Kingfisher is an open source secret scanner and live secret validation tool built in Rust.
It combines Intel's SIMD-accelerated regex engine (Hyperscan) with language-aware parsing to achieve high accuracy at massive scale, and ships with 942 built-in rules to detect, validate, and triage leaked API keys, tokens, and credentials before they ever reach production.
Kingfisher also ships a browser-based report viewer that visualizes and triages findings from Kingfisher and from Gitleaks and TruffleHog JSON reports — so you can import scans from other tools and triage them in the same UI. A hosted copy of the viewer is published on the Kingfisher docs site.
Designed for offensive security engineers and blue-team defenders alike, Kingfisher helps you scan repositories, cloud storage, chat, docs, and CI pipelines to find and verify exposed secrets quickly.
Learn more: Introducing Kingfisher: Real‑Time Secret Detection and Validation
Kingfisher is a high-performance, open source secret detection tool for source code and developer platforms. If you are searching for a "GitHub secret scanner," "API key scanner," "token leak detection," or "Git secrets scanner," this project is built for that workflow.
- Scan code, Git history, and integrated platforms (GitHub, GitLab, Azure Repos, Bitbucket, Gitea, Hugging Face, Jira, Confluence, Slack, Microsoft Teams, Docker, AWS S3, and Google Cloud Storage)
- Validate discovered credentials against provider APIs to reduce false positives
- Revoke supported secrets directly from the CLI
- Generate JSON, SARIF, TOON, and HTML outputs for security teams, compliance, and CI
| Files / Dirs | Local Git | GitHub | GitLab | Azure Repos | Bitbucket | Gitea | Hugging Face |
|---|---|---|---|---|---|---|---|
 Files / Dirs |
 Local Git |
 GitHub |
 GitLab |
 Azure Repos |
 Bitbucket |
 Gitea |
 Hugging Face |
| Docker | Jira | Confluence | Slack | Teams | AWS S3 | Google Cloud |
|---|---|---|---|---|---|---|
 Docker |
 Jira |
 Confluence |
 Slack |
 Teams |
 AWS S3 |
 Cloud Storage |
- Performance: multithreaded, Hyperscan‑powered scanning built for huge codebases
- Extensible rules: 942 built-in rules (484 with live validation) plus YAML-defined custom rules (docs/RULES.md)
- Validate & Revoke: live validation of discovered secrets, plus direct revocation for supported platforms (GitHub, GitLab, Slack, AWS, GCP, and more) (docs/USAGE.md)
- Revocation support matrix: current built-in revocation coverage across providers and rule IDs (docs/REVOCATION_PROVIDERS.md)
- Blast Radius Mapping: instantly map leaked keys to their effective cloud identities and exposed resources with
--access-map. Supports 42 providers (see table below). - Broad AI SaaS coverage: finds and validates tokens for OpenAI, Anthropic, Google Gemini, Cohere, AWS Bedrock, Voyage AI, Mistral, Stability AI, Replicate, xAI (Grok), Ollama, Langchain, Perplexity, Weights & Biases, Cerebras, Friendli, Fireworks.ai, NVIDIA NIM, Together.ai, Zhipu, and many more
- Compressed Files: Supports extracting and scanning compressed files for secrets, including
tar.gz/bz2/xz, ZIP-family containers (zip,jar,docx,xlsx,pptx,odt,epub,hwpx, and more),asar, HWP (Hancom OLE2/CFBF binary with DEFLATE/zlib stream decoding), and EGG (ALZip; raw-byte scanning) - SQLite Database Scanning: Automatically extracts and scans SQLite database contents for secrets stored in table rows
- Python Bytecode (.pyc) Scanning: Extracts and scans string constants from compiled Python (
.pyc,.pyo) files - Baseline management: generate and track baselines to suppress known secrets (docs/BASELINE.md)
- Checksum-aware detection: verifies tokens with built-in checksums (e.g., GitHub, Confluent, Zuplo) — no API calls required
- Report Viewer (local + hosted): Visualize and triage Kingfisher, Gitleaks, and TruffleHog JSON output locally with
kingfisher view ./report.jsonor online with the hosted viewer. Multiple files, directories, and imported third-party reports are merged and deduplicated. See docs/USAGE.md. - Audit reporting: Generate compliance-oriented HTML reports with scan metadata and validation ordering
- Library crates: Embed Kingfisher's scanning engine in your own Rust applications (docs/LIBRARY.md)
See (docs/COMPARISON.md)
kingfisher scan /path/to/scan --view-reportNOTE: Replay has been slowed down for demo
- What Is Kingfisher?
