization my-org\n```\n\n### 7: Scan a GitLab group\n\n```bash\nKF_GITLAB_TOKEN=\"glpat-...\" kingfisher scan gitlab --group my-group\n```\n\n### 8: Scan Azure Repos\n\n```bash\nKF_AZURE_PAT=\"pat\" kingfisher scan azure --organization my-org\n```\n\n### 9: Scan Bitbucket workspace\n\n```bash\nKF_BITBUCKET_TOKEN=\"token\" kingfisher scan bitbucket --workspace my-team\n```\n\n### 10: Scan Gitea organization\n\n```bash\nKF_GITEA_TOKEN=\"token\" kingfisher scan gitea --organization my-org\n```\n\n### 11: Scan Hugging Face\n\n```bash\nKF_HUGGINGFACE_TOKEN=\"hf_...\" kingfisher scan huggingface --organization my-org\n```\n\n### 12: Scan an S3 bucket\n\n```bash\nkingfisher scan s3 bucket-name --prefix path/\n```\n\n### 13: Scan Google Cloud Storage\n\n```bash\nkingfisher scan gcs bucket-name --prefix path/\n```\n\n### 14: Scan a Docker image\n\n```bash\nkingfisher scan docker ghcr.io/org/image:latest\n```\n\n### 15: Scan Jira issues\n\n```bash\nKF_JIRA_TOKEN=\"token\" kingfisher scan jira --url https://jira.company.com --jql \"project = SEC\"\n```\n\nAdd `--include-comments` and/or `--include-changelog` to expand the scan beyond the issue body.\n\n### 16: Scan Confluence pages\n\n```bash\nKF_CONFLUENCE_TOKEN=\"token\" kingfisher scan confluence --url https://confluence.company.com --cql \"label = secret\"\n```\n\n### 17: Scan Slack messages\n\n```bash\nKF_SLACK_TOKEN=\"xoxp-...\" kingfisher scan slack \"api_key OR password\"\n```\n\n### 18: Run with Docker (no install required)\n\n```bash\ndocker run --rm -v \"$PWD\":/src ghcr.io/mongodb/kingfisher:latest scan /src\n```\n\n### 19: Run with Docker and view report in browser\n\nTo run a scan in Docker and view the HTML report on your host machine, use `--view-report-address 0.0.0.0` so the server is reachable from outside the container, and map the port with `-p`:\n\n```bash\ndocker run --rm \\\n  -v \"$PWD\":/src \\\n  -p 7890:7890 \\\n  ghcr.io/mongodb/kingfisher:latest \\\n  scan https://github.com/leaktk/fake-leaks \\\n  --access-map \\\n  --view-report \\\n  --view-report-address 0.0.0.0\n```\n\nThen open **http://localhost:7890** in your browser. If port 7890 is already in use, use `--view-report-port` and map accordingly:\n\n```bash\ndocker run --rm \\\n  -v \"$PWD\":/src \\\n  -p 7891:7891 \\\n  ghcr.io/mongodb/kingfisher:latest \\\n  scan https://github.com/leaktk/fake-leaks \\\n  --access-map \\\n  --view-report \\\n  --view-report-port 7891 \\\n  --view-report-address 0.0.0.0\n```\n\nThen open **http://localhost:7891**.\n\n### 20: Output JSON results\n\n```bash\nkingfisher scan /path/to/code --format json --output findings.json\n```\n\n### 21: Map blast radius of discovered credentials\n\n```bash\nkingfisher scan /path/to/code --access-map --view-report\n```\n\n## Installation\n\nKingfisher supports multiple installation methods:\n\n- **Homebrew**: `brew install kingfisher` ![Homebrew Formula Version](https://img.shields.io/homebrew/v/kingfisher)\n- **PyPI with uv**: `uv tool install kingfisher-bin`\n- **Pre-built releases**: Download from [GitHub Releases](https://github.com/mongodb/kingfisher/releases)\n- **Install scripts**: One-line installers for Linux, macOS, and Windows - [INSTALLATION.md](docs/INSTALLATION.md)\n- **Docker**: `docker run ghcr.io/mongodb/kingfisher:latest`\n- **Pre-commit hooks**: Integrate with git hooks, pre-commit framework, or Husky\n- **Compile from source**: Build with `make` for your platform\n\n**For complete installation instructions and pre-commit hook setup, see [docs/INSTALLATION.md](docs/INSTALLATION.md).**\n\n## Verifying Releases\n\nEvery Kingfisher release includes [SLSA v3](https://slsa.dev) provenance and GitHub build attestations so you can verify that artifacts were built by our CI pipeline and haven't been tampered with.