- Key Features
- Report Viewer (local and hosted)
- Compliance and Audit-Ready Scans
- Benchmark Results
- Getting Started
- Detection Rules
- Usage Examples
- Platform Integrations
- Advanced Features
- Documentation
- Library Usage
- Roadmap
- License
1: Install Kingfisher (INSTALLATION.md)
# Homebrew (Linux/macOS)
brew install kingfisher
# Or install from PyPI with uv
uv tool install kingfisher-bin
# Or use the install script (Linux/macOS)
curl -sSL https://raw.githubusercontent.com/mongodb/kingfisher/main/scripts/install-kingfisher.sh | bash
# Or use PowerShell based install script on Windows
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/mongodb/kingfisher/main/scripts/install-kingfisher.ps1' -OutFile install-kingfisher.ps1
./install-kingfisher.ps1
# Or run with Docker (no install required)
docker run --rm -v "$PWD":/src ghcr.io/mongodb/kingfisher:latest scan /src2: Scan a directory for secrets (USAGE.md)
kingfisher scan /path/to/codekingfisher scan /path/to/code --view-reportYou can also open existing Kingfisher, Gitleaks, or TruffleHog JSON reports with kingfisher view <report.json>:
# Kingfisher report
kingfisher view kingfisher.json
# Import a Gitleaks JSON report
kingfisher view gitleaks-report.json
# Import a TruffleHog JSON or JSONL report
kingfisher view trufflehog-report.jsonl
# Combine multiple reports (deduplicated by fingerprint / secret identity)
kingfisher view kingfisher.json gitleaks.json trufflehog.jsonl
# Or load every JSON/JSONL report in a directory
kingfisher view ./reports/For a shareable, upload-based experience, the docs site also hosts the same viewer as a static page: https://mongodb.github.io/kingfisher/viewer/. Everything runs client-side in the browser — no reports leave your machine.
kingfisher scan /path/to/code --only-valid# Revoke a GitHub token
kingfisher revoke --rule github "ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
# Revoke AWS credentials (sets access key to Inactive)
kingfisher revoke --rule aws --arg "AKIAIOSFODNN7EXAMPLE" "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"6: Scan a GitHub organization (INTEGRATIONS.md)
KF_GITHUB_TOKEN="ghp_..." kingfisher scan github --organization my-orgKF_GITLAB_TOKEN="glpat-..." kingfisher scan gitlab --group my-groupKF_AZURE_PAT="pat" kingfisher scan azure --organization my-orgKF_BITBUCKET_TOKEN="token" kingfisher scan bitbucket --workspace my-teamKF_GITEA_TOKEN="token" kingfisher scan gitea --organization my-orgKF_HUGGINGFACE_TOKEN="hf_..." kingfisher scan huggingface --organization my-orgkingfisher scan s3 bucket-name --prefix path/kingfisher scan gcs bucket-name --prefix path/kingfisher scan docker ghcr.io/org/image:latestKF_JIRA_TOKEN="token" kingfisher scan jira --url https://jira.company.com --jql "project = SEC"Add --include-comments and/or --include-changelog to expand the scan beyond the issue body.
KF_CONFLUENCE_TOKEN="token" kingfisher scan confluence --url https://confluence.company.com --cql "label = secret"KF_SLACK_TOKEN="xoxp-..." kingfisher scan slack "api_key OR password"docker run --rm -v "$PWD":/src ghcr.io/mongodb/kingfisher:latest scan /srcTo run a scan in Docker and view the HTML report on your host machine, use --view-report-address 0.0.0.0 so the server is reachable from outside the container, and map the port with -p:
docker run --rm \
-v "$PWD":/src \
-p 7890:7890 \
ghcr.io/mongodb/kingfisher:latest \
scan https://github.com/leaktk/fake-leaks \
--access-map \
--view-report \
--view-report-address 0.0.0.0Then open http://localhost:7890 in your browser. If port 7890 is already in use, use --view-report-port and map accordingly:
docker run --rm \
-v "$PWD":/src \
-p 7891:7891 \
ghcr.io/mongodb/kingfisher:latest \
scan https://github.com/leaktk/fake-leaks \
--access-map \
--view-report \
--view-report-port 7891 \
--view-report-address 0.0.0.0Then open http://localhost:7891.
kingfisher scan /path/to/code --format json --output findings.jsonkingfisher scan /path/to/code --access-map --view-reportKingfisher supports multiple installation methods:
- Homebrew:
brew install kingfisher - PyPI with uv:
uv tool install kingfisher-bin - Pre-built releases: Download from GitHub Releases
- Install scripts: One-line installers for Linux, macOS, and Windows - INSTALLATION.md
- Docker:
docker run ghcr.io/mongodb/kingfisher:latest - Pre-commit hooks: Integrate with git hooks, pre-commit framework, or Husky
- Compile from source: Build with
makefor your platform
For complete installation instructions and pre-commit hook setup, see docs/INSTALLATION.md.
Every Kingfisher release includes GitHub build attestations so you can verify that artifacts were built by our CI pipeline and haven't been tampered with.
Release artifacts have GitHub build attestations, verifiable with the GitHub CLI:
gh release download <version> --repo mongodb/kingfisher \
--pattern 'kingfisher-linux-x64.tgz'
gh attestation verify kingfisher-linux-x64.tgz --repo mongodb/kingfisherKingfisher ships a browser-based report viewer and triager for three formats:
- Kingfisher JSON / JSONL (with full
access_mapblast-radius data when present) - Gitleaks JSON
- TruffleHog JSON / JSONL (verified findings are surfaced as active credentials)
There are two ways to use it:
- Locally via the CLI —
kingfisher view ./report.json(bundled into every Kingfisher binary; no external services) - Hosted — https://mongodb.github.io/kingfisher/viewer/ — a static, client-side upload-based copy of the same viewer. Drag in Kingfisher, Gitleaks, or TruffleHog reports and triage in your browser; nothing is uploaded to a server.
Raw JSON from Kingfisher, Gitleaks, or TruffleHog is great for machines, but awful for humans making decisions on which findings are real and which need to be rotated first. The viewer lets a security engineer:
- Skim hundreds of findings at a glance, grouped by detector, file, repository, and validation status instead of one line per finding in a terminal.
- Triage across multiple tools in one place — import a Gitleaks report plus a TruffleHog report plus a Kingfisher scan of the same repo and look at them side-by-side with dedup, instead of eyeballing three different JSON schemas.
- Prioritize real, validated secrets — validated Kingfisher findings and TruffleHog-verified findings float to the top so you act on live credentials first.
- Drop duplicates — repeated imports and overlapping scans are deduplicated by fingerprint/secret identity so you don't open the same key five times. Per-tool "duplicates removed" cards on the dashboard show how much noise each tool contributed, and an upload-time Deduplicate findings toggle (on by default) lets you inspect raw rows when you need to.
- Cross-tool enrichment — when a Gitleaks or TruffleHog finding lines up with a Kingfisher finding at the same commit, file, and line, the imported row picks up Kingfisher's validation verdict and validate / revoke commands. This is useful when a team already has a Gitleaks or TruffleHog pipeline in CI and wants to layer Kingfisher's validation and remediation data on top of the reports they already produce, without replacing their existing tooling.