\n\n### SLSA provenance\n\nEach GitHub release includes a `multiple.intoto.jsonl` provenance file. Verify any release artifact with [`slsa-verifier`](https://github.com/slsa-framework/slsa-verifier):\n\n```bash\n# Install slsa-verifier\ngo install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@latest\n\n# Download the artifact and provenance from the release\ngh release download \u003cversion\u003e --repo mongodb/kingfisher \\\n  --pattern 'kingfisher-linux-x64.tgz' \\\n  --pattern 'multiple.intoto.jsonl'\n\n# Verify\nslsa-verifier verify-artifact kingfisher-linux-x64.tgz \\\n  --provenance-path multiple.intoto.jsonl \\\n  --source-uri github.com/mongodb/kingfisher\n```\n\n### GitHub attestations\n\nRelease artifacts also have GitHub build attestations, verifiable with the GitHub CLI:\n\n```bash\ngh release download \u003cversion\u003e --repo mongodb/kingfisher \\\n  --pattern 'kingfisher-linux-x64.tgz'\n\ngh attestation verify kingfisher-linux-x64.tgz --repo mongodb/kingfisher\n```\n\n# Detection Rules\n\nKingfisher ships with [hundreds of rules](crates/kingfisher-rules/data/rules/) that cover everything from classic cloud keys to the latest AI SaaS tokens. Below is an overview:\n\n| Category | What we catch |\n|----------|---------------|\n| **AI SaaS APIs** | OpenAI, Anthropic, Google Gemini, Cohere, Mistral, Stability AI, Replicate, xAI (Grok), Ollama, Langchain, Perplexity, Weights \u0026 Biases, Cerebras, Friendli, Fireworks.ai, NVIDIA NIM, together.ai, Zhipu, and more |\n| **Cloud Providers** | AWS, Azure, GCP, Alibaba Cloud, DigitalOcean, IBM Cloud, Cloudflare, Temporal Cloud, and more |\n| **Dev \u0026 CI/CD** | GitHub/GitLab tokens, CircleCI, TravisCI, TeamCity, Docker Hub, npm, PyPI, Vercel, and more |\n| **Messaging \u0026 Comms** | Slack, Discord, Microsoft Teams, Twilio, Mailgun, SendGrid, Mailchimp, and more |\n| **Databases \u0026 Data Ops** | MongoDB Atlas, PlanetScale, Postgres DSNs, Grafana Cloud, Datadog, Dynatrace, and more |\n| **Payments \u0026 Billing** | Stripe, PayPal, Square, GoCardless, and more |\n| **Security \u0026 DevSecOps** | Snyk, Dependency-Track, CodeClimate, Codacy, OpsGenie, PagerDuty, and more |\n| **Misc. SaaS \u0026 Tools** | 1Password, Adobe, Atlassian/Jira, Asana, Netlify, Baremetrics, and more |\n\n## Write Custom Rules\n\nKingfisher ships with hundreds of rules with HTTP and service‑specific validation checks (AWS, Azure, GCP, etc.) to confirm if a detected string is a live credential.\n\nHowever, you may want to add your own custom rules, or modify a detection to better suit your needs / environment.\n\n**For complete rule documentation, see [docs/RULES.md](docs/RULES.md).**\n\n### Checksum Intelligence\n\nModern API tokens increasingly include **built-in checksums**, short internal digests that make each credential self-verifiable. (For background, see [GitHub's write-up on their newer token formats](https://github.blog/engineering/platform-security/behind-githubs-new-authentication-token-formats/) and why checksums slash false positives.)\n\nKingfisher supports **checksum-aware matching** in rules, enabling **offline structural verification** of credentials *without* calling third-party APIs.\n\nBy validating each token's internal checksum (for tokens that support checksums), Kingfisher eliminates nearly all false positives—automatically skipping structurally invalid or fake tokens before validation ever runs.\n\n**Why this matters**\n- **Offline verification** — no API call required  \n- **Industry-aligned** — compatible with prefix + checksum token designs (e.g., modern PATs)  \n- **Lower false positives** — invalid tokens are filtered out by structure alone\n\n**Learn more**: implementation details and templating are documented in **[docs/RULES.md](docs/RULES.md)**\n\n# Usage Examples\n\n\u003e **Note**: `kingfisher scan` automatically detects whether the input is a Git repository or a plain directory—no extra flags required.