- See blast radius — for Kingfisher reports generated with
--access-map, the viewer renders the identity, permissions, and resources a leaked credential can reach, so you can tell a dev token apart from a production admin key. - Export triage decisions — filter down to what matters and export a cleaned-up subset for a ticket, a rotation runbook, or an audit reviewer.
Gitleaks and TruffleHog are both widely used open-source secret scanners with their own strengths; Kingfisher's viewer reads their standard JSON output so teams that already run them can pull those findings into the same triage workflow. Kingfisher is not affiliated with or endorsed by the Gitleaks project or Truffle Security Co.; TruffleHog and Gitleaks are trademarks of their respective owners.
Note: when you pass --view-report, Kingfisher starts a web server on port 7890 (default) and opens it in your default browser. By default it binds to 127.0.0.1 for security. You'll see this near the end of the scan output, and Kingfisher will keep running until you stop it.
INFO kingfisher::cli::commands::view: Starting access-map viewer address=127.0.0.1:7890
Serving access-map viewer at http://127.0.0.1:7890 (Ctrl+C to stop)Usage:
kingfisher scan /path/to/scan --access-map --view-report
Click to view video
Kingfisher ships with 942 built-in rules covering cloud keys, AI tokens, CI/CD secrets, database credentials, and SaaS API keys. Below is an overview — see the full list in crates/kingfisher-rules/data/rules/:
| Category | What we catch |
|---|---|
| Cloud Providers | AWS, GCP, Azure (Storage, DevOps, OpenAI, Speech, Translator), Alibaba Cloud, DigitalOcean, IBM Cloud, Cloudflare, Heroku, Fly.io, Railway, Render, Temporal Cloud, and more |
| AI & ML | OpenAI, Anthropic, Google Gemini, Azure OpenAI, Cohere, Mistral, DeepSeek, Groq, xAI (Grok), Stability AI, Replicate, ElevenLabs, Ollama, Langchain, Perplexity, Weights & Biases, NVIDIA NIM, Fireworks.ai, Together.ai, Cerebras, Friendli, Hugging Face, Pinecone, Cursor, Zhipu, and more |
| Dev & CI/CD | GitHub, GitLab, Bitbucket, Buildkite, CircleCI, TravisCI, TeamCity, Jenkins, Drone CI, Harness, Docker Hub, npm, PyPI, RubyGems, Crates.io, NuGet, Vercel, Netlify, Pulumi, Terraform, and more |
| Databases | PostgreSQL, MySQL, MongoDB, Redis, PlanetScale, Supabase, Neon, ClickHouse, DataStax Astra, Firebase, JDBC, ODBC, and more |
| Messaging & Email | Slack, Discord, Microsoft Teams, Telegram, Twilio, SendGrid, Mailgun, Mailchimp, Mailjet, Postmark, Brevo (Sendinblue), Resend, and more |
| Observability | Datadog, Grafana, New Relic, Sentry, Dynatrace, Honeycomb, PagerDuty, OpsGenie, Sumo Logic, Better Stack, and more |
| Payments & Fintech | Stripe, PayPal, Square, GoCardless, Flutterwave, Razorpay, Plaid, Coinbase, and more |
| Security & Identity | Snyk, Auth0, Okta, Clerk, LaunchDarkly, 1Password, JFrog Artifactory/Xray, SonarCloud, Endor Labs, Dependency-Track, StackHawk, and more |
| CRM & Business SaaS | Salesforce, HubSpot, Jira, Confluence, Asana, Linear, Monday.com, Zendesk, Intercom, Shopify, and more |
| Crypto Material | Private keys (PEM, PGP/GPG, SSH), JWTs, age encryption keys, WireGuard keys, and more |
Kingfisher ships with 484 built-in rules that include HTTP and service-specific validation checks (AWS, Azure, GCP, etc.) to confirm if a detected string is a live credential.
However, you may want to add your own custom rules, or modify a detection to better suit your needs / environment.
For complete rule documentation, see docs/RULES.md.