\n\n## Basic Scanning\n\n```bash\n# Scan with secret validation\nkingfisher scan /path/to/code\n## NOTE: This path can refer to:\n# 1. a local git repo\n# 2. a directory with many git repos\n# 3. or just a folder with files and subdirectories\n\n# Scan without validation\nkingfisher scan ~/src/myrepo --no-validate\n\n# Turbo mode: run as fast as possible by disabling Git commit metadata, Base64 decoding,\n# MIME sniffing, language detection, and tree-sitter parsing\n# (findings omit commit context, Base64-only matches, MIME type, and language metadata)\nkingfisher scan ~/src/myrepo --turbo\n\n# Display only secrets confirmed active by third‑party APIs\nkingfisher scan /path/to/repo --only-valid\n\n# Output JSON and capture to a file\nkingfisher scan . --format json | tee kingfisher.json\n\n# Output SARIF directly to disk\nkingfisher scan /path/to/repo --format sarif --output findings.sarif\n```\n\n## Access Map and Visualization\n\n**Stop Guessing, Start Mapping: Understand Your True Blast Radius**\n\nFinding a leaked credential is only the first step. The critical question isn't just \"Is this a secret?\"—it's \"What can an attacker do with it?\"\n\nKingfisher's `--access-map` feature transforms secret detection from a simple alert into a comprehensive threat assessment. Instead of leaving you with a cryptic API key, Kingfisher actively authenticates against your cloud provider (AWS, GCP, Azure Storage, Azure DevOps, GitHub, GitLab, Slack, or Microsoft Teams) to map the full extent of the credential's power. \n\n* Instant Identity Resolution: Immediately identify who the key belongs to—whether it's a specific IAM user, an assumed role, or a service account.\n* Visualize the Blast Radius: See exactly which resources (S3 buckets, EC2 instances, projects, storage containers) are exposed and at risk.\n\n```bash\n# Generate access map during scan\nkingfisher scan /path/to/code --access-map --view-report\n\n# View access-map reports locally\nkingfisher view kingfisher.json\n```\n\n\u003e **Use the access map functionality only when you are authorized to inspect the target account, as Kingfisher will issue additional network requests to determine what access the secret grants**\n\n## Direct Secret Validation \u0026 Revocation\n\n```bash\n# Validate a known secret without scanning\nkingfisher validate --rule opsgenie \"12345678-9abc-def0-1234-56789abcdef0\"\n\n# Validate from stdin\necho \"ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\" | kingfisher validate --rule github -\n\n# Revoke a Slack token\nkingfisher revoke --rule slack \"xoxb-...\"\n\n# Revoke a GitHub PAT\nkingfisher revoke --rule github \"ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\"\n```\n\nValidation throttling is also available for direct validation:\n\n- `--validation-rps \u003cRPS\u003e` sets a global request rate.\n- `--validation-rps-rule \u003cRULE_SELECTOR=RPS\u003e` sets per-rule overrides (repeatable).\n- Rule selectors accept short names, so `github=2` matches `kingfisher.github.*`.\n\n```bash\n# Limit direct validation to 1 req/sec for GitHub rules\nkingfisher validate --rule github \"ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\" \\\n  --validation-rps-rule github=1\n```\n\n\n## Compliance and Audit-Ready Scans\n\nKingfisher is built to support compliance and security-assurance goals, not just detection. In addition to finding secrets, it helps teams produce evidence that secure development controls are operating.