Modern API tokens increasingly include built-in checksums, short internal digests that make each credential self-verifiable. (For background, see GitHub's write-up on their newer token formats and why checksums slash false positives.)
Kingfisher supports checksum-aware matching in rules, enabling offline structural verification of credentials without calling third-party APIs.
By validating each token's internal checksum (for tokens that support checksums), Kingfisher eliminates nearly all false positives—automatically skipping structurally invalid or fake tokens before validation ever runs.
Why this matters
- Offline verification — no API call required
- Industry-aligned — compatible with prefix + checksum token designs (e.g., modern PATs)
- Lower false positives — invalid tokens are filtered out by structure alone
Learn more: implementation details and templating are documented in docs/RULES.md
Note:
kingfisher scanautomatically detects whether the input is a Git repository or a plain directory—no extra flags required.
# Scan with secret validation
kingfisher scan /path/to/code
## NOTE: This path can refer to:
# 1. a local git repo
# 2. a directory with many git repos
# 3. or just a folder with files and subdirectories
# Scan without validation
kingfisher scan ~/src/myrepo --no-validate
# Turbo mode: run as fast as possible by disabling Git commit metadata, Base64 decoding,
# MIME sniffing, language detection, and parser-based context verification
# (findings omit commit context, Base64-only matches, MIME type, and language metadata)
kingfisher scan ~/src/myrepo --turbo
# Display only secrets confirmed active by third‑party APIs
kingfisher scan /path/to/repo --only-valid
# Output JSON and capture to a file
kingfisher scan . --format json | tee kingfisher.json
# Output SARIF directly to disk
kingfisher scan /path/to/repo --format sarif --output findings.sarifStop Guessing, Start Mapping: Understand Your True Blast Radius
Finding a leaked credential is only the first step. The critical question isn't just "Is this a secret?"—it's "What can an attacker do with it?"
Kingfisher's --access-map feature transforms secret detection from a simple alert into a comprehensive threat assessment. Instead of leaving you with a cryptic API key, Kingfisher actively authenticates against the provider to map the full extent of the credential's power.
- Instant Identity Resolution: Immediately identify who the key belongs to—whether it's a specific IAM user, an assumed role, or a service account.
- Visualize the Blast Radius: See exactly which resources (S3 buckets, EC2 instances, projects, storage containers) are exposed and at risk.
# Generate access map during scan
kingfisher scan /path/to/code --access-map --view-report
# View access-map reports locally
kingfisher view kingfisher.json
# Import third-party reports for local triage
kingfisher view trufflehog.json
kingfisher view gitleaks.json
# Combine multiple reports (deduplicated by fingerprint)
kingfisher view report1.json report2.jsonl
# Load all reports from a directory (non-recursive, skips non-JSON/JSONL files)
kingfisher view ./reports/The viewer can import Gitleaks JSON and TruffleHog JSON/JSONL in addition to native Kingfisher reports. Imported findings are normalized for browsing, filtering, and export, and imported TruffleHog/Gitleaks findings deduplicate by secret identity. Imported reports remain display-oriented: native access_map, validate/revoke commands, and blast-radius linking still require a Kingfisher scan.
Use the access map functionality only when you are authorized to inspect the target account, as Kingfisher will issue additional network requests to determine what access the secret grants
| Cloud & Infra | DevOps & CI/CD | SaaS & APIs | Data & Messaging |
|---|---|---|---|
| AWS | GitHub | Airtable | MongoDB |
| GCP | GitLab | Algolia | MySQL |
| Azure Storage | Azure DevOps | Auth0 | PostgreSQL |
| Alibaba Cloud | Bitbucket | HubSpot | SendGrid |
| DigitalOcean | Buildkite | Salesforce | Sendinblue / Brevo |
| IBM Cloud | CircleCI | Shopify | Slack |
| Terraform Cloud | Harness | Zendesk | Microsoft Teams |
| JFrog Artifactory | Stripe | ||
| JFrog Xray | Square | ||
| Jira | PayPal | ||
| Plaid | |||
| Fastly | |||
| OpenAI | |||
| Anthropic | |||
| Hugging Face | |||
| Weights & Biases | |||
| Gitea | |||
| monday.com | |||
| Asana |
# Validate a known secret without scanning
kingfisher validate --rule opsgenie "12345678-9abc-def0-1234-56789abcdef0"
# Validate from stdin
echo "ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" | kingfisher validate --rule github -
# Revoke a Slack token
kingfisher revoke --rule slack "xoxb-..."
# Revoke a GitHub PAT
kingfisher revoke --rule github "ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"Validation throttling is also available for direct validation:
--validation-rps <RPS>sets a global request rate.--validation-rps-rule <RULE_SELECTOR=RPS>sets per-rule overrides (repeatable).- Rule selectors accept short names, so
github=2matcheskingfisher.github.*.
# Limit direct validation to 1 req/sec for GitHub rules
kingfisher validate --rule github "ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \
--validation-rps-rule github=1Kingfisher is built to support compliance and security-assurance goals, not just detection. In addition to finding secrets, it helps teams produce evidence that secure development controls are operating.
- Audit scan output: generate a standalone HTML report with scan timestamp, report generation time, validation status, and file-level links for findings
- Evidence-friendly metadata: include version, scan stats, and sanitized command arguments for review workflows
- Control narrative support: demonstrate that hardcoded credentials/secrets are actively detected and triaged in CI/CD and developer workflows
# Generate an audit-ready HTML report
kingfisher scan /path/to/code --format html --output kingfisher-audit.html# Pipe any text directly into Kingfisher
cat /path/to/file.py | kingfisher scan -
# Limit maximum file size scanned (default: 256 MB)
kingfisher scan /some/file --max-file-size 500
# Turbo mode: equivalent to --commit-metadata=false --no-base64 and disables MIME sniffing,
# language detection/parser-based context verification for maximum speed
# No Git commit metadata (author, date, hash), Base64 decoding, MIME, or language metadata in findings
kingfisher scan /path/to/repo --turbo
# Scan using a rule family
kingfisher scan /path/to/repo --rule kingfisher.aws
# Display rule performance statistics
kingfisher scan /path/to/repo --rule-stats
# Throttle validation request rate globally
kingfisher scan /path/to/repo --validation-rps 5
# Override specific rule families (kingfisher. prefix optional)
kingfisher scan /path/to/repo \
--validation-rps 10 \
--validation-rps-rule github=2 \
--validation-rps-rule pypi=0.5
# Increase validation response storage limit (default: 2048 bytes)
kingfisher scan /path/to/repo --max-validation-response-length 8192
# Disable validation response storage truncation entirely (0 = unlimited)
kingfisher scan /path/to/repo --max-validation-response-length 0
# Include full validation response bodies end-to-end (no validation or reporter truncation)
# Useful for parsing complete validation responses (e.g., GitHub token metadata)
kingfisher scan /path/to/repo --full-validation-response
# Exclude specific paths
kingfisher scan ./my-project \
--exclude '*.py' \
--exclude '[Tt]ests'
# Scan changes in CI pipelines
kingfisher scan . \
--since-commit origin/main \
--branch "$CI_BRANCH"Validation rate limiting applies to all built-in validator types (HTTP/gRPC, cloud SDK validators such as AWS/GCP/Coinbase, and database/token validators such as MongoDB, Postgres, MySQL, JDBC, JWT, and Azure Storage).
Rawvalidators are excluded.
Kingfisher can scan multiple platforms and services directly:
Version Control & Code Hosting:
- GitHub (organizations, users, repositories)
- GitLab (groups, users, projects)
- Azure Repos (organizations, projects)
- Bitbucket (workspaces, users, repositories)
- Gitea (organizations, users, repositories)
- Hugging Face (models, datasets, spaces)
Cloud Storage:
- AWS S3
- Google Cloud Storage
Containers:
- Docker (images from registries)
Collaboration & Documentation:
- Jira (issues via JQL queries)
- Confluence (pages via CQL queries)
- Slack (messages via search queries)
- Microsoft Teams (messages via Microsoft Graph search)
See docs/INTEGRATIONS.md for complete integration documentation and authentication setup.