\n\n- **Audit scan output**: generate a standalone HTML report with scan timestamp, report generation time, validation status, and file-level links for findings\n- **Evidence-friendly metadata**: include version, scan stats, and sanitized command arguments for review workflows\n- **Control narrative support**: demonstrate that hardcoded credentials/secrets are actively detected and triaged in CI/CD and developer workflows\n\n```bash\n# Generate an audit-ready HTML report\nkingfisher scan /path/to/code --format html --output kingfisher-audit.html\n```\n\n## Advanced Scanning Options\n\n```bash\n# Pipe any text directly into Kingfisher\ncat /path/to/file.py | kingfisher scan -\n\n# Limit maximum file size scanned (default: 256 MB)\nkingfisher scan /some/file --max-file-size 500\n\n# Turbo mode: equivalent to --commit-metadata=false --no-base64 and disables MIME sniffing,\n# language detection/tree-sitter parsing for maximum speed\n# No Git commit metadata (author, date, hash), Base64 decoding, MIME, or language metadata in findings\nkingfisher scan /path/to/repo --turbo\n\n# Scan using a rule family\nkingfisher scan /path/to/repo --rule kingfisher.aws\n\n# Display rule performance statistics\nkingfisher scan /path/to/repo --rule-stats\n\n# Throttle validation request rate globally\nkingfisher scan /path/to/repo --validation-rps 5\n\n# Override specific rule families (kingfisher. prefix optional)\nkingfisher scan /path/to/repo \\\n  --validation-rps 10 \\\n  --validation-rps-rule github=2 \\\n  --validation-rps-rule pypi=0.5\n\n# Increase validation response storage limit (default: 2048 bytes)\nkingfisher scan /path/to/repo --max-validation-response-length 8192\n\n# Disable validation response storage truncation entirely (0 = unlimited)\nkingfisher scan /path/to/repo --max-validation-response-length 0\n\n# Include full validation response bodies end-to-end (no validation or reporter truncation)\n# Useful for parsing complete validation responses (e.g., GitHub token metadata)\nkingfisher scan /path/to/repo --full-validation-response\n\n# Exclude specific paths\nkingfisher scan ./my-project \\\n  --exclude '*.py' \\\n  --exclude '[Tt]ests'\n\n# Scan changes in CI pipelines\nkingfisher scan . \\\n  --since-commit origin/main \\\n  --branch \"$CI_BRANCH\"\n```\n\n\u003e Validation rate limiting applies to all built-in validator types (HTTP/gRPC, cloud SDK validators such as AWS/GCP/Coinbase, and database/token validators such as MongoDB, Postgres, MySQL, JDBC, JWT, and Azure Storage). `Raw` validators are excluded.\n\n# Platform Integrations\n\nKingfisher can scan multiple platforms and services directly:\n\n**Version Control \u0026 Code Hosting:**\n- GitHub (organizations, users, repositories)\n- GitLab (groups, users, projects)\n- Azure Repos (organizations, projects)\n- Bitbucket (workspaces, users, repositories)\n- Gitea (organizations, users, repositories)\n- Hugging Face (models, datasets, spaces)\n\n**Cloud Storage:**\n- AWS S3\n- Google Cloud Storage\n\n**Containers:**\n- Docker (images from registries)\n\n**Collaboration \u0026 Documentation:**\n- Jira (issues via JQL queries)\n- Confluence (pages via CQL queries)\n- Slack (messages via search queries)\n- Microsoft Teams (messages via Microsoft Graph search)\n\nSee **[docs/INTEGRATIONS.md](docs/INTEGRATIONS.md)** for complete integration documentation and authentication setup.\n\n## Quick Examples\n\n```bash\n# Scan AWS S3 bucket\nkingfisher scan s3 bucket-name --prefix path/\n\n# Scan Google Cloud Storage\nkingfisher scan gcs bucket-name\n\n# Scan Docker image\nkingfisher scan docker ghcr.io/owasp/wrongsecrets/wrongsecrets-master:latest-master\n\n# Scan GitHub organization\nkingfisher scan github --organization my-org\n\n# Scan GitLab group\nkingfisher scan gitlab --group my-group\n\n# Scan Azure Repos\nkingfisher scan azure --organization my-org\n\n# Scan Jira issues\nKF_JIRA_TOKEN=\"token\" kingfisher scan jira --url https://jira.company.com \\\n  --jql \"project = TEST AND status = Open\"\n\n# Scan Jira issues, comments, and changelog entries\nKF_JIRA_TOKEN=\"token\" kingfisher scan jira --url https://jira.company.com \\\n  --jql \"project = TEST AND status = Open\" \\\n  --include-comments \\\n  --include-changelog\n\n# Scan Confluence pages\nKF_CONFLUENCE_TOKEN=\"token\" kingfisher scan confluence --url https://confluence.company.com \\\n  --cql \"label = secret\"\n\n# Scan Slack messages\nKF_SLACK_TOKEN=\"xoxp-...\" kingfisher scan slack \"from:username has:link\"\n\n# Scan Microsoft Teams messages\nKF_TEAMS_TOKEN=\"eyJ0...\" kingfisher scan teams \"password OR api_key\"\n```\n\n**For detailed integration instructions and authentication setup, see [docs/INTEGRATIONS.md](docs/INTEGRATIONS.md).**\n\n## Environment Variables\n\n| Variable          | Purpose                      |\n| ----------------- | ---------------------------- |\n| `KF_GITHUB_TOKEN` | GitHub Personal Access Token |\n| `KF_GITLAB_TOKEN` | GitLab Personal Access Token |\n| `KF_GITEA_TOKEN` | Gitea Personal Access Token |\n| `KF_GITEA_USERNAME` | Username for private Gitea clones (used with `KF_GITEA_TOKEN`) |\n| `KF_AZURE_TOKEN` / `KF_AZURE_PAT` | Azure Repos Personal Access Token |\n| `KF_AZURE_USERNAME` | Username to use with Azure Repos PATs (defaults to `pat` when unset) |\n| `KF_BITBUCKET_TOKEN` | Bitbucket Cloud workspace API token or Bitbucket Server PAT |\n| `KF_BITBUCKET_USERNAME` | Optional Bitbucket username for legacy app passwords or server tokens |\n| `KF_BITBUCKET_APP_PASSWORD` | Legacy Bitbucket app password (deprecated September 9, 2025; disabled June 9, 2026) |\n| `KF_BITBUCKET_OAUTH_TOKEN` | Bitbucket OAuth or PAT token |\n| `KF_HUGGINGFACE_TOKEN` | Hugging Face access token for API enumeration and git cloning |\n| `KF_HUGGINGFACE_USERNAME` | Optional username for Hugging Face git operations (defaults to `hf_user`) |\n| `KF_JIRA_TOKEN`   | Jira API token               |\n| `KF_CONFLUENCE_TOKEN` | Confluence API token      |\n| `KF_SLACK_TOKEN`  | Slack API token              |\n| `KF_TEAMS_TOKEN`  | Microsoft Graph API token for Teams message search |\n| `KF_DOCKER_TOKEN` | Docker registry token (`user:pass` or bearer token). If unset, credentials from the Docker keychain are used |\n| `KF_AWS_KEY`, `KF_AWS_SECRET`, and `KF_AWS_SESSION_TOKEN` | AWS credentials for S3 bucket scanning. Session token is optional, for temporary credentials |\n\nSet them temporarily per command:\n\n```bash\nKF_GITLAB_TOKEN=\"glpat-…\" kingfisher scan gitlab --group my-group\n```\n\nOr export for the session:\n\n```bash\nexport KF_GITLAB_TOKEN=\"glpat-…\"\n```\n\n# Advanced Features\n\nKingfisher offers powerful features for complex scanning scenarios. See **[docs/ADVANCED.md](docs/ADVANCED.md)** for complete advanced documentation.\n\n## Baseline Management\n\nTrack known secrets and detect only new ones:\n\n```bash\n# Create/update baseline\nkingfisher scan /path/to/code \\\n  --confidence low \\\n  --manage-baseline \\\n  --baseline-file ./baseline-file.yml\n\n# Scan with baseline (suppress known findings)\nkingfisher scan /path/to/code \\\n  --baseline-file /path/to/baseline-file.yaml\n```\n\n## Filtering and Suppression\n\n```bash\n# Skip known false positives\nkingfisher scan --skip-regex '(?i)TEST_KEY' path/\nkingfisher scan --skip-word dummy path/\n\n# Skip AWS canary tokens\nkingfisher scan /path/to/code \\\n  --skip-aws-account \"171436882533,534261010715\"\n\n# Inline ignore directives in code\n# Add `kingfisher:ignore` on the same line or surrounding lines\n```\n\n## CI Pipeline Scanning\n\n```bash\n# Scan only changes between branches\nkingfisher scan . \\\n  --since-commit origin/main \\\n  --branch \"$CI_BRANCH\"\n\n# Scan specific commit range\nkingfisher scan /tmp/repo --branch feature-1 \\\n  --branch-root-commit $(git -C /tmp/repo merge-base main feature-1)\n```\n\n**For more advanced features including confidence levels, validation tuning, and custom rules, see [docs/ADVANCED.md](docs/ADVANCED.md).** See also [docs/DEPLOYMENT.md](docs/DEPLOYMENT.md) for centralized and self-serve deployment strategies.