# Scan AWS S3 bucket
kingfisher scan s3 bucket-name --prefix path/
# Scan Google Cloud Storage
kingfisher scan gcs bucket-name
# Scan Docker image
kingfisher scan docker ghcr.io/owasp/wrongsecrets/wrongsecrets-master:latest-master
# Scan GitHub organization
kingfisher scan github --organization my-org
# Scan GitLab group
kingfisher scan gitlab --group my-group
# Scan Azure Repos
kingfisher scan azure --organization my-org
# Scan Jira issues
KF_JIRA_TOKEN="token" kingfisher scan jira --url https://jira.company.com \
--jql "project = TEST AND status = Open"
# Scan Jira issues, comments, and changelog entries
KF_JIRA_TOKEN="token" kingfisher scan jira --url https://jira.company.com \
--jql "project = TEST AND status = Open" \
--include-comments \
--include-changelog
# Scan Confluence pages
KF_CONFLUENCE_TOKEN="token" kingfisher scan confluence --url https://confluence.company.com \
--cql "label = secret"
# Scan Slack messages
KF_SLACK_TOKEN="xoxp-..." kingfisher scan slack "from:username has:link"
# Scan Microsoft Teams messages
KF_TEAMS_TOKEN="eyJ0..." kingfisher scan teams "password OR api_key"For detailed integration instructions and authentication setup, see docs/INTEGRATIONS.md.
| Variable | Purpose |
|---|---|
KF_GITHUB_TOKEN |
GitHub Personal Access Token |
KF_GITLAB_TOKEN |
GitLab Personal Access Token |
KF_GITEA_TOKEN |
Gitea Personal Access Token |
KF_GITEA_USERNAME |
Username for private Gitea clones (used with KF_GITEA_TOKEN) |
KF_AZURE_TOKEN / KF_AZURE_PAT |
Azure Repos Personal Access Token |
KF_AZURE_USERNAME |
Username to use with Azure Repos PATs (defaults to pat when unset) |
KF_BITBUCKET_TOKEN |
Bitbucket Cloud workspace API token or Bitbucket Server PAT |
KF_BITBUCKET_USERNAME |
Optional Bitbucket username for legacy app passwords or server tokens |
KF_BITBUCKET_APP_PASSWORD |
Legacy Bitbucket app password (deprecated September 9, 2025; disabled June 9, 2026) |
KF_BITBUCKET_OAUTH_TOKEN |
Bitbucket OAuth or PAT token |
KF_HUGGINGFACE_TOKEN |
Hugging Face access token for API enumeration and git cloning |
KF_HUGGINGFACE_USERNAME |
Optional username for Hugging Face git operations (defaults to hf_user) |
KF_JIRA_TOKEN |
Jira API token |
KF_CONFLUENCE_TOKEN |
Confluence API token |
KF_SLACK_TOKEN |
Slack API token |
KF_TEAMS_TOKEN |
Microsoft Graph API token for Teams message search |
KF_DOCKER_TOKEN |
Docker registry token (user:pass or bearer token). If unset, credentials from the Docker keychain are used |
KF_AWS_KEY, KF_AWS_SECRET, and KF_AWS_SESSION_TOKEN |
AWS credentials for S3 bucket scanning. Session token is optional, for temporary credentials |
Set them temporarily per command:
KF_GITLAB_TOKEN="glpat-…" kingfisher scan gitlab --group my-groupOr export for the session:
export KF_GITLAB_TOKEN="glpat-…"Kingfisher offers powerful features for complex scanning scenarios. See docs/ADVANCED.md for complete advanced documentation.