\n\n# Documentation\n\n| Document | Description |\n|----------|-------------|\n| [INSTALLATION.md](docs/INSTALLATION.md) | Complete installation guide including pre-commit hooks setup for git, pre-commit framework, and Husky |\n| [INTEGRATIONS.md](docs/INTEGRATIONS.md) | Platform-specific scanning guide (GitHub, GitLab, AWS S3, Docker, Jira, Confluence, Slack, etc.) |\n| [ACCESS_MAP.md](docs/ACCESS_MAP.md) | Access map: supported tokens and credential formats (GitHub/GitLab/Slack/AWS/GCP/Azure Storage/Postgres/MongoDB/Microsoft Teams) |\n| [ADVANCED.md](docs/ADVANCED.md) | Advanced features: baselines, confidence levels, validation tuning, CI scanning, and more |\n| [RULES.md](docs/RULES.md) | Writing custom detection rules, pattern requirements, and checksum intelligence |\n| [REVOCATION_PROVIDERS.md](docs/REVOCATION_PROVIDERS.md) | Built-in revocation coverage by provider and rule ID |\n| [BASELINE.md](docs/BASELINE.md) | Baseline management for tracking known secrets and detecting new ones |\n| [LIBRARY.md](docs/LIBRARY.md) | Using Kingfisher as a Rust library in your own applications |\n| [FINGERPRINT.md](docs/FINGERPRINT.md) | Understanding finding fingerprints and deduplication |\n| [COMPARISON.md](docs/COMPARISON.md) | Benchmark results and performance comparisons |\n| [PARSING.md](docs/PARSING.md) | Language-aware parsing details |\n| [TREE_SITTER.md](docs/TREE_SITTER.md) | Tree-sitter scanning flow, verification gates, and fallback behavior |\n\n# Library Usage\n\n(**beta feature**) - Kingfisher's scanning engine is available as a set of Rust library crates (`kingfisher-core`, `kingfisher-rules`, `kingfisher-scanner`) that can be embedded into other applications. This enables you to integrate secret scanning directly into your own tools and workflows.\n\n**For complete documentation and examples, see [docs/LIBRARY.md](docs/LIBRARY.md).**\n\n# Exit Codes\n\n| Code | Meaning                       |\n| ---- | ----------------------------- |\n| 0    | No findings                   |\n| 200  | Findings discovered           |\n| 205  | Validated findings discovered |\n\n# Lineage and Evolution\n\nKingfisher began as an internal fork of [Nosey Parker](https://github.com/praetorian-inc/noseyparker), used as a high-performance foundation for secret detection. \n\nSince then it has evolved far beyond that starting point, introducing live validation, hundreds of new rules, additional scan targets, and major architectural changes across nearly every subsystem.\n\n**Key areas of evolution**\n- **Live validation** of detected secrets directly within rules  \n- **Hundreds of new built-in rules** and an expanded YAML rule schema  \n- **Baseline management** to suppress known findings over time  \n- **Tree-sitter parsing** layered on Hyperscan for language-aware detection  \n- **More scan targets** (GitLab, Bitbucket, Gitea, Jira, Confluence, Slack, Microsoft Teams, S3, GCS, Docker, Hugging Face, etc.)  \n- **Compressed Files**, **SQLite database**, and **Python bytecode (.pyc)** scanning support\n- **New storage model** (in-memory + Bloom filter, replacing SQLite)  \n- **Unified workflow** with JSON/BSON/SARIF outputs  \n- **Cross-platform builds** for Linux, macOS, and Windows\n\n# Roadmap\n\n- More rules\n- More targets\n- Please file a [feature request](https://github.com/mongodb/kingfisher/issues), or open a PR, if you have features you'd like added\n\n# License\n\n[Apache2 License](LICENSE)\n","funding_links":[],"categories":["Applications","Rust","Dependency intelligence"],"sub_categories":["Security tools"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmongodb%2Fkingfisher","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmongodb%2Fkingfisher","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmongodb%2Fkingfisher/lists"}