Track known secrets and detect only new ones:
# Create/update baseline
kingfisher scan /path/to/code \
--confidence low \
--manage-baseline \
--baseline-file ./baseline-file.yml
# Scan with baseline (suppress known findings)
kingfisher scan /path/to/code \
--baseline-file /path/to/baseline-file.yaml# Skip known false positives
kingfisher scan --skip-regex '(?i)TEST_KEY' path/
kingfisher scan --skip-word dummy path/
# Skip AWS canary tokens
kingfisher scan /path/to/code \
--skip-aws-account "171436882533,534261010715"
# Inline ignore directives in code
# Add `kingfisher:ignore` on the same line or surrounding lines# Scan only changes between branches
kingfisher scan . \
--since-commit origin/main \
--branch "$CI_BRANCH"
# Scan specific commit range
kingfisher scan /tmp/repo --branch feature-1 \
--branch-root-commit $(git -C /tmp/repo merge-base main feature-1)For more advanced features including confidence levels, validation tuning, and custom rules, see docs/ADVANCED.md. See also docs/DEPLOYMENT.md for centralized and self-serve deployment strategies.
| Document | Description |
|---|---|
| INSTALLATION.md | Complete installation guide including pre-commit hooks setup for git, pre-commit framework, and Husky |
| INTEGRATIONS.md | Platform-specific scanning guide (GitHub, GitLab, AWS S3, Docker, Jira, Confluence, Slack, etc.) |
| ACCESS_MAP.md | Access map: supported tokens and credential formats (42 providers including AWS, GCP, Azure, Alibaba Cloud, Stripe, Jira, monday.com, Asana, and more) |
| ARCHITECTURE.md | High-level Mermaid architecture diagram of the CLI, scanner pipeline, validation, access map, and outputs |
| DEPLOYMENT.md | Deployment models for self-serve CLI use, CI/pre-commit enforcement, centralized scanning, and embedded library integrations |
| ADVANCED.md | Advanced features: baselines, confidence levels, validation tuning, CI scanning, and more |
| RULES.md | Writing custom detection rules, pattern requirements, and checksum intelligence |
| REVOCATION_PROVIDERS.md | Built-in revocation coverage by provider and rule ID |
| BASELINE.md | Baseline management for tracking known secrets and detecting new ones |
| LIBRARY.md | Using Kingfisher as a Rust library in your own applications |
| FINGERPRINT.md | Understanding finding fingerprints and deduplication |
| COMPARISON.md | Benchmark results and performance comparisons |
| PARSING.md | Language-aware parsing details |
| CONTEXT_VERIFICATION.md | Context-verification flow, gates, and parser backends |
(beta feature) - Kingfisher's scanning engine is available as a set of Rust library crates (kingfisher-core, kingfisher-rules, kingfisher-scanner) that can be embedded into other applications. This enables you to integrate secret scanning directly into your own tools and workflows.
For complete documentation and examples, see docs/LIBRARY.md.
| Code | Meaning |
|---|---|
| 0 | No findings |
| 200 | Findings discovered |
| 205 | Validated findings discovered |
Kingfisher began as an internal fork of Nosey Parker, used as a high-performance foundation for secret detection.
Since then it has evolved far beyond that starting point, introducing live validation, hundreds of new rules, additional scan targets, and major architectural changes across nearly every subsystem.
Key areas of evolution
- Live validation of detected secrets directly within rules
- Hundreds of new built-in rules and an expanded YAML rule schema
- Baseline management to suppress known findings over time
- Parser-based context verification layered on Hyperscan for language-aware detection
- More scan targets (GitLab, Bitbucket, Gitea, Jira, Confluence, Slack, Microsoft Teams, S3, GCS, Docker, Hugging Face, etc.)
- Compressed Files, SQLite database, and Python bytecode (.pyc) scanning support
- New storage model (in-memory + Bloom filter, replacing SQLite)
- Unified workflow with JSON/BSON/SARIF outputs
- Cross-platform builds for Linux, macOS, and Windows
- More rules
- More targets
- Please file a feature request, or open a PR, if you have features